
IAM policies (JSON structure) in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
Challenge 1 (service behavior, intermediate)
What is the effect of this IAM policy snippet?
Given this IAM policy snippet, what will be the effect on the user permissions?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "arn:aws:s3:::example-bucket"
    }
  ]
}
A. The user is explicitly denied permission to delete the bucket named 'example-bucket'.
B. The user can delete the bucket named 'example-bucket'.
C. The user can perform any action on 'example-bucket' except deleting objects inside it.
D. The user is denied all actions on 'example-bucket'.
💡 Hint
Look at the Effect and Action fields carefully: a Deny statement names exactly one action here, and it says nothing about any other action on the bucket.
Challenge 2 (configuration, intermediate)
Which IAM policy allows listing all S3 buckets?
Select the IAM policy that correctly allows a user to list all S3 buckets in the account.
A
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "*"
  }]
}
B
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::*"
  }]
}
C
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "*"
  }]
}
D
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllBuckets",
    "Resource": "*"
  }]
}
💡 Hint
The action name must be exact (there is no s3:ListAllBuckets), and listing the buckets in an account is a different operation from s3:ListBucket, which lists the objects inside one bucket. The bucket-listing action is not tied to any bucket, so the only resource it accepts is "*".
Challenge 3 (architecture, advanced)
Which IAM policy structure correctly restricts access to a specific DynamoDB table?
You want to allow a user to only read items from a DynamoDB table named 'Orders'. Which policy snippet correctly restricts access?
A
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
  }]
}
B
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "dynamodb:*",
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
  }]
}
C
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/*"
  }]
}
D
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
    "Resource": "*"
  }]
}
💡 Hint
Restrict the resource ARN to the exact table and limit actions to read-only.
Challenge 4 (security, advanced)
What error occurs if an IAM policy JSON misses a comma between statements?
Consider this IAM policy JSON snippet missing a comma between two statements. What error will AWS IAM report when you try to apply it?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "*"
    }
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
A. Policy applies but only the first statement works.
B. AccessDenied error when applying the policy.
C. No error; AWS IAM auto-corrects the JSON.
D. Syntax error: Missing comma between JSON objects in the Statement array.
💡 Hint
JSON syntax requires commas between objects in arrays. IAM neither repairs nor partially applies a document that does not parse: the API rejects it with a MalformedPolicyDocument error and the existing permissions are left unchanged.
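Both failure classes behind this challenge, a document that does not parse at all and one that parses but breaks IAM's statement grammar, can be caught before the policy is ever sent to AWS. The checker below is an added example written for this page, not AWS tooling; it uses only the Python standard library. The policy strings it checks are constructed here: the snippet above with its comma removed, the same snippet repaired, and the "Permission"-instead-of-"Effect" mistake from practice problem 2.

```python
"""Offline structural checks for an IAM identity-based policy document (added example)."""
import json

# Keys IAM accepts in a statement of an identity-based policy. "Principal" is
# deliberately absent: it belongs only in resource-based policies.
IDENTITY_STATEMENT_KEYS = {"Sid", "Effect", "Action", "NotAction",
                           "Resource", "NotResource", "Condition"}


def validate_policy(text: str) -> list[str]:
    """Return the problems found in a policy document; an empty list means it passed.

    Pass 1 is plain JSON parsing, which is where a missing comma is caught and
    why IAM reports such a document as malformed instead of applying part of it.
    Pass 2 applies the grammar rules every identity-based policy must satisfy.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # exc.lineno / exc.colno point at the first token the parser could not place.
        return [f"JSON syntax error at line {exc.lineno}, column {exc.colno}: {exc.msg}"]

    if not isinstance(doc, dict):
        return ["policy document must be a JSON object"]
    problems: list[str] = []
    if doc.get("Version") != "2012-10-17":
        problems.append('"Version" should be "2012-10-17"; an older or missing version disables policy variables')

    statements = doc.get("Statement")
    if statements is None:
        problems.append('missing "Statement"')
        return problems
    if isinstance(statements, dict):          # IAM accepts a single statement object
        statements = [statements]
    if not isinstance(statements, list):
        problems.append('"Statement" must be an object or an array of objects')
        return problems

    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(stmt, dict):
            problems.append(f"{where}: must be a JSON object")
            continue
        unknown = sorted(set(stmt) - IDENTITY_STATEMENT_KEYS)
        if unknown:
            problems.append(f"{where}: unknown key(s) {unknown}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f'{where}: "Effect" must be "Allow" or "Deny"')
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f'{where}: exactly one of "Action" or "NotAction" is required')
        if ("Resource" in stmt) == ("NotResource" in stmt):
            problems.append(f'{where}: exactly one of "Resource" or "NotResource" is required')
        if "Condition" in stmt and not isinstance(stmt["Condition"], dict):
            problems.append(f'{where}: "Condition" must be a JSON object')
    return problems


# Constructed inputs: the challenge snippet without its comma, the repaired
# version, and a statement that uses "Permission" where "Effect" belongs.
MISSING_COMMA = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "*"
    }
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}"""

FIXED = MISSING_COMMA.replace("}\n    {", "},\n    {")

WRONG_KEY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Permission": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""

if __name__ == "__main__":
    for name, text in (("MISSING_COMMA", MISSING_COMMA), ("FIXED", FIXED), ("WRONG_KEY", WRONG_KEY)):
        print(name, validate_policy(text) or "OK")
```

The parser stops at the `{` opening the second statement (line 9, column 5 of the constructed document), which is exactly the position the missing comma should precede. A checker like this only knows the grammar, not the service vocabulary, so it would still accept a nonexistent action such as the s3:ListAllBuckets distractor in challenge 2; for that, IAM Access Analyzer's `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json` is the authoritative pre-deployment check.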
Challenge 5 (conceptual, expert)
What is the final permission effect when multiple IAM policies conflict?
A user has two IAM policies attached: one explicitly allows 'ec2:StartInstances' and another explicitly denies 'ec2:StartInstances'. What is the final permission effect when the user tries to start an EC2 instance?
A. The user is allowed to start the EC2 instance because Allow overrides Deny.
B. The user is denied permission because explicit Deny overrides Allow.
C. The user is allowed only if the Allow policy has higher priority.
D. The user is denied only if the Deny policy is attached directly to the user.
💡 Hint
An explicit Deny always takes precedence over an Allow in IAM, whichever policy carries it (attached to the user directly, inherited from a group, or on a role); there is no priority ordering between policies.

Practice

1. What is the main purpose of an IAM policy in AWS?
easy
A. To create virtual machines
B. To define permissions for users and resources
C. To monitor network traffic
D. To store data in the cloud

Solution

  1. Step 1: Understand IAM policy role

    An IAM policy is a JSON document that specifies permissions for AWS users, groups, or roles.
  2. Step 2: Identify main function

    Its main function is to control what actions are allowed or denied on AWS resources.
  3. Final Answer:

    To define permissions for users and resources -> Option B
  4. Quick Check:

    IAM policy = permissions definition [OK]
Hint: IAM policies control access permissions in AWS [OK]
Common Mistakes:
  • Confusing IAM policies with data storage
  • Thinking IAM policies monitor network traffic
  • Assuming IAM policies create virtual machines
2. Which of the following is the correct JSON key to specify the effect of a statement in an IAM policy?
easy
A. "Permission"
B. "Action"
C. "Resource"
D. "Effect"

Solution

  1. Step 1: Recall IAM policy statement keys

    IAM policy statements include keys like Effect, Action, Resource, and optionally Condition.
  2. Step 2: Identify key for permission type

    The key that specifies whether to allow or deny is "Effect".
  3. Final Answer:

    "Effect" -> Option D
  4. Quick Check:

    Effect key = permission type [OK]
Hint: Effect key sets allow or deny in IAM policy [OK]
Common Mistakes:
  • Using "Permission" instead of "Effect"
  • Confusing "Action" with permission type
  • Mistaking "Resource" for effect
3. Given this IAM policy statement snippet:
{
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::example-bucket"
}

What permission does this statement grant?
medium
A. Allows listing the bucket itself
B. Allows listing objects inside the bucket
C. Allows deleting the bucket
D. Allows uploading objects to the bucket

Solution

  1. Step 1: Understand the Action "s3:ListBucket"

    Despite its name, s3:ListBucket is the permission behind the ListObjects and ListObjectsV2 API calls: it lets the caller enumerate the object keys (and key metadata such as size) inside a bucket. It does not create, delete or modify the bucket, and it is not the action that lists the account's buckets (that is s3:ListAllMyBuckets). Enumerating keys is also not the same as reading them; downloading an object additionally needs s3:GetObject on the object ARN.
  2. Step 2: Match Resource and Action

    Listing is an operation performed on the bucket, so the statement is written against the bucket ARN (arn:aws:s3:::example-bucket), not against arn:aws:s3:::example-bucket/*. A statement that only names the /* object ARN would not grant listing at all, because bucket-level actions never match object ARNs.
  3. Final Answer:

    Allows listing objects inside the bucket -> Option B
  4. Quick Check:

    s3:ListBucket on a bucket ARN = enumerate the object keys in that bucket [OK]
Hint: s3:ListBucket lists the contents of one bucket; s3:ListAllMyBuckets lists the buckets [OK]
Common Mistakes:
  • Reading "ListBucket" as "list the bucket itself"; the action lists what is in the bucket
  • Assuming it grants delete or upload (those are s3:DeleteObject and s3:PutObject)
  • Writing the resource as the /* object ARN, which a bucket-level action does not match
4. Identify the error in this IAM policy statement:
{
  "Effect": "Allow",
  "Action": ["ec2:StartInstances", "ec2:StopInstances"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "ec2:Region": "us-west-2"
    }
  }
}
medium
A. The Condition key is not valid for EC2 actions
B. The Condition key should be inside the Action key
C. The policy is valid and has no errors
D. The Resource value "*" is not allowed for these actions

Solution

  1. Step 1: Check Condition usage with EC2 actions

    "Condition" is a top-level statement key, a sibling of Effect, Action and Resource, and ec2:Region is a condition key that EC2 supports, so "StringEquals": {"ec2:Region": "us-west-2"} is a legitimate way to limit these two actions to instances in that region.
  2. Step 2: Verify Resource and structure

    Resource "*" is syntactically valid here: ec2:StartInstances and ec2:StopInstances act on instance resources, "*" matches all of them, and the Condition does the narrowing. For least privilege in practice you would usually name the instance ARNs or add a tag-based condition, but that is a scoping choice, not a syntax error.
  3. Final Answer:

    The policy is valid and has no errors -> Option C
  4. Quick Check:

    Condition on ec2:Region with Resource "*" is valid [OK]
Hint: Conditions can restrict actions by region or other keys [OK]
Common Mistakes:
  • Thinking Condition is invalid for EC2
  • Assuming Resource "*" is always wrong
  • Misplacing Condition inside Action
5. You want to create an IAM policy that allows a user to read objects only from a specific S3 bucket named "my-data-bucket" but denies deleting any objects. Which policy statement correctly achieves this?
hard
A. { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-data-bucket/*" }
B. { "Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::my-data-bucket/*" }
C. { "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::my-data-bucket/*" }
D. { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-data-bucket" }

Solution

  1. Step 1: Identify required permissions

    The user needs to read objects, which is "s3:GetObject" on the objects in the bucket (the "/*" object ARN), and nothing more.
  2. Step 2: Check for delete denial

    Option A never grants "s3:DeleteObject", so with only this policy attached a delete request falls through to IAM's default, an implicit deny. That satisfies the question as posed, but note the limit: an implicit deny is simply the absence of an Allow, and any other policy attached to the same user (an "s3:*" team policy, for example) would lift it. To make the delete prohibition hold regardless of what else is attached, pair option A with the explicit Deny statement from option C; an explicit Deny cannot be overridden by any Allow.
  3. Step 3: Validate resource ARN

    The resource must include "/*" to match objects inside the bucket; the bare bucket ARN (as in option D) matches bucket-level actions such as listing, not object reads.
  4. Final Answer:

    Allow s3:GetObject on objects in my-data-bucket only -> Option A
  5. Quick Check:

    Allow read only, no delete = { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-data-bucket/*" } [OK]
Hint: Grant only the actions needed; anything not allowed is implicitly denied, and an explicit Deny is what makes a prohibition stick across every attached policy [OK]
Common Mistakes:
  • Allowing delete by mistake (option B)
  • Using the bucket ARN without /* for object-level actions (option D)
  • Using wildcard s3:*, which grants far more than read
  • Picking option C on its own: a Deny grants nothing, so the user could not read either
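The evaluation order behind challenge 5 (an Allow and a Deny for the same action) and the implicit-versus-explicit deny point in practice problem 5 can be reproduced offline. The simulator below is an added example written for this page, not AWS code: it implements IAM's wildcard matching for Action/NotAction and Resource/NotResource, applies the explicit-deny, then allow, then implicit-deny order, ignores Condition blocks, and considers only the identity-based policies handed to it. The policies and ARNs it evaluates are constructed from the questions on this page; the account ID 123456789012, the instance ID and the object keys are placeholders.

```python
"""Simulator for the IAM evaluation order on identity-based policies (added example)."""
import re
from typing import Iterable


def _as_list(value) -> list[str]:
    """Action/Resource may be one string or an array in the JSON; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern: str, candidate: str, ignore_case: bool) -> bool:
    """IAM wildcard match: '*' spans any run of characters, '?' exactly one."""
    regex = ".*".join(re.escape(part).replace(r"\?", ".") for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, candidate, flags) is not None


def _applies(stmt: dict, action: str, resource: str) -> bool:
    """True when the statement's Action/NotAction and Resource/NotResource cover the request.

    Action names are case-insensitive, ARNs are not. Condition blocks are not
    evaluated by this simulator (they are treated as satisfied).
    """
    if "Action" in stmt:
        action_ok = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
    else:
        action_ok = not any(_matches(p, action, True) for p in _as_list(stmt.get("NotAction")))
    if "Resource" in stmt:
        resource_ok = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
    else:
        resource_ok = not any(_matches(p, resource, False) for p in _as_list(stmt.get("NotResource")))
    return action_ok and resource_ok


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Return "explicit_deny", "allow" or "implicit_deny" for one request.

    The order is IAM's: a matching Deny in any policy wins outright, otherwise a
    matching Allow grants access, otherwise the default is deny. Only the
    identity-based policies passed in count; SCPs, permission boundaries,
    resource-based and session policies are out of scope here.
    """
    allowed = False
    for policy in policies:
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):        # a single statement object is legal
            statements = [statements]
        for stmt in statements:
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"          # nothing later can override this
            allowed = True
    return "allow" if allowed else "implicit_deny"


# Policies constructed from the questions on this page (IDs are placeholders).
ALLOW_START = {"Version": "2012-10-17", "Statement": [      # challenge 5, first policy
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*"}]}
DENY_START = {"Version": "2012-10-17", "Statement": [       # challenge 5, second policy
    {"Effect": "Deny", "Action": "ec2:StartInstances", "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": [        # practice 5, option A
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-data-bucket/*"}]}
DENY_DELETE = {"Version": "2012-10-17", "Statement": [      # practice 5, option C
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::my-data-bucket/*"}]}
BROAD_S3 = {"Version": "2012-10-17", "Statement": [         # hypothetical team-wide grant
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
READ_ORDERS = {"Version": "2012-10-17", "Statement": [      # challenge 3, option A
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}


def demo() -> dict[str, str]:
    """Evaluate the page's scenarios; keys name the scenario, values are the decision."""
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    obj = "arn:aws:s3:::my-data-bucket/report.csv"
    return {
        "conflict": evaluate([ALLOW_START, DENY_START], "ec2:StartInstances", instance),
        "read_only_get": evaluate([READ_ONLY], "s3:GetObject", obj),
        "read_only_delete": evaluate([READ_ONLY], "s3:DeleteObject", obj),
        "broad_delete": evaluate([READ_ONLY, BROAD_S3], "s3:DeleteObject", obj),
        "broad_delete_with_deny": evaluate([READ_ONLY, BROAD_S3, DENY_DELETE], "s3:DeleteObject", obj),
        "other_bucket": evaluate([READ_ONLY], "s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        "orders_read": evaluate([READ_ORDERS], "dynamodb:GetItem",
                                "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"),
        "customers_read": evaluate([READ_ORDERS], "dynamodb:GetItem",
                                   "arn:aws:dynamodb:us-east-1:123456789012:table/Customers"),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:24} {decision}")
```

The "broad_delete" scenario is the reason an Allow-only policy does not by itself "deny deleting": once a second attached policy grants s3:*, the delete is allowed, and only the explicit Deny from option C turns it back into a refusal. For real policies, `aws iam simulate-custom-policy --policy-input-list file://a.json file://b.json --action-names ec2:StartInstances` asks IAM itself and does take Conditions, SCPs and permission boundaries into account.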