An organization (Account ID 123412341234) has attached the below mentioned IAM policy to a user. What does this policy statement entitle the user to perform?
A.
The policy allows the IAM user to modify all IAM users' access keys using the console, SDK, CLI or APIs
B.
The policy allows the IAM user to modify all IAM users' credentials using the console, SDK, CLI or APIs
C.
The policy allows the IAM user to modify all credentials using only the console
D.
The policy allows the IAM user to modify the IAM user's own credentials using the console, SDK, CLI or APIs
Suggested Answer: A
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the organization (Account ID 123412341234) wants some of their users to manage keys (access and secret access keys) of all IAM users, the organization should set the below mentioned policy which entitles the IAM user to modify keys of all IAM users with CLI, SDK or API.
The correct question is:
An organization (Account ID 123412341234) has attached the below mentioned IAM policy to a user. What does this policy statement entitle the user to perform?
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowUsersAllActionsForCredentials",
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SigningCertificate*"
    ],
    "Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
  }]
}
Ans: D.
The policy allows the user to modify all IAM user’s password, sign in certificates and access keys
using only CLI, SDK or APIs
Correct answer is (D) as stated in this page:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions-required.html
"To allow users to perform any action related just to access keys, you can use iam:*AccessKey* in the Action element of a policy statement. This gives the user permission to perform the CreateAccessKey, DeleteAccessKey, GetAccessKeyLastUsed, ListAccessKeys, and UpdateAccessKey actions. (If an action is added to IAM in the future that has "AccessKey" in the name, using iam:*AccessKey* for the Action element will also give the user permission to that new action.) The following example shows a policy that allows users to perform all actions pertaining to their own access keys (replace account-id with your AWS account ID)."
Ans: D
In this case the ARN includes a variable (${aws:username}) that resolves to the current user's name
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions-required.html
The correct choice is not present - closest one is (A) but cannot modify all
Right choice should be - The policy allows the user to Get/Create/Update/Delete the user’s own access keys using only CLI, SDK or APIs.
aws:username This is a string containing the friendly name of the current user—see the chart that follows.
My choice is A
Refer to: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions-required.html
To allow users to perform any action related just to access keys, you can use iam:*AccessKey* in the Action element of a policy statement. This gives the user permission to perform the CreateAccessKey, DeleteAccessKey, GetAccessKeyLastUsed, ListAccessKeys, and UpdateAccessKey actions.
D
When you use a policy variable for the user name like this, you don't have to have a separate policy for each individual user. Instead, you can attach this new policy to an IAM group that includes everyone who should be allowed to manage their own access keys. When a user makes a request to modify his or her access key, IAM substitutes the user name from the current request for the ${aws:username} variable and evaluates the policy.
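To make the two points raised in this thread concrete (the iam:*AccessKey* wildcard expanding to the individual access-key actions, and ${aws:username} being substituted from the request before the Resource is compared), here is an added example that is not part of the thread and is not the real IAM evaluation engine: a hypothetical, deliberately minimal Python evaluator that handles only Allow statements with wildcard Action and Resource patterns (no Deny, Condition or NotAction). The account ID and policy are taken from the question; the usernames alice and bob are constructed sample values.

```python
import fnmatch
import json

# Constructed copy of the policy from the question (straight quotes, no stray space in the ARN).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowUsersAllActionsForCredentials",
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SigningCertificate*"
    ],
    "Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
  }]
}
""")

ACCOUNT = "123412341234"


def substitute_variables(pattern: str, context: dict) -> str:
    """Replace ${key} policy variables with values from the request context.

    Only variables present in `context` are substituted. An unresolved variable
    is left in place, so the pattern can never equal a real ARN and the statement
    silently fails to match (e.g. a principal with no aws:username in its context).
    """
    out = pattern
    for key, value in context.items():
        out = out.replace("${" + key + "}", value)
    return out


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Hypothetical simplified evaluator: True if any Allow statement matches.

    Action matching is case-insensitive, as in IAM; the '*' in "iam:*AccessKey*"
    is an ordinary glob, so it covers CreateAccessKey, GetAccessKeyLastUsed, etc.
    Resource matching compares the requested ARN against each Resource pattern
    after policy-variable substitution.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]

        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_ok = any(
            fnmatch.fnmatchcase(resource, substitute_variables(r, context)) for r in resources
        )
        if action_ok and resource_ok:
            return True
    return False


def user_arn(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


def demo() -> dict:
    """Evaluate a handful of requests made by the constructed user 'alice'."""
    alice = {"aws:username": "alice"}
    return {
        # Own credentials: all three action families are allowed.
        "own_access_key": is_allowed(POLICY, "iam:CreateAccessKey", user_arn("alice"), alice),
        "own_key_last_used": is_allowed(POLICY, "iam:GetAccessKeyLastUsed", user_arn("alice"), alice),
        "own_login_profile": is_allowed(POLICY, "iam:UpdateLoginProfile", user_arn("alice"), alice),
        # Another user's credentials: the substituted Resource is .../user/alice, so no match.
        "other_users_key": is_allowed(POLICY, "iam:CreateAccessKey", user_arn("bob"), alice),
        # An unrelated IAM action is outside every Action pattern.
        "list_users": is_allowed(POLICY, "iam:ListUsers", "*", alice),
        # Edge case: no aws:username in the request context, so the variable never resolves.
        "no_username_in_context": is_allowed(POLICY, "iam:CreateAccessKey", user_arn("alice"), {}),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:24s} -> {'ALLOW' if allowed else 'DENY (implicit)'}")
```

The results line up with answer D: the user can create, list, update and delete access keys, login profiles and signing certificates only for the user named in the request context, never for other users, and nothing in the policy restricts which interface (console, CLI, SDK or API) the call comes through. The last case is the one to remember in practice: a principal whose request context carries no aws:username (for example a role session) gets no access from this statement at all, because the variable never resolves.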
D is correct
Reference item = aws:username This is a string containing the friendly name of the current user—see the chart that follows.
from
Reference docs = https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html