An organization (Account ID 123412341234. has attached the below mentioned IAM policy to a
user. What does this policy statement entitle the user to perform?
{
“Version”: “2012-10-17”,
“Statement”: [{
“Sid”: “AllowUsersAllActionsForCredentials”,
“Effect”: “Allow”,
“Action”: [
“iam:*LoginProfile”,
“iam:*AccessKey*”,
“iam:*SigningCertificate*”
],
“Resource”: [“arn:aws:iam:: 123412341234:user/${aws:username}”]
}]
}

A.
The policy allows the IAM user to modify all IAM user’s credentials using the console, SDK, CLI
or APIs

B.
The policy will give an invalid resource error

C.
The policy allows the IAM user to modify all credentials using only the console

D.
The policy allows the user to modify all IAM user’s password, sign in certificates and access
keys
using only CLI, SDK or APIs

Explanation:
WS Identity and Access Management is a web service which allows organizations to manage
users and user permissions for various AWS services. If the organization (Account ID
123412341234. wants some of their users to manage credentials (access keys, password, and
sing in certificates. of all IAM users, they should set an applicable policy to that user or group of
users. The below mentioned policy allows the IAM user to modify the credentials of all IAM user’s
using only CLI, SDK or APIs. The user cannot use the AWS console for this activity since he does
not have list permission for the IAM users.
{
“Version”: “2012-10-17”,
“Statement”: [{
“Sid”: “AllowUsersAllActionsForCredentials”,
“Effect”: “Allow”
“Action”: [
“iam:*LoginProfile”,
“iam:*AccessKey*”,
“iam:*SigningCertificate*”
],
“Resource”: [“arn:aws:iam::123412341234:user/${aws:username}”]
}]
}