Practice Test

True or False: An AWS account can only have a single service control policy associated with it at any given time.

  • True
  • False

Answer: False

Explanation: AWS allows multiple service control policies to be associated with an account; all SCPs attached to an account apply at the same time.

Which of the following components is NOT part of a service control policy (SCP)?

  • a. Statement
  • b. Resource
  • c. Action
  • d. Effect

Answer: b. Resource

Explanation: The elements of a service control policy (SCP) are statement, action, and effect. There is no resource element in an SCP.

True or False: A permission boundary in AWS controls maximum permissions that can be granted to an IAM user or role.

  • True
  • False

Answer: True

Explanation: Permission boundaries determine the maximum permissions that an identity-based policy can grant to an IAM entity (user or role).

Which of the following statements is TRUE about Service Control Policies (SCPs)?

  • a. SCPs deny permissions.
  • b. SCPs allow permissions.
  • c. SCPs are IAM policies.
  • d. SCPs are not IAM policies.

Answer: a. SCPs deny permissions.

Explanation: SCPs do not grant permissions; they only define which permissions are not allowed.

True or False: IAM policies and SCPs are evaluated separately in AWS.

  • True
  • False

Answer: True

Explanation: IAM policies and SCPs are evaluated separately in AWS. The SCPs take effect first, and then the IAM policies are evaluated.

Multiple select: Which items can you validate in Service Control Policies (SCPs)?

  • a. IAM role permissions
  • b. Resource tag permissions
  • c. IAM user permissions
  • d. S3 bucket policies

Answer: a. IAM role permissions, c. IAM user permissions

Explanation: SCPs allow for validation of IAM role permissions and IAM user permissions, but not resource tag permissions or S3 bucket policies.

True or False: You can set a permissions boundary for an IAM group.

  • True
  • False

Answer: False

Explanation: Permissions boundaries can be set for IAM users or roles, but not groups.

Single select: In AWS Organizations, what happens if there are no SCPs attached to an account?

  • a. All actions are denied.
  • b. All actions are allowed.
  • c. Some actions are allowed.
  • d. The account is disabled.

Answer: b. All actions are allowed.

Explanation: If there are no service control policies attached to an AWS account, all actions are allowed.

True or False: SCPs enable whitelist or blacklist access for AWS services.

  • True
  • False

Answer: True

Explanation: SCPs allow administrators to define blacklist (explicit deny) or whitelist (explicit allow) access for AWS services.

Single select: SCPs are evaluated before which of the following?

  • a. IAM Permission policies
  • b. IAM Identity Policies
  • c. IAM Role Policies
  • d. All of the above

Answer: d. All of the above

Explanation: AWS first evaluates the SCPs and then moves on to evaluate IAM permission policies, IAM identity policies, and IAM role policies.

Interview Questions

What is the primary use-case of Service Control Policies (SCPs) in AWS?

SCPs are primarily used to set fine-grained permissions and to manage permissions in AWS Organizations. They establish the maximum permissions for an organization or organizational unit (OU).

What is the maximum number of SCPs that can be associated with an AWS organization?

You can associate up to five SCPs directly with an AWS organization.

What is a permissions boundary in AWS?

A permissions boundary is an advanced feature in IAM that sets the maximum permissions that an identity-based policy can grant to an IAM entity (user or role).

How does an SCP affect the permissions of an AWS IAM user?

The permissions of an IAM user are determined by the intersection of the user’s IAM identity-based policies and the SCPs associated with the user’s account. If the IAM identity-based policies grant a permission, then the SCP must also allow that permission. If either the IAM policies or SCP does not allow the action, it cannot be performed by the user.

Can you attach an SCP directly to an IAM user or role?

No, SCPs can only be attached to an AWS organization, an organizational unit, or an account. They affect IAM users and roles indirectly, through the restrictions they impose on the permissions those entities can have.

What happens if no SCPs are associated with an organizational unit in AWS?

If no SCPs are directly associated with an organizational unit, then AWS implicitly applies a full AWS Management Console and API access policy, allowing the organizational unit to access all services and actions.

How does a permissions boundary affect an IAM role?

The permissions a role has are defined by the intersection of the permissions policy and the permissions boundary. The role can only have access to actions allowed by both documents. If either one denies an action, the role cannot perform that action.

Can a service control policy (SCP) deny all service actions for your AWS organization?

Yes, an SCP can explicitly deny all service actions across your AWS organization.

Can you attach a permissions boundary to an AWS IAM group?

No, permissions boundaries can only be attached to users and roles, not groups.

If you delete a service control policy (SCP), what will happen to the AWS accounts it was attached to?

When an SCP is deleted, it is automatically detached from all AWS accounts it was attached to. The accounts will no longer be affected by the permissions defined in the SCP.

If a permissions boundary allows an action, can an IAM user perform that action?

An IAM user can only perform an action if both their permissions policies and permissions boundary allow it. If either one denies the action, then the user cannot perform it.

Is it possible to use service control policies (SCPs) to delegate permissions to IAM users?

No, SCPs do not delegate permissions. Instead, they define a maximum set of permissions for all the accounts within an organization or organizational unit. They limit the permissions that IAM identity-based policies or resource-based policies grant to entities (users or roles) within the account.

Do service control policies (SCPs) support explicit ‘allow’ statements?

Yes, SCPs support both ‘allow’ and ‘deny’ statements, but ‘deny’ statements take precedence over ‘allow’ statements.

What is the effect of the AWS managed policy named ‘FullAWSAccess’ on SCPs?

The ‘FullAWSAccess’ managed policy allows all actions on all resources, effectively bypassing any limitations put in place by SCPs.

Do Permissions Boundaries affect the permissions of a resource-based policy?

No, permissions boundaries do not affect a resource-based policy. They limit the maximum permissions an entity can have only when used together with an IAM permissions policy.
