Which of the following are correct statements about policy evaluation logic in AWS Identity and Access Management?
A. B. C. D. E.
Answer - C and E.
Option A is incorrect because explicit deny always overrides an explicit allow.
Option B is incorrect because all requests are denied by default.
Option C is CORRECT because an explicit allow overrides the default deny.
Option D is incorrect because explicit deny cannot be overridden by an explicit allow.
Option E is CORRECT because all requests are denied by default.
The below diagram shows the evaluation logic of IAM policies.
And as per the evaluation logic, it is clear that the above scenario leads to a default deny.
For more information on the IAM policy evaluation logic, please refer to the link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
The policy evaluation logic in AWS Identity and Access Management (IAM) determines whether a request made to AWS resources is allowed or denied based on the permissions granted or denied by policies attached to the principal (user, group, or role) making the request. The following are the correct statements with regard to policy evaluation logic in AWS IAM:
A. An explicit deny does not override an explicit allow: This statement is true. If an explicit allow and an explicit deny conflict with each other, the explicit allow takes precedence over the explicit deny.
B. By default, all requests are allowed: This statement is false. By default, all requests are denied, and access to resources must be explicitly granted through policies attached to the principal making the request.
C. An explicit allow overrides default deny: This statement is also true. If there is no policy attached to the principal making the request, the default deny takes effect. However, if there is an explicit allow policy attached to the principal making the request, it overrides the default deny policy.
D. An explicit allow overrides an explicit deny: This statement is true. If there is an explicit deny and an explicit allow that conflict with each other, the explicit allow takes precedence over the explicit deny.
E. By default, all requests are denied: This statement is true. By default, all requests are denied, and access to resources must be explicitly granted through policies attached to the principal making the request.
In summary, statements A, C, D, and E are correct, while statement B is false.