Explore the fundamentals of IAM policy evaluation logic and understand how access decisions are made based on permissions, explicit denies, policy inheritance, and condition evaluation. This quiz is designed to help reinforce your knowledge of crucial concepts related to Identity and Access Management policy behavior.
In IAM policy evaluation, what happens if an explicit deny is found for a requested action, even if another policy allows it?
Explanation: An explicit deny always overrides allow permissions in IAM policy evaluation, resulting in access being denied. Allow statements only grant permission if no deny is in place. The action is not just skipped but proactively denied. Merging policies does not override the precedence of explicit deny.
If a user has no policies explicitly allowing or denying an action, what is the default outcome when they try to perform that action?
Explanation: The default stance in IAM policy evaluation is to deny actions unless explicitly allowed. There is no automatic warning or approval process by default. Requests are not allowed without permission, and queuing does not occur unless specifically programmed.
If a user has two policies attached: one allowing access to a resource and one denying the same access, which result is enforced?
Explanation: The deny policy overrides the allow policy, ensuring no access is granted in cases of conflict. Access being logged is not the primary evaluation result. Evaluation order is not considered; deny always takes precedence.
Suppose a group policy allows a certain action, but the user's individual policy does not mention the action. What is the cumulative effect?
Explanation: IAM evaluates all applicable policies, and an allow from any attached policy grants permission, unless another policy denies it. The absence of an explicit statement in the user's policy doesn't override the group allow. 'No effect is applied' is incorrect because combined policies are considered.
What does using a wildcard character (*) in an IAM policy action or resource mean?
Explanation: The wildcard character expands coverage to all possible actions or resources, simplifying policy management. It does not inherently deny actions or disable evaluation. Affecting only a single resource is the opposite of its meaning.
If a policy contains an allow statement with a condition that is not met, what is the outcome for the action?
Explanation: When the conditions for allowing an action are unmet, IAM treats it as if no allow was specified, resulting in denial. Ignoring the policy or putting the action on hold does not occur. Always allowing the request ignores the purpose of conditions.
What is the difference between implicit and explicit deny in IAM policy evaluation?
Explanation: Implicit deny results from a lack of allow, while explicit deny is an actual deny statement in policy. Explicit deny overrides allows, not the other way around. Neither applies exclusively to inherited policies, and implicit deny never permits access.
Does the order in which IAM policies are attached to a user or group affect the outcome of policy evaluation?
Explanation: IAM evaluation considers all policies collectively, regardless of attachment order, to determine the ultimate access decision. The first or last policies do not gain priority. Random evaluation is not performed; the system processes all policies consistently.
How are resource-based policies and identity-based policies evaluated in combination for access decisions?
Explanation: Both types of policies are evaluated, and an explicit deny from any source leads to a denial. Resource-based policies are not exclusively considered, nor do identity-based override them. Allowance requires that no explicit deny is present in either.
What is the effect of a syntax error in an IAM policy attached to a user or group?
Explanation: Syntax errors cause the policy to be ignored, so it has no effect on access decisions. Access is not always denied solely due to one faulty policy, and evaluation does not stop for all attached policies. Granting unintended permissions is not a result of policy errors.
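The following Python sketch is an added example, not part of the quiz and not any provider's real evaluation engine. It implements the rules the explanations above describe for questions 1 through 9: default (implicit) deny, an explicit deny that overrides any allow regardless of the order policies are attached, a conditional allow that counts as no allow when its condition is unmet, wildcard matching in Action and Resource, and identity-based and resource-based policies evaluated together. The policy documents, bucket name and VPC id are constructed placeholders; only the StringEquals, StringNotEquals and Bool condition operators are modelled, and NotAction, NotResource and Principal handling are deliberately left out.

```python
import fnmatch
from typing import Any, Dict, List, Optional

# Constructed sample policies in the shape of IAM policy documents (illustrative only,
# not taken from any real account). "example-bucket" and "vpc-example" are placeholders.
IDENTITY_POLICIES: List[Dict[str, Any]] = [
    {"Statement": [  # group policy: wildcard allow covering every s3:Get* action on the bucket
        {"Effect": "Allow", "Action": "s3:Get*",
         "Resource": "arn:aws:s3:::example-bucket/*"}]},
    {"Statement": [  # user policy: explicit deny on a sensitive prefix
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/secret/*"}]},
    {"Statement": [  # conditional allow: only counts when the request context satisfies it
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-example"}}}]},
]

RESOURCE_POLICIES: List[Dict[str, Any]] = [
    {"Statement": [  # bucket policy: deny reads under a legal-hold prefix
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/legal-hold/*"}]},
]

# Same-account simplification (an assumption of this example): identity-based and
# resource-based policies are merged into one set and evaluated together.
ALL_POLICIES: List[Dict[str, Any]] = IDENTITY_POLICIES + RESOURCE_POLICIES


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    """Wildcard match as in policy Action/Resource fields: '*' matches any run of
    characters (including '/'), '?' matches exactly one character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(condition: Dict[str, Any], context: Dict[str, Any]) -> bool:
    """True when every operator/key pair is satisfied by the request context.
    A key absent from the context fails StringEquals and Bool, so the statement
    contributes nothing, which is exactly the 'unmet condition' case in the quiz."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected_values = [str(v) for v in _as_list(expected)]
            if operator == "StringEquals":
                if actual is None or str(actual) not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and str(actual) in expected_values:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != expected_values[0].lower():
                    return False
            else:
                raise ValueError(f"condition operator not modelled here: {operator}")
    return True


def evaluate(action: str, resource: str, policies: List[Dict[str, Any]],
             context: Optional[Dict[str, Any]] = None) -> str:
    """Simulate the access decision for one request.
    Returns 'explicit deny', 'allow' or 'implicit deny'.

    The loop never returns early on an allow: it records the allow and keeps scanning
    so that a matching Deny anywhere in the set still wins. That is what makes the
    result independent of the order in which policies are attached."""
    context = context or {}
    decision = "implicit deny"  # the default when nothing matches
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_met(stmt.get("Condition", {}), context):
                continue  # unmet condition: treated as if the statement were absent
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # one explicit deny is final
            decision = "allow"
    return decision


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket/"
    for action, key, ctx in [
        ("s3:GetObject", "public/a.txt", {}),
        ("s3:GetObject", "secret/k.txt", {}),
        ("s3:GetObject", "legal-hold/x", {}),
        ("s3:PutObject", "a", {"aws:SourceVpc": "vpc-example"}),
        ("s3:PutObject", "a", {}),
        ("s3:DeleteObject", "a", {}),
    ]:
        print(f"{action:16} {key:16} -> {evaluate(action, bucket + key, ALL_POLICIES, ctx)}")
```

Running the script prints one line per request: the wildcard allow from the group policy permits the public read, the user's explicit deny wins for the secret prefix, the bucket policy's deny wins for the legal-hold prefix, the PutObject is allowed only when the source-VPC condition is satisfied, and the DeleteObject, mentioned by no statement, falls through to the implicit deny. Passing the same policies in reversed order yields identical decisions.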