MORE questions

Don't stop learning.

README.md

@@ -2,11 +2,11 @@
 
 :information_source:  This repo contains questions and exercises on various technical topics, sometimes related to DevOps and SRE :)
 
-:bar_chart:  There are currently **1899** questions
+:bar_chart:  There are currently **1962** questions
 
 :books:  To learn more about DevOps and SRE, check the resources in [devops-resources](https://github.com/bregman-arie/devops-resources) repository
 
-:warning:  You can use these for preparing for an interview but most of the questions and exercises don't represent an actual interview. Please read [FAQ page](common-qa.md) for more details
+:warning:  You can use these for preparing for an interview but most of the questions and exercises don't represent an actual interview. Please read [FAQ page](faq.md) for more details
 
 :busts_in_silhouette:  [Join](https://www.facebook.com/groups/538897960007080) our [DevOps community](https://www.facebook.com/groups/538897960007080) where we have discussions and share resources on DevOps
 
@@ -941,7 +941,10 @@ False. Auto scaling adjusts capacity and this can mean removing some resources b
 |Name|Topic|Objective & Instructions|Solution|Comments|
 |--------|--------|------|----|----|
 | Create a User | IAM | [Exercise](exercises/aws/create_user.md) | [Solution](exercises/aws/solutions/create_user.md) | |
-| Password Policy | IAM | [Exercise](exercises/aws/password_policy.md) | [Solution](exercises/aws/solutions/password_policy.md) | |
+| Password Policy | IAM | [Exercise](exercises/aws/password_policy_and_mfa.md) | [Solution](exercises/aws/solutions/password_policy_and_mfa.md) | |
+| Create a role | IAM | [Exercise](exercises/aws/create_role.md) | [Solution](exercises/aws/solutions/create_role.md) | |
+| Credential Report | IAM | [Exercise](exercises/aws/credential_report.md) | [Solution](exercises/aws/solutions/credential_report.md) | |
+| Access Advisor | IAM | [Exercise](exercises/aws/access_advisor.md) | [Solution](exercises/aws/solutions/access_advisor.md) | |
 
 #### AWS - Lambda
 
@@ -994,8 +997,8 @@ False. The minimum is 2 while the maximum is 6.
 <details>
 <summary>What is IAM? What are some of its features?</summary><br><b>
 
-Full explanation is [here](https://aws.amazon.com/iam)
-In short: it's used for managing users, groups, access policies & roles
+In short, it's used for managing users, groups, access policies & roles
+Full explanation can be found [here](https://aws.amazon.com/iam)
 </b></details>
 
 <details>
@@ -1023,12 +1026,13 @@ False. Users can belong to multiple groups.
 </b></details>
 
 <details>
-<summary>What best practices are there regarding IAM in AWS?</summary><br><b>
+<summary>What are some best practices regarding IAM in AWS?</summary><br><b>
 
-* Set up MFA
-* Delete root account access keys
-* Create IAM users instead of using root for daily management
+* Delete root account access keys and don't use root account regularly
+* Create IAM user for any physical user. Don't share users.
 * Apply "least privilege principle": give users only the permissions they need, nothing more than that.
+* Set up MFA and consider enforcing using it
+* Make use of groups to assign permissions ( user -> group -> permissions )
 </b></details>
 
 <details>
@@ -1037,11 +1041,25 @@ False. Users can belong to multiple groups.
 Only a login access.
 </b></details>
 
+<details>
+<summary>True or False? If a user in AWS is using password for authenticating, he doesn't needs to enable MFA</summary><br><b>
+
+False(!). MFA is a great additional security layer to use for authentication.
+</b></details>
+
+<details>
+<summary>What ways are there to access AWS?</summary><br><b>
+
+  * AWS Management Console
+  * AWS CLI
+  * AWS SDK
+</b></details>
+
 <details>
 <summary>What are Roles?</summary><br><b>
 
-A way for allowing a service of AWS to use another service of AWS. You assign roles to AWS resources.
-For example, you can make use of a role which allows EC2 service to acesses s3 buckets (read and write).
+[AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html): "An IAM role is an IAM identity that you can create in your account that has specific permissions...it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS."
+For example, you can make use of a role which allows EC2 service to access s3 buckets (read and write).
 </b></details>
 
