Practice Test

True or False? Resource-based policies in AWS are account-level policies that are attached to resources.

Answer: False.

Explanation: Resource-based policies are not account-level policies. They are policy statements that you attach to a resource such as a bucket in Amazon S

In IAM, which type of policy is used to specify what actions are allowed or denied by an entity?

  • a) Service policy
  • b) Principal policy
  • c) None of the above

Answer: b) Principal policy

Explanation: In IAM, Principal policies are those that specify what actions are allowed or denied by an entity.

True or False? Resource-based policies can either allow or deny access to your AWS resources.

Answer: True.

Explanation: Resource-based policies can both allow and deny permissions. They determine who can access the resource and what actions they can perform on it.

Can a user policy be attached to multiple AWS accounts?

  • a) Yes
  • b) No

Answer: b) No

Explanation: A user policy is attached to a user in a specific account and does not span multiple accounts.

What type of policy would you use to specify permissions that can be applied across all users and roles within an account?

  • a) SCP
  • b) User policy
  • c) Group policy
  • d) None of the above

Answer: a) SCP

Explanation: AWS Organizations uses service control policies (SCPs) to centrally control access permissions in your organization.

An Amazon EC2 instance assuming a role to obtain temporary security credentials is an example of:

  • a) Service policy
  • b) Resource-based policy
  • c) Principal policy
  • d) None of the above

Answer: c) Principal policy

Explanation: This is an example of principal policy, where a principal (an EC2 instance in this case) is allowed to assume a role to obtain temporary security credentials.

True or False? Service policies are global and apply across all regions.

Answer: True.

Explanation: Service policies by their nature are global and are applied across all regions.

Service control policies (SCPs) are a type of ______.

  • a) Resource-based policies
  • b) Principal policies
  • c) Service policies
  • d) None of the above

Answer: c) Service policies

Explanation: SCPs are a type of service policy that you can use to manage permissions in your organization.

True or False? By default, an IAM user has no permissions unless you explicitly grant them.

Answer: True.

Explanation: In IAM, by default, users don’t have permissions to do anything until you grant them.

Which policy type can be used to delegate permissions to AWS services to carry out actions on your behalf?

  • a) Resource-based policies
  • b) Service policies
  • c) Principal policies
  • d) None of the above

Answer: b) Service policies

Explanation: Service policies delegate permissions to AWS services to carry out actions on your behalf.

Interview Questions

What is a Resource-based policy in AWS?

A resource-based policy is a policy attached to a resource in AWS, for example an S3 bucket policy or a KMS key policy. Such policies include information about who can access that resource and what actions they can perform.

How are principal policies different from resource-based policies?

Principal policies are attached to users or groups and define what actions these users or groups can carry out. Resource-based policies, on the other hand, are applied to resources and define who or what can access that resource and what actions they can perform.

What are service control policies (SCPs) in AWS?

Service Control Policies (SCPs) are a type of policy that can be used to manage permissions in AWS Organizations. SCPs offer central control over the maximum permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines.

What is the purpose of AWS Identity and Access Management (IAM) in the context of resource-based policies, service policies, and principal policies?

IAM is a web service that helps you securely control access to AWS resources for your users. You can use IAM to control who is authenticated and authorized to use resources.

Can a resource-based policy and identity-based policy be attached to an AWS resource or service at the same time?

Yes, a resource-based policy and identity-based policy can be attached to an AWS resource. Both policies would collectively define the access to the resource.

What is the result of combining permission rules (principal policy, resource-based policy, etc.) when a principal makes a request in AWS?

At the end of the policy evaluation process for a request, if there is a single explicit deny, then the request is denied. If it’s not explicitly denied, the service checks for explicit allows. If there’s at least one explicit allow, then the request is allowed.

Can a service control policy (SCP) deny permissions to an AWS root user?

Yes, an SCP can deny permissions to an AWS root user. If an SCP denies a root user permission to carry out a particular action, the root user is not able to perform that action.

What is the purpose of an AWS managed policy?

AWS managed policies are designed to provide permissions necessary to carry out specific tasks. AWS maintains and updates these policies when their services’ permissions change.

How can you restrict a specific IAM user from performing certain actions in AWS?

You can restrict certain actions by attaching to the user or group a policy that defines a “Deny” rule for those actions.

Can you attach a service policy directly to a resource in AWS?

No, service policies like SCPs are attached to an AWS organization, not to a particular resource. They control the actions that services can perform for all the accounts in the organization.

What is the function of the “Effect” element in an AWS policy?

The “Effect” element in a policy specifies whether the policy allows or denies access.

In which format are AWS policies written?

AWS policies are written in JavaScript Object Notation (JSON).

Is it possible to use AWS managed policies and inline policies alongside each other?

Yes, you can use both AWS managed policies and inline policies at the same time for a user, group, or role.

What type of AWS policy primarily controls Cross-Account access?

Resource-based policies are used to control cross-account access. These policies are attached to resources and specify which principals in other accounts are allowed to access the resources.

What role does the principal element play in AWS policies?

The principal in an AWS policy is the entity (user or service) that is allowed or denied access to a resource. In a role trust policy, the principal element defines who can assume the role.
