AWS IAM User Group for DevOps - Least Privilege Policy

Question

A large telecom company is using AWS infrastructure for its web application and data storage applications.

As a SysOps Administrator, you have created separate IAM user groups based on the departments in the company.

Earlier, users in the DevOps department used to launch EC2 instances and save all data in the EFS store.

Due to a cost-cutting exercise, users are asked to save all data in S3 buckets instead of EFS.

For this, users in the DevOps team should have permission to launch an EC2 instance with a role that can access S3 buckets for saving files.

These users should not be able to grant additional roles from these EC2 instances.

Which of the following policy statements can be configured to meet the least access privilege?

Explanations

Correct Answer - D.

iam:PassRole is the permission that controls which users can delegate IAM roles to AWS resources.

Scoping its Resource element ensures that users do not have more permission to pass roles than the required minimum.

Option A is incorrect: users should have full permission to launch EC2 instances and iam:PassRole to let the EC2 instance use the S3 access role. Option A assigns these permissions the wrong way round.

Option B is incorrect: providing full permission will work but will not meet the least permission required for each user.

Option C is incorrect: users should be able to associate only the S3 access role with the instance, not any other roles.

For more information on granting a user permission to pass a role, refer to the following URLs:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

https://aws.amazon.com/blogs/security/granting-permission-to-launch-ec2-instances-with-iam-roles-passrole-permission/

As a SysOps Administrator, you need to create an IAM policy that allows users in the DevOps department to launch an EC2 instance with roles to access S3 buckets for saving files. However, these users should not be able to grant additional roles from these EC2 instances.

Option A: Create an IAM policy that allows iam:PassRole to users in the DevOps team to launch the EC2 instance, and create an additional statement allowing full permission to associate only the S3 access role with the instance.

This option grants users in the DevOps team the ability to pass IAM roles to the EC2 instances they launch. This means they can attach any IAM role they want to the instance, which is not in line with the principle of least privilege. The second statement, which grants full permission to associate only the S3 access role, does not by itself restrict the users from attaching other IAM roles.

Option B: Create an IAM policy that allows full permission to users in the DevOps team to launch the EC2 instance, and create an additional statement allowing full permission to associate only the S3 access role with the instance.

This option grants users in the DevOps team full permission to launch EC2 instances and attach IAM roles, including the S3 access role. However, it does not restrict the users from attaching other IAM roles that they are not authorized to use.

Option C: Create an IAM policy that allows full permission to users in the DevOps team to launch the EC2 instance, and create an additional statement allowing full permission to associate all roles with the instance.

This option grants users in the DevOps team full permission to launch EC2 instances and attach all IAM roles, which is not in line with the principle of least privilege. It means that the users can attach any IAM role to the instance, including those that they are not authorized to use.

Option D: Create an IAM policy that allows full permission to users in the DevOps team to launch the EC2 instance, and create an additional statement allowing iam:PassRole to associate only the S3 access role with the instance.

This option grants users in the DevOps team full permission to launch EC2 instances, which is necessary for their job role. The additional statement only allows the users to attach the S3 access role to the instance, which meets the principle of least privilege. The users are not authorized to attach any other IAM role, so they cannot reach resources they are not authorized to use.

Therefore, option D is the correct answer, as it meets the principle of least privilege by granting the users only the permissions they require for their job role. It also restricts them from attaching other IAM roles that they are not authorized to use.
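The following is an added worked example, not part of the original question or its explanation. It writes out the option D policy as a JSON policy document beside an option C style policy that grants iam:PassRole on every role, and runs both through a minimal identity-policy evaluator (explicit Deny wins, then any matching Allow, otherwise implicit deny; conditions are not modelled). The account ID and role names are constructed placeholders, and the evaluator is a teaching approximation of IAM's matching rules, not the AWS implementation.

```python
import fnmatch
import json

# Constructed placeholders for the example (not values from the page).
ACCOUNT_ID = "123456789012"
S3_ACCESS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/DevOpsS3AccessRole"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AdminRole"
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:instance/*"

# Option D: full EC2 permission plus iam:PassRole scoped to the one S3 access role.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LaunchInstances", "Effect": "Allow",
         "Action": "ec2:*", "Resource": "*"},
        {"Sid": "PassOnlyS3AccessRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": S3_ACCESS_ROLE_ARN},
    ],
}

# Option C style: iam:PassRole on every role in the account (too broad).
BROAD_PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LaunchInstances", "Effect": "Allow",
         "Action": "ec2:*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"},
    ],
}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource; fnmatch is a
    # close enough approximation for ARNs and action names in this example.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Evaluate one request against one identity policy.

    An explicit Deny on a matching statement wins; otherwise the request is
    allowed only if some Allow statement matches both action and resource.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def passable_roles(policy, candidate_role_arns):
    """Return the subset of candidate roles the policy lets a user pass to EC2."""
    return [arn for arn in candidate_role_arns
            if is_allowed(policy, "iam:PassRole", arn)]


if __name__ == "__main__":
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
    candidates = [S3_ACCESS_ROLE_ARN, ADMIN_ROLE_ARN]
    print("option D can pass:", passable_roles(LEAST_PRIVILEGE_POLICY, candidates))
    print("option C can pass:", passable_roles(BROAD_PASSROLE_POLICY, candidates))
```

With the option D policy, ec2:RunInstances is allowed and iam:PassRole succeeds only for the S3 access role; passing any other role falls through to the implicit deny. The broad policy passes every role, which is exactly the over-grant the explanation above rejects. Against a real account, the same check can be made with the AWS CLI's `aws iam simulate-principal-policy`, and the PassRole statement can be tightened further with the `iam:PassedToService` condition key set to `ec2.amazonaws.com` so the role can only be passed to EC2.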