 <details>
@@ -1067,7 +1085,7 @@ There can be several reasons for that. One of them is lack of policy. To solve t
 </b></details>
 
 <details>
-<summary>What statements are consist of in AWS IAM policies?</summary><br><b>
+<summary>What statements AWS IAM policies support?</summary><br><b>
 
 * Sid: identifier of the statement (optional)
 * Effect: allow or deny access
@@ -1097,6 +1115,19 @@ There can be several reasons for that. One of them is lack of policy. To solve t
 This policy permits to perform any action on any resource. It happens to be the "AdministratorAccess" policy.
 </b></details>
 
+<details>
+<summary>What security tools AWS IAM provides?</summary><br><b>
+
+* IAM Credentials Report: lists all the account users and the status of their credentials
+* IAM Access Advisor: Shows service permissions granted to a user and information on when he accessed these services the last time
+</b></details>
+
+<details>
+<summary>Which tool would you use to optimize user permissions by identifying which services he doesn't regularly (or at all) access?</summary><br><b>
+
+IAM Access Advisor
+</b></details>
+
 #### AWS - Compute
 
 <details>
@@ -2307,7 +2338,13 @@ Learn more [here](https://aws.amazon.com/professional-services/CAF)
 <details>
 <summary>What is AWS Cloud9?</summary><br><b>
 
-AWS definition: "AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser"
+AWS: "AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser"
+</b></details>
+
+<details>
+<summary>What is AWS CloudShell?</summary><br><b>
+
+AWS: "AWS CloudShell is a browser-based shell that makes it easy to securely manage, explore, and interact with your AWS resources."
 </b></details>
 
 <details>
@@ -2376,7 +2413,6 @@ Packets that are sent on the ethernet are always coming from a MAC address and s
 <details>
 <summary>When is this MAC address used?: ff:ff:ff:ff:ff:ff</summary><br><b>
 
-
 When a device sends a packet to the broadcast MAC address (FF:FF:FF:FF:FF:FF​), it is delivered to all stations on the local network. It needs to be used in order for all devices to receive your packet at the datalink layer.
 </b></details>
 
@@ -2496,15 +2532,13 @@ CSMA/CD algorithm:
 
 A router is a physical or virtual appliance that passes information between two or more packet-switched computer networks. A router inspects a given data packet's destination Internet Protocol address (IP address), calculates the best way for it to reach its destination and then forwards it accordingly.
 
-
 </b></details>
 
 <details>
 <summary>What is NAT?</summary><br><b>
 
  Network Address Translation (NAT) is a process in which one or more local IP address is translated into one or more Global IP address and vice versa in order to provide Internet access to the local hosts.
 
-
 </b></details>
 
 <details>
@@ -2515,8 +2549,6 @@ A proxy server acts as a gateway between you and the internet. It’s an interme
 If you’re using a proxy server, internet traffic flows through the proxy server on its way to the address you requested. The request then comes back through that same proxy server (there are exceptions to this rule), and then the proxy server forwards the data received from the website to you.
 
 roxy servers provide varying levels of functionality, security, and privacy depending on your use case, needs, or company policy.
-
-
 </b></details>
 
 <details>

exercises/aws/access_advisor.md

@@ -0,0 +1,9 @@
+## AWS IAM - Access Advisor
+
+### Objectives
+
+Go to the Access Advisor and answer the following questions regarding one of the users:
+
+1. Are there services this user never accessed?
+2. What was the last service the user has accessed?
+3. What the Access Advisor is used/good for?

exercises/aws/create_role.md

@@ -0,0 +1,16 @@
+## AWS - Create a Role
+
+### Objectives
+
+Create a basic role to provide EC2 service with Full IAM access permissions.<br>
+In the end, run from the CLI (or CloudShell) the command to verify the role was created.
+
+### Solution
+
+1. Go to AWS console -> IAM
+2. Click in the left side menu on "Access Manamgement" -> Roles
+3. Click on "Create role"
+3. Choose "AWS service" as the type of trusted entity and then choose "EC2" as a use case. Click on "Next"
+4. In permissions page, check "IAMFullAccess" and click on "Next" until you get to "Review" page
+5. In the "Review" page, give the role a name (e.g. IAMFullAcessEC2), provide a short description and click on "Create role"
+6. `aws iam list-roles` will list all the roles in the account, including the one we've just created.

