Restricting Permissions for IAM Role: AppAdminAccess | AWS Certified Developer - Associate Exam | Amazon

Restricting Permissions for IAM Role: AppAdminAccess


Question

Certain users from your team need to assume an IAM role called AppAdminAccess for some configuration tasks.

When they use the role, they know the specific actions that are required.

You want to restrict the permissions when the role is assumed so that only specific actions can be performed in the role session.

How would you achieve this requirement?

Answers

A. Pass a session policy in the AssumeRole API call to limit the permissions of the role session.
B. Attach an IAM policy to the IAM users to limit their permissions.
C. Configure a permissions boundary for the IAM users to control their maximum permissions.
D. Create a new IAM role with the required permissions.

Explanations

Correct Answer - A.

Option A is CORRECT: The AssumeRole API accepts a session policy (the inline Policy parameter, or up to ten managed policy ARNs in PolicyArns) that limits the permissions of the resulting role session. The session's effective permissions are the intersection of the role's identity-based policies and the session policy, so a session policy can only narrow what the role already allows, never widen it.

Option B is incorrect: The identity-based policies of the IAM users do not apply once a role is assumed. The user's policy only needs to grant sts:AssumeRole on the role; after that, the role session carries the role's permissions, not the user's, so a policy on the user cannot limit the session.

Option C is incorrect: A permissions boundary set on the IAM users caps the users' own permissions, but it does not influence the permissions of a role session those users assume. A permissions boundary would only matter here if it were attached to the role itself.

Option D is incorrect: There is no need to create an extra IAM role, because the users can pass a session policy in the AssumeRole API call and obtain a session scoped to exactly the actions they need.

Reference:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session

The correct answer is A - Pass a session policy with the AssumeRole API to limit the permissions.

Explanation:

When an IAM user or an AWS service assumes an IAM role, it receives temporary credentials that carry the permissions of the role; the caller's own identity-based permissions are not in effect during the session. To restrict the permissions when the role is assumed so that only specific actions can be performed in the role session, we can use a session policy.

A session policy is an optional IAM policy passed in the AssumeRole call (the same parameter exists on AssumeRoleWithSAML, AssumeRoleWithWebIdentity, and GetFederationToken) that limits the permissions granted in the role session. It is evaluated together with the role's identity-based policies, and the session's effective permissions are the intersection of the two: a session policy can only take permissions away, it cannot add any that the role itself lacks. Note also who chooses it. The session policy is supplied by the caller, so it is a least-privilege tool for callers who want a narrowed session, not a control that stops a caller from simply omitting it. If the restriction must be enforced rather than opted into, it belongs in the role's own policies, in a permissions boundary on the role, or in a separate, narrower role.

To implement this solution, we need to follow these steps:

  1. Create an IAM role called AppAdminAccess that grants the permissions required for the configuration tasks, with a trust policy that allows the users (or their account) to assume it.
  2. Give the users an identity-based policy that allows sts:AssumeRole on the role's ARN; this is the only permission of their own they need for the task.
  3. Create a session policy that limits the permissions to only the specific actions required by the users.
  4. When the users need to perform the configuration tasks, they call the AssumeRole API on the AppAdminAccess role and pass the session policy; the temporary credentials returned are scoped to the intersection of the role's policies and the session policy.

Here's an example of what the session policy could look like in JSON format:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/*",
        "arn:aws:s3:::example-bucket"
      ]
    }
  ]
}
```

This policy restricts the session to the listed actions (GetObject, PutObject, and ListBucket) on the example-bucket S3 bucket. Those actions are usable in the session only if the AppAdminAccess role's own policies also allow them; if the role does not grant, say, s3:PutObject, listing it in the session policy does not add it.
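The steps above carried through in code, as an added example that is not part of the original page: the script builds the session policy, sends it in the AssumeRole call, and also models locally why a session policy can only narrow the role. The account ID, role ARN, bucket name and session name are assumptions; `policy_decision` is a deliberately simplified model of IAM evaluation (Allow/Deny statements with wildcard matching, no Condition elements), not the real evaluator. The `sts.assume_role(...)` call and its `Policy` parameter are the real boto3 STS API.

```python
"""Assume the AppAdminAccess role with a session policy (added example).

Assumptions (not from the page): the account ID, role ARN, bucket and session
name are hypothetical, and policy_decision() is a simplified model of IAM
evaluation (Allow/Deny with wildcard matching, no Condition elements). The
STS call itself is the real boto3 API: sts.assume_role(..., Policy=<json>).
"""
import fnmatch
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/AppAdminAccess"  # hypothetical
BUCKET = "example-bucket"                                   # hypothetical
MAX_SESSION_POLICY_CHARS = 2048  # STS limit on session policy plaintext

# Identity-based policy attached to the role itself: the most a session can ever do.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Session policy the caller passes: only three S3 actions on one bucket.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
    }],
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _listify(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are case-sensitive; '*' and '?' wildcards are allowed.
    return any(fnmatch.fnmatchcase(resource, p) for p in _listify(patterns))


def policy_decision(policy, action, resource):
    """Evaluate one policy document: an explicit Deny beats Allow, which beats implicit deny."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if (_action_matches(stmt.get("Action", []), action)
                and _resource_matches(stmt.get("Resource", []), resource)):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def session_allows(role_policy, session_policy, action, resource):
    """Intersection rule: a role session may act only if the role's own policy AND
    the session policy both allow it; a Deny in either blocks it."""
    return (policy_decision(role_policy, action, resource) == "allow"
            and policy_decision(session_policy, action, resource) == "allow")


def session_policy_text(session_policy):
    """Compact JSON as sent in the AssumeRole Policy parameter."""
    return json.dumps(session_policy, separators=(",", ":"))


def assume_with_session_policy(sts, role_arn, session_name, session_policy):
    """Call STS AssumeRole with the session policy passed inline via Policy.

    `sts` is a boto3 STS client (or any object with the same assume_role
    method), injected so the function can be exercised without network access.
    """
    policy_text = session_policy_text(session_policy)
    if len(policy_text) > MAX_SESSION_POLICY_CHARS:
        raise ValueError(f"session policy is {len(policy_text)} chars; "
                         f"STS accepts at most {MAX_SESSION_POLICY_CHARS}")
    response = sts.assume_role(RoleArn=role_arn,
                               RoleSessionName=session_name,
                               Policy=policy_text)
    return response["Credentials"]


if __name__ == "__main__":
    import boto3  # real call; needs credentials allowed to sts:AssumeRole the role
    creds = assume_with_session_policy(boto3.client("sts"), ROLE_ARN,
                                       "app-config-task", SESSION_POLICY)
    print("scoped session expires at", creds["Expiration"])
```

The CLI equivalent is `aws sts assume-role --role-arn <role-arn> --role-session-name <name> --policy file://session-policy.json`; in either case the response's PackedPolicySize field reports how much of the packed-policy budget the session policy consumed, which is worth watching when session policies grow.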

Option B (Attach an IAM policy to the IAM users to limit their permissions) and option C (Configure a permissions boundary for the IAM users to control their maximum permissions) are not suitable solutions for this scenario because they act on the IAM users, not on the role session: neither the users' identity-based policies nor a permissions boundary on the users restricts the permissions granted by the AppAdminAccess IAM role once it is assumed.

Option D (Create a new IAM role with the required permissions) is not the best solution because it means creating and maintaining a separate role for every distinct set of actions a user might need. A session policy passed in the AssumeRole API achieves the same result without creating unnecessary roles.