Exam AWS-SysOps topic 1 question 255 discussion

Exam question from Amazon's AWS-SysOps
Question #: 255
Topic #: 1

An organization (Account ID 123412341234) has attached the below mentioned IAM policy to a user. What does this policy statement entitle the user to perform?

  • A. The policy allows the IAM user to modify all IAM user's credentials using the console, SDK, CLI or APIs
  • B. The policy will give an invalid resource error
  • C. The policy allows the IAM user to modify all credentials using only the console
  • D. The policy allows the user to modify all IAM user's password, sign in certificates and access keys using only CLI, SDK or APIs
Suggested Answer: D
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the organization (Account ID 123412341234) wants some of their users to manage credentials (access keys, password, and sign-in certificates) of all IAM users, they should set an applicable policy to that user or group of users. The below mentioned policy allows the IAM user to modify the credentials of all IAM users using only CLI, SDK or APIs. The user cannot use the AWS console for this activity since he does not have list permission for the IAM users.

Comments

Finger41
9 months, 1 week ago
All answers are wrong. ${aws:username} focalizes or restricts the policy to that of the logged user.
upvoted 1 times
...
waterzhong
10 months, 3 weeks ago
IT IS D.. https://aws.amazon.com/blogs/aws/variables-in-aws-access-control-policies/
upvoted 1 times
...
awscertified
1 year, 6 months ago
This question is wrong. None of the answers are correct. The Resource statement restricts the access to the logged user. So the user who has the policy attached can change his own credentials.
upvoted 4 times
awscertified
1 year, 6 months ago
similar example can be found here: https://aws.amazon.com/blogs/aws/variables-in-aws-access-control-policies/
upvoted 3 times
...
Golddust
1 year, 6 months ago
I agree with you here after reading your link. Variable substitution also simplifies allowing users to manage their own credentials. If you have many users, you may find it impractical to create individual policies that allow users to create and rotate their own credentials. With variable substitution, this becomes trivial to implement as a group policy. The following policy permits any IAM user to perform any of the key and certificate related actions on their own credentials. With the options available I will go with D
upvoted 1 times
...
...
karmaah
1 year, 6 months ago
Initially I thought the user who logged in to AWS has the privs to modify only their pw, access & certificates. If ${aws:username} is mentioned in "Resource": it will mean the current user who logged in to AWS has the permission to modify all IAM users' passwords, access keys, certificates since profile used *
upvoted 3 times
...
awsnoob
1 year, 7 months ago
Ans is D: The policy allows the user to modify all IAM user’s password, sign in certificates and access keys using only CLI, SDK or APIs
upvoted 3 times
...
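The comments above turn on how `${aws:username}` in a `Resource` ARN is resolved at request time. The following is an added example, not part of the original thread and not AWS code: a simplified evaluator (Allow statements only, no Deny or Condition) run against a constructed policy, since the question's own policy is not shown on this page. The policy contents, the usernames `alice` and `bob`, and all function names are assumptions.

```python
import re

# Constructed policy (the question's own policy is not shown on this page),
# following the self-service pattern described in the comments.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SigningCertificate*"],
        "Resource": "arn:aws:iam::123412341234:user/${aws:username}",
    }],
}

def glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def resolve(resource, context, version):
    """Substitute ${key} variables; None means a variable had no value."""
    if version != "2012-10-17":
        return resource  # older policy versions treat ${...} as literal text
    try:
        return re.sub(r"\$\{([^}]+)\}", lambda m: context[m.group(1)], resource)
    except KeyError:
        return None

def as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, context, action, target_arn):
    """Simplified evaluation: Allow statements only, no Deny or Condition."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(glob_match(a, action, ignore_case=True) for a in as_list(st["Action"])):
            continue
        for res in as_list(st["Resource"]):
            resolved = resolve(res, context, policy.get("Version"))
            if resolved is not None and glob_match(resolved, target_arn):
                return True
    return False

if __name__ == "__main__":
    ctx = {"aws:username": "alice"}  # constructed request context
    base = "arn:aws:iam::123412341234:user/"
    for target in ("alice", "bob"):
        print(target, is_allowed(POLICY, ctx, "iam:CreateAccessKey", base + target))
```

With this constructed policy the caller matches only their own user ARN, and the same document with `"Version": "2008-10-17"` matches no real user because the variable is left as literal text.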