exercises/aws/password_policy_and_mfa.md

@@ -0,0 +1,12 @@
+## AWS IAM - Password Policy & MFA
+
+Note: DON'T perform this exercise unless you understand what you are doing and what is the outcome of applying these changes to your account
+
+### Objectives
+
+1. Create password policy with the following settings:
+  1. At least minimum 8 characters
+  2. At least one number
+  3. Prevent password reuse
+
+2. Then enable MFA for the account.

exercises/aws/solutions/access_advisor.md

@@ -0,0 +1,18 @@
+## AWS IAM - Access Advisor
+
+### Objectives
+
+Go to the Access Advisor and answer the following questions regarding one of the users:
+
+1. Are there services this user never accessed?
+2. What was the last service the user has accessed?
+3. What the Access Advisor is used/good for?
+
+### Solution 
+
+1. Go to AWS IAM service and click on "Users" under "Access Management"
+2. Click on one of the users
+3. Click on the "Access Advisor" tab
+4. Check which service was last accessed and which was never accessed
+
+Access Advisor can be good to evaluate whether there are services the user is not accessing (as in never or not frequently). This can be help in deciding whether some permissions should be revoked or modified.

exercises/aws/solutions/create_role.md

@@ -0,0 +1,16 @@
+## AWS - Create a Role
+
+### Objectives
+
+Create a basic role to provide EC2 service with Full IAM access permissions.<br>
+In the end, run from the CLI (or CloudShell) the command to verify the role was created.
+
+### Solution
+
+1. Go to AWS console -> IAM
+2. Click in the left side menu on "Access Manamgement" -> Roles
+3. Click on "Create role"
+3. Choose "AWS service" as the type of trusted entity and then choose "EC2" as a use case. Click on "Next"
+4. In permissions page, check "IAMFullAccess" and click on "Next" until you get to "Review" page
+5. In the "Review" page, give the role a name (e.g. IAMFullAcessEC2), provide a short description and click on "Create role"
+6. `aws iam list-roles` will list all the roles in the account, including the one we've just created.

exercises/aws/solutions/credential_report.md

@@ -0,0 +1,18 @@
+## AWS - Credential Report
+
+### Objectives
+
+1. Create/Download a credential report
+2. Answer the following questions based on the report:
+  1. Are there users with MFA not activated?
+  2. Are there users with password enabled that didn't 
+3. Explain the use case for using the credential report
+
+### Solution
+
+1. Go to the AWS IAM service
+2. Under "Access Reports" click on "Credential report"
+3. Click on "Download Report" and open it once it's downloaded
+4. Answer the questions in this exercises by inspecting the report
+
+The credential report is useful to identify whether there any users who need assistance or attention in regards to their security. For example a user who didn't change his password for a long time and didn't activate MFA.

exercises/aws/solutions/password_policy_and_mfa.md

@@ -0,0 +1,32 @@
+## AWS IAM - Password Policy & MFA
+
+Note: DON'T perform this exercise unless you understand what you are doing and what is the outcome of applying these changes to your account
+
+### Objectives
+
+1. Create password policy with the following settings:
+  1. At least minimum 8 characters
+  2. At least one number
+  3. Prevent password reuse
+
+2. Then enable MFA for the account.
+
+### Solution
+
+Password Policy:
+
+1. Go to IAM service in AWS
+2. Click on "Account settings" under "Access management"
+3. Click on "Change password policy"
+  1. Check "Enforce minimum password length" and set it to 8 characters
+  1. Check "Require at least one number"
+  1. Check "Prevent password reuse"
+4. Click on "Save changes"
+
+MFA:
+
+1. Click on the account name
+2. Click on "My Security Credentials"
+3. Expand "Multi-factor authentication (MFA)" and click on "Activate MFA"
+4. Choose one of the devices
+5. Follow the instructions to set it up and click on "Assign MFA"

common-qa.md → faq.md

@@ -6,34 +6,39 @@ Most frequently asked questions.
 
 Learning, of course.
 
