PrepAway - Latest Free Exam Questions & Answers

What does this policy statement entitle the user to perform?

An organization (Account ID 123412341234) has attached the below mentioned IAM policy to a user. What does this
policy statement entitle the user to perform?
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowUsersAllActionsForCredentials",
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SigningCertificate*"
    ],
    "Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
  }]
}


A. The policy allows the IAM user to modify all IAM users' credentials using the console, SDK, CLI or APIs

B. The policy will give an invalid resource error

C. The policy allows the IAM user to modify all credentials using only the console

D. The policy allows the user to modify all IAM users' passwords, sign in certificates and access keys using only CLI, SDK or APIs

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions
for various AWS services. If the organization (Account ID 123412341234) wants some of their users to manage
credentials (access keys, password, and sign in certificates) of all IAM users, they should set an applicable policy to that
user or group of users. The below mentioned policy allows the IAM user to modify the credentials of all IAM users using
only CLI, SDK or APIs. The user cannot use the AWS console for this activity since he does not have list permission for
the IAM users.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowUsersAllActionsForCredentials",
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SigningCertificate*"
    ],
    "Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
  }]
}
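
To check how the policy above evaluates for specific requests, the following Python example (added here, not part of the original page and not an AWS tool) resolves the ${aws:username} policy variable and applies IAM-style wildcard matching to a few constructed requests. It models Allow statements only; the user names alice and bob, the function names and the sample requests are assumptions made for illustration.

```python
import json
import re

# The policy from the question, parsed as JSON.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowUsersAllActionsForCredentials",
    "Effect": "Allow",
    "Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SigningCertificate*"],
    "Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
  }]
}
""")

def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def is_allowed(policy, caller, action, resource):
    """Simplified evaluation: Allow statements only, implicit deny otherwise.
    Deny statements, conditions, boundaries and SCPs are not modelled."""
    for stmt in policy["Statement"]:
        # Policy variable: ${aws:username} resolves to the requesting user's name.
        resources = [r.replace("${aws:username}", caller) for r in stmt["Resource"]]
        # Action names are matched case-insensitively, resource ARNs are not.
        action_ok = any(wildcard_match(a, action, ignore_case=True) for a in stmt["Action"])
        resource_ok = any(wildcard_match(r, resource) for r in resources)
        if stmt["Effect"] == "Allow" and action_ok and resource_ok:
            return True
    return False

def evaluate_samples():
    user = "arn:aws:iam::123412341234:user/"
    # Constructed requests; "alice" and "bob" are hypothetical user names.
    requests = [
        ("alice", "iam:CreateAccessKey", user + "alice"),
        ("alice", "iam:UpdateLoginProfile", user + "alice"),
        ("alice", "iam:UploadSigningCertificate", user + "alice"),
        ("alice", "iam:CreateAccessKey", user + "bob"),
        ("alice", "iam:ListUsers", "*"),
    ]
    return [(c, a, r, is_allowed(POLICY, c, a, r)) for c, a, r in requests]

if __name__ == "__main__":
    for caller, action, resource, allowed in evaluate_samples():
        print(f"{caller:6} {action:30} {resource:42} {'Allow' if allowed else 'Deny'}")
```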

4 Comments on “What does this policy statement entitle the user to perform?”

  1. Scotty says:

    ‘All IAM users’?? Are you kidding? It specifically states in the policy that he can perform those actions for the current IAM user since a variable is present.



