AWS IAM Policy: Understanding Permissions and Replication


Question

An ex-employee working with a start-up firm has applied the following policy to IAM users in the Development team.

A junior engineer is looking for the permission that this policy grants so that the same policy can be replicated to other users in this team. Which statement is true concerning the permission granted with this policy?

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": ["cloudtrail:*"],
          "NotResource": ["arn:aws:cloudtrail:us-west-1:111111222222:trail/TEST-TRAIL"]
        }
      ]
    }

Answers

Explanations


A. B. C. D.

Correct Answer: A.

IAM users and roles do have permission to create or modify CloudTrail resources.

An AWS IAM identity-based policy needs to be created and attached to users or roles to give them permission to create or modify CloudTrail resources.

Above is one of the IAM identity-based policies that denies all actions on CloudTrail resources in an account except for the trail TEST-TRAIL.

Users to whom this policy is attached will only be able to modify this trail.

Option B is incorrect, as users will be permitted to perform actions on the trail named TEST-TRAIL.

Option C is incorrect, as users will be permitted to perform actions only on the trail named TEST-TRAIL, not on all other trails.

Option D is incorrect, as 111111222222 is an account ID, not a user ID.

All users in account 111111222222 to whom this policy applies will be able to perform actions on the CloudTrail trail named TEST-TRAIL.

For more information on AWS CloudTrail identity-based policies, refer to the following URL:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_id-based-policy-examples.html

The policy that has been applied to the IAM users in the Development team denies them access to all CloudTrail actions except for a specific Trail with the name TEST-TRAIL, which has been created in the us-west-1 region.

Answer A is correct.

The policy statement specifies the "Effect" as "Deny", which means that the listed actions are explicitly denied to the users. The "Action" element "cloudtrail:*" covers all CloudTrail actions. However, the "NotResource" element carves the specific CloudTrail trail with the ARN "arn:aws:cloudtrail:us-west-1:111111222222:trail/TEST-TRAIL" out of that Deny. This means that the IAM users in the Development team are denied access to all CloudTrail actions except those related to the trail named TEST-TRAIL in the us-west-1 region.
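To make the Deny/NotResource semantics concrete, here is a small, simplified policy evaluator added as an example (not code from the original page or from AWS): it embeds the policy from the question, ignores Condition and Principal elements, and also evaluates a constructed companion policy that adds an Allow statement, which shows that the Deny statement on its own grants nothing and only exempts TEST-TRAIL from the denial.

```python
import fnmatch
import json

# The policy from the question above, embedded so the block runs offline.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:*"],
    "NotResource": ["arn:aws:cloudtrail:us-west-1:111111222222:trail/TEST-TRAIL"]
  }]
}""")
# Constructed companion policy (assumption): a broad Allow plus the Deny above.
WITH_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"}]
              + POLICY["Statement"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold=False):
    # IAM wildcards are '*' and '?'; action names match case-insensitively, ARNs do not.
    if fold:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    """True when both the Action/NotAction and Resource/NotResource elements cover the request."""
    if "Action" in stmt:
        action_ok = _matches(_as_list(stmt["Action"]), action, fold=True)
    else:
        action_ok = not _matches(_as_list(stmt["NotAction"]), action, fold=True)
    if "Resource" in stmt:
        resource_ok = _matches(_as_list(stmt["Resource"]), resource)
    else:  # NotResource: the statement applies to every resource EXCEPT the listed ones
        resource_ok = not _matches(_as_list(stmt["NotResource"]), resource)
    return action_ok and resource_ok


def evaluate(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins; with no matching Allow the result is implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


TEST_TRAIL = "arn:aws:cloudtrail:us-west-1:111111222222:trail/TEST-TRAIL"
OTHER_TRAIL = "arn:aws:cloudtrail:us-west-1:111111222222:trail/PROD-TRAIL"  # constructed
```

Note that a non-resource-specific call such as cloudtrail:DescribeTrails (resource "*") is still explicitly denied, because "*" does not match the TEST-TRAIL ARN listed in NotResource.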

Answer B is incorrect, as it states that the IAM users are explicitly denied all actions on CloudTrail, but the policy exempts the specific trail named TEST-TRAIL from the Deny.

Answer C is incorrect, as it states that the IAM users are permitted to perform all actions on CloudTrail except on the specific trail named TEST-TRAIL, whereas the policy explicitly denies all CloudTrail actions except those on the trail named TEST-TRAIL.

Answer D is incorrect, as it treats "111111222222" as a specific user, but this value is the account ID in the ARN, and the policy applies to all IAM users in the Development team, not just one user.