-### My goal is to prepare for a DevOps interviews. How to do that?
+### My goal is to prepare for a DevOps interviews. Should I use this repository?
 
-I've added a couple of suggestions [here](prepare_for_interview.md)<br>
 Overall, this repository should help you learn some concepts but, don't assume at any point that your interview will include similar questions to those that included in this repository.
+Regarding interview, I've added a couple of suggestions [here](prepare_for_interview.md)<br>
+
+### Will you stop at some point adding questions and exercises?
+
+All good things come to an end...
 
 ### How do I become a better DevOps Engineer?
 
 That's a great question.<br>
-I don't have a definitive answer for this question, but try the following:
+I don't have a definitive answer for this question, I'm exploring it myself from time to time. What I believe helps is to:
 
-  * Practice - Practicing DevOps practically should be the primary way used to become a DevOps engineer
-  * Read - Read blogs, books, ... anything that can enrich your knowledge about DevOps or related DevOps topics
+  * Practice - Practicing DevOps practically should be the primary way to become a DevOps engineer in my opinion
+  * Read - blogs, books, ... anything that can enrich your knowledge about DevOps or related DevOps topics
   * Participate - there are great DevOps communities. I personally like [Reddit DevOps community](https://www.reddit.com/r/devops). Visiting there, I learn quite a lot on different topics.
-  * Share - This is one of the reasons I created this project. Primary goal was to help others but a secondary goal quickly became to learn more. By asking questions, you actually learn better a certain topic. Try it out, take a certain subject and try to come up with questions you would ask someone to test his/her skills.
+  * Share - This is one of the reasons I created this project. Primary goal was to help others but a secondary goal quickly became to learn more. By asking questions, you actually learn better a certain topic. Try it out, take a certain subject and try to come up with questions you would ask someone to test his/her skills about that topic.
 
 ### Why most of the questions don't have answers?
 
-Because we need more contributors ;)
+1. Because we need more contributors
+2. Because often asking questions is easier than answering them
 
 ### Where can I find answers to some of the questions in this repository?
 
 1. Search for them using search engines, documentation pages, ... this is part of being a DevOps engineer
-2. Use the communities - many people will be happy to help and answer your questions
+2. Use the communities: many people will be happy to help and answer your questions
 3. Ask us. If you want, you can contact me or even open an issue that is only a question, that's totally fine :)
 
 ### Where the questions and answers are coming from?
 
-Well, from everywhere - past experience, colleagues, contributors, ... but please note we do not allow copying interview questions from interview questions sites to here. There are people who worked hard on adding those to their sites and we respect that.<br>
+Well, everywhere! - past experience, colleagues, contributors, ... but please note we do not allow copying interview questions from interview questions sites to here. There are people who worked hard on adding those to their sites and we respect that.<br>
 As an evidence, we did deny pull requests with copied content from other sites.
 
 ### What are the top DevOps skills required for being a DevOps Engineer?
@@ -66,6 +71,8 @@ I'll simply imagine you didn't ask that on an open source project... :)
 ### Why can't I add installation questions?
 
 In general, I prefer questions added to this repository will have certain educational value for the user. Either regarding a certain concept or even a very general question, but one that will make the user research on a certain topic and will make him eventually more familiar with some of its core concepts.<br>
+I know that this is not the case for every question in this repo as of today (e.g. questions about specific commands) but this is definitely something to aspire for.
+
 I see little to none value in what is known as "Installation Questions". Let's say I ask you "how to install Jenkins?". Should I conclude from your answer that you are familiar with what is Jenkins and/or how it works? In other words, is there a value in knowing how to install Jenkins? In my opinion, no.
 
 ### Where can I practice coding?
@@ -91,3 +98,8 @@ For example:
 2. The act of adding additional instances to the pool to handle scaling is called ________ scaling
 
 You are right, both ask about horizontal scaling but it's done from a different angle in every question and in addition, I do believe repetition helps you to learn something in a way where you are not fixed on the way it's asked, rather you understand the concept itself.
+
+### Are you open for making big changes in the repository?
+
+Absolutely. Don't be afraid to raise ideas and start discussions.<br>
+I'll be more than happy to discuss any change you think we should make to improve the learning experience