
IAM policies (JSON structure) in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
Service behavior
intermediate
What is the effect of this IAM policy snippet?
Given this IAM policy snippet, what will be the effect on the user permissions?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::example-bucket"
    }
  ]
}
A. The user is explicitly denied permission to delete the bucket named 'example-bucket'.
B. The user can delete the bucket named 'example-bucket'.
C. The user can perform any action on 'example-bucket' except deleting objects inside it.
D. The user is denied all actions on 'example-bucket'.
💡 Hint
Look at the Effect and Action fields carefully.
Configuration
intermediate
Which IAM policy allows listing all S3 buckets?
Select the IAM policy that correctly allows a user to list all S3 buckets in the account.
A
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "*"
  }]
}
B
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::*"
  }]
}
C
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "*"
  }]
}
D
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllBuckets",
    "Resource": "*"
  }]
}
💡 Hint
The action name must be exact and the resource for listing all buckets is special.
Architecture
advanced
Which IAM policy structure correctly restricts access to a specific DynamoDB table?
You want to allow a user to only read items from a DynamoDB table named 'Orders'. Which policy snippet correctly restricts access?
A
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
  }]
}
B
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "dynamodb:*",
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
  }]
}
C
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/*"
  }]
}
D
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
    "Resource": "*"
  }]
}
💡 Hint
Restrict the resource ARN to the exact table and limit actions to read-only.
Security
advanced
What error occurs if an IAM policy JSON misses a comma between statements?
Consider this IAM policy JSON snippet missing a comma between two statements. What error will AWS IAM report when you try to apply it?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "*"
    }
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
A. Policy applies but only the first statement works.
B. AccessDenied error when applying the policy.
C. No error; AWS IAM auto-corrects the JSON.
D. Syntax error: Missing comma between JSON objects in the Statement array.
💡 Hint
JSON syntax requires commas between objects in arrays.
🧠 Conceptual
expert
What is the final permission effect when multiple IAM policies conflict?
A user has two IAM policies attached: one explicitly allows 'ec2:StartInstances' and another explicitly denies 'ec2:StartInstances'. What is the final permission effect when the user tries to start an EC2 instance?
A. The user is allowed to start the EC2 instance because Allow overrides Deny.
B. The user is denied permission because explicit Deny overrides Allow.
C. The user is allowed only if the Allow policy has higher priority.
D. The user is denied only if the Deny policy is attached directly to the user.
💡 Hint
Explicit Deny always takes precedence over Allow in IAM.