Security and Access Review Quiz
Comprehensive review quiz covering IAM, root user, roles, policies, MFA, least privilege, AWS security service recognition, Artifact, encryption, Organizations, and SCPs from Module 5.2.
Learning outcomes
By the end of this lesson, the learner can:
- Distinguish between IAM identities and policies.
- Explain root user, IAM user, IAM role, MFA, and least privilege.
- Recognize the main role of key AWS security services.
- Choose the right security service for a simple scenario. AWS's IAM and security-service docs clearly separate access control, threat detection, auditing, configuration tracking, and secrets/key management. (AWS Documentation)
Module 5.2 review snapshot
This module covered two main areas.
First, IAM and access patterns:
- AWS recommends protecting the root user, requiring MFA, preferring federation and temporary credentials for human users, and using IAM roles for workloads where possible. (AWS Documentation)
- IAM policies are JSON permission documents attached to identities such as users, groups, and roles. (AWS Documentation)
- Least privilege means granting only the permissions required to perform a task. (AWS Documentation)
Second, security-service recognition:
- WAF filters web requests, while Shield focuses on DDoS protection. (AWS Documentation)
- GuardDuty detects suspicious or malicious activity, while Inspector finds vulnerabilities and unintended network exposure. (AWS Documentation)
- Macie discovers sensitive data in S3. (AWS Documentation)
- CloudTrail records actions and events, while Config tracks configuration state and history. (AWS Documentation)
- KMS manages encryption keys, while Secrets Manager stores and rotates secrets. (AWS Documentation)
A simple summary is:
This module is about who can access AWS, how that access should be protected, and which AWS security service fits which kind of security problem. (AWS Documentation)
Mixed security and access review quiz
Reflection questions
Think about it:
- Why does AWS recommend not using the root user for everyday work?
- What is the difference between an IAM user and an IAM role?
- Why are broad wildcard permissions riskier than least-privilege permissions?
- What is the biggest difference between WAF and Shield?
- What is the biggest difference between GuardDuty and Inspector?
- What is the biggest difference between CloudTrail and Config?
- What is the biggest difference between KMS and Secrets Manager?
- A team wants to know whether one of their EC2 instances or container images has a vulnerability. Which service is the strongest fit?
- A team wants to know whether suspicious API behavior or compromised credentials are being detected in their AWS environment. Which service is the strongest fit?
- A team wants a central place to prioritize and respond to security issues coming from multiple security tools. Which service is the strongest fit?
Answer key
A1: B. IAM is AWS's access-control layer. AWS's IAM best-practices page centers IAM around identities, credentials, MFA, policies, and permissions. (AWS Documentation)
A2: B. AWS says an IAM policy is a JSON document that grants permissions when attached to an IAM identity. (AWS Documentation)
A3: B. AWS defines least privilege as granting only the permissions required to perform a task. (AWS Documentation)
A4: Because AWS recommends using the root user only for tasks that require it, protecting it heavily, and using another administrative identity for normal daily work. (AWS Documentation)
A5: B. AWS says IAM roles are assumable identities that provide temporary security credentials and do not have standard long-term credentials like passwords or access keys. (AWS Documentation)
A6: An IAM user is a named identity with long-term credentials, while an IAM role is an assumable identity that gives temporary credentials when used. AWS's best-practices and role guidance make that distinction explicit. (AWS Documentation)
A7: B. AWS says MFA adds an additional authentication factor after username and password. (AWS Documentation)
A8: Because broad wildcard permissions grant more access than needed, which increases risk if the identity is misused or compromised. AWS explicitly warns that broad managed policies and wildcards are not least privilege. (AWS Documentation)
A9: B. AWS WAF is the service for filtering and controlling web requests. (AWS Documentation)
A10: A. AWS Shield is the DDoS protection service. AWS says Shield Standard is automatically included and Shield Advanced adds more capabilities. (AWS Documentation)
A11: WAF is for inspecting and controlling web requests with rules, while Shield is for DDoS protection. (AWS Documentation)
A12: B. GuardDuty is AWS's threat-detection service that uses data sources, threat intelligence, and machine learning to find suspicious activity. (AWS Documentation)
A13: A. Inspector scans EC2, ECR images, and Lambda for vulnerabilities and unintended network exposure. (AWS Documentation)
A14: GuardDuty detects suspicious or malicious behavior, while Inspector finds vulnerabilities and exposure issues in workloads. (AWS Documentation)
A15: A. Macie discovers sensitive data in S3 and provides visibility into S3 data-security risks. (AWS Documentation)
A16: B. CloudTrail records actions taken by users, roles, and AWS services as events. (AWS Documentation)
A17: A. AWS Config tracks resource configuration and configuration history over time. (AWS Documentation)
A18: CloudTrail records actions and events, while Config tracks the configuration state of resources and how that configuration changed over time. (AWS Documentation)
A19: B. AWS KMS manages encryption keys. (AWS Documentation)
A20: B. Secrets Manager stores and rotates secrets such as passwords, tokens, and API keys. (AWS Documentation)
A21: KMS manages encryption keys, while Secrets Manager stores and rotates secret values. Secrets Manager can also use KMS for encryption. (AWS Documentation)
A22: Inspector. AWS says Inspector scans EC2, ECR images, and Lambda for vulnerabilities and unintended network exposure. (AWS Documentation)
A23: GuardDuty. AWS says GuardDuty detects suspicious activity, including findings related to compromised credentials and unusual behavior. (AWS Documentation)
A24: Security Hub. AWS describes Security Hub as helping prioritize and respond to security issues from multiple sources by correlating and enriching security signals. (AWS Documentation)
A25: B. AWS Artifact is the self-service portal for downloading compliance reports like SOC 1/2/3, PCI DSS, and ISO certifications. (AWS Documentation)
A26: C. At rest means data stored on disk (e.g., S3 objects, EBS volumes). In transit means data moving between two points (e.g., browser to ALB over HTTPS). (AWS Documentation)
A27: B. GuardDuty analyzes VPC Flow Logs, CloudTrail, and DNS logs to detect threats like compromised instances communicating with known bad IPs. (AWS Documentation)
A28: C. AWS Organizations lets you centrally manage multiple AWS accounts, group them into OUs, apply SCPs as guardrails, and consolidate billing. (AWS Documentation)
A29: B. SCPs set the maximum permission boundary across accounts or OUs. IAM policies grant specific permissions within one account. Both must allow an action for it to succeed. (AWS Documentation)
A30: C. AWS Security Hub aggregates, organizes, and prioritizes findings from GuardDuty, Inspector, Macie, and third-party tools into a single pane of glass. (AWS Documentation)
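The rule in A29 (an SCP sets the maximum, an IAM policy grants within it, and both must allow an action) is easy to state and easy to get wrong in practice, so here is an added Python model of it. This is not the lesson's or AWS's code: it implements only the two rules the answer key names, an explicit Deny in either document wins and otherwise both must Allow, and it deliberately omits permission boundaries, resource-based and session policies, and Condition keys that the real AWS evaluation logic also applies. The SCP, the identity policy, the account ID, and the ARNs are constructed samples.

```python
"""Simplified model of how an SCP and an identity-based IAM policy combine.

Added example, not from the lesson or from AWS. It models only the rule the
answer key states: an explicit Deny in either document wins, and otherwise
both the SCP and the identity policy must Allow the action. Permission
boundaries, resource-based and session policies, and Condition keys are
not modelled.
"""
from fnmatch import fnmatchcase

# Constructed sample SCP in the common guardrail shape: allow everything,
# then deny a short list of actions that must never happen in member accounts.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "ProtectAuditTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        },
        {
            "Sid": "StayInTheOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}

# Constructed sample identity policy attached to a role in a member account.
# It is broader than least privilege on purpose, to show the SCP capping it.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "cloudtrail:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a bare string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    """Action names are case-insensitive; ARNs are matched as written.
    Only the '*' and '?' wildcards are meaningful here."""
    action_hit = any(fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt.get("Action")))
    resource_hit = any(fnmatchcase(resource, r)
                       for r in _as_list(stmt.get("Resource")))
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Return 'deny', 'allow', or 'implicit-deny' for one policy document."""
    verdict = "implicit-deny"
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # an explicit Deny is final
        verdict = "allow"
    return verdict


def is_allowed(action, resource, scp, identity_policy):
    """The request succeeds only when the SCP and the identity policy both
    evaluate to 'allow'. Any 'deny' or 'implicit-deny' on either side fails."""
    return (evaluate(scp, action, resource) == "allow"
            and evaluate(identity_policy, action, resource) == "allow")


if __name__ == "__main__":
    # Constructed sample requests; 111122223333 is a placeholder account ID.
    trail_arn = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/reports/q1.csv"),
        ("cloudtrail:StopLogging", trail_arn),
        ("ec2:RunInstances", "*"),
    ]:
        print(f"{action:24} scp={evaluate(GUARDRAIL_SCP, action, resource):13} "
              f"iam={evaluate(DEVELOPER_POLICY, action, resource):13} "
              f"allowed={is_allowed(action, resource, GUARDRAIL_SCP, DEVELOPER_POLICY)}")
```

The three sample requests cover the three outcomes the answer key implies: the S3 read passes both documents; stopping CloudTrail logging is allowed by the over-broad identity policy but denied by the SCP, so it fails; launching an EC2 instance is allowed by the SCP but never granted by the identity policy, so it also fails. The SCP never grants anything by itself, which is the point of calling it a boundary rather than a permission.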
Module 5.2 wrap-up
At this point, a learner should be able to say:
- IAM controls access.
- Root is rare and heavily protected.
- Users are named long-term identities.
- Roles are temporary access identities.
- Policies define permissions.
- MFA and least privilege are core habits.
- WAF, Shield, GuardDuty, Inspector, Macie, Security Hub, CloudTrail, Config, KMS, and Secrets Manager all solve different security problems.
- AWS Artifact provides compliance reports; AWS Config evaluates your resources.
- Encryption at rest uses KMS keys; encryption in transit uses TLS/SSL and ACM.
- AWS Organizations manages multiple accounts with OUs and SCPs as guardrails. (AWS Documentation)
Next lesson
Unit 5, Module 5.3: Billing, Pricing, and Support. Lesson 5.9: Pay-as-You-Go, Free Tier, and Cost Tools Review.