IAM Policies

Question 1

What is an IAM policy?

Answer 1

A policy is a document that formally states one or more permissions.

Question 2

What would happen if a user had both an explicit allow policy & an explicit deny policy set?

Answer 2

By default, an explicit deny policy will always override an explicit allow policy.

Question 3

Imagine you have a user with multiple policies across various services. What would be the quickest way to revoke access to all services, if for example, they were taking a sabbatical?

Answer 3

You could create an explicit deny policy which would override all their other policies and you could remove that when they come back from their sabbatical.

Question 4

How long does it take for policies to update / take effect?

Answer 4

They are immediate.

Question 5

What are some examples of pre-built policy templates?

Answer 5

Administrator: Full access to ALL services
Power user: Admin access except for user/group management
Read only: only view AWS resources

Question 6

What are the 2 methods of creating new policies?

Answer 6

Using the policy generator or written from scratch.

Question 7

What is the minimum contents of a policy?

Answer 7

Effect, Action, Resource

Question 8

Can a user have more than policy assigned at the same time?

Answer 8

Yes, a user can have multiple policies. If conflicts, the denial policies take precedence.

Question 9

Can policies be attached to resources? eg. EC2 instances

Answer 9

No.