Consider an IAM user who is part of a group with specific permissions. What is the effect on the user's permissions immediately after they are removed from that group?
Think about how AWS evaluates permissions dynamically.
When a user is removed from a group, the permissions granted by that group are revoked immediately. AWS evaluates permissions in real time, so the user no longer inherits the group's permissions right after removal.
A company has three departments: Sales, Engineering, and HR. Each department needs different AWS permissions. What is the best way to organize IAM users and groups to manage permissions efficiently?
Think about how groups help manage permissions for many users.
Using one group per department allows you to assign permissions once to the group. Then, adding or removing users from groups automatically grants or revokes the correct permissions. This is efficient and scalable.
Consider a scenario where permissions are assigned directly to individual IAM users rather than through groups. What is a key security risk of this approach?
Think about managing many users and tracking their permissions.
Assigning permissions directly to users can lead to inconsistent permissions across users and makes it harder to audit and manage permissions. Groups help centralize and simplify permission management.
If an IAM group has multiple policies attached, how are the permissions combined for users in that group?
Think about how AWS evaluates multiple policies together.
AWS combines permissions from all attached policies by taking the union of allowed actions. This means users get all permissions granted by any of the policies.
An IAM user needs temporary elevated permissions for a specific task. Which approach follows AWS best practices for security?
Think about temporary access and avoiding permanent permission changes.
Using roles that users can assume temporarily is the best practice. It avoids permanent permission changes and reduces risk by granting elevated permissions only when needed.