PrepAway - Latest Free Exam Questions & Answers

What does this policy statement entitle the user to perform?

An organization (Account ID 123412341234) has attached the IAM policy below to a user. What
does this policy statement entitle the user to perform?
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowUsersAllActionsForCredentials",
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SigningCertificate*"
    ],
    "Resource": ["arn:aws:iam:: 123412341234:user/${aws:username}"]
  }]
}


A. The policy allows the IAM user to modify all IAM users' credentials using the console, SDK, CLI or APIs

B. The policy will give an invalid resource error

C. The policy allows the IAM user to modify all credentials using only the console

D. The policy allows the user to modify all IAM users' passwords, sign in certificates and access keys
using only CLI, SDK or APIs

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user
permissions for various AWS services. If the organization (Account ID 123412341234) wants some of its
users to manage the credentials (access keys, password, and sign in certificates) of all IAM users, it should
attach an applicable policy to that user or group of users. The policy below allows the IAM user to modify
the credentials of all IAM users using only the CLI, SDK or APIs. The user cannot use the AWS console for this
activity since he does not have list permission for the IAM users.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowUsersAllActionsForCredentials",
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SigningCertificate*"
    ],
    "Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
  }]
}
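
Added example, not part of the original page: a small local evaluator for this one statement, showing which IAM action names the three wildcard patterns match and which user ARN the Resource element resolves to for a given caller. The caller and target names ("alice", "bob") are hypothetical, the sample requests are constructed, and the ARN shape check is a local assumption about the user ARN format, not AWS's own policy validator.

```python
import re

# Statement contents from the policy above, with straight quotes.
ACTIONS = ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SigningCertificate*"]
# Resource as printed in the question (space after "iam::") and in the explanation.
RESOURCE_Q = "arn:aws:iam:: 123412341234:user/${aws:username}"
RESOURCE_E = "arn:aws:iam::123412341234:user/${aws:username}"

# IAM user ARN shape: arn:aws:iam::<12-digit account id>:user/<name>
USER_ARN = re.compile(r"arn:aws:iam::\d{12}:user/\S+")


def wildcard(pattern, case_sensitive):
    """Compile an IAM-style pattern: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rx, 0 if case_sensitive else re.IGNORECASE)


def well_formed(resource):
    """Local shape check only; this is not AWS's own policy validator."""
    return USER_ARN.fullmatch(resource) is not None


def allowed(action, target_arn, caller, resource=RESOURCE_E):
    """True if this single Allow statement matches the request."""
    if not well_formed(resource):
        raise ValueError("malformed Resource ARN: %r" % resource)
    # ${aws:username} resolves to the friendly name of the calling user.
    resolved = resource.replace("${aws:username}", caller)
    action_ok = any(wildcard(p, False).fullmatch(action) for p in ACTIONS)
    return action_ok and wildcard(resolved, True).fullmatch(target_arn) is not None


if __name__ == "__main__":
    base = "arn:aws:iam::123412341234:user/"
    # Constructed requests; "alice" (the caller) and "bob" are hypothetical users.
    for action, target in [
        ("iam:CreateAccessKey", "alice"),
        ("iam:UpdateLoginProfile", "alice"),
        ("iam:UploadSigningCertificate", "alice"),
        ("iam:ListUsers", "alice"),
        ("iam:CreateAccessKey", "bob"),
    ]:
        print(action, target, allowed(action, base + target, "alice"))
    print("question's Resource well formed:", well_formed(RESOURCE_Q))
```

The evaluator covers only this Allow statement; other attached policies, explicit denies and permission boundaries are out of scope.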

5 Comments on “What does this policy statement entitle the user to perform?”

  1. Dre says:

    This is a vague question as there is a space after “iam:: ” in the resource definition which will error out during the policy creation.

    "Resource": ["arn:aws:iam:: 123412341234:user/${aws:username}"]

    After testing the policy, Answer is B.




  2. dong says:

    IAM replaces the variable ${aws:username} with the friendly name of the actual current user. So the user should only have the permission to change his own credentials. None of the answers seems right.




