Assess your understanding of permission boundaries and identity and access management (IAM) policies with these foundational questions. This quiz covers the concepts, purposes, and interactions of policies and boundaries in access control settings.
What is the main purpose of setting a permission boundary for an identity in an access management system?
Explanation: Setting a permission boundary limits the maximum permissions an identity can have, acting as a guardrail. Storage space, credential backups, and network latency are unrelated to permission boundaries. Only the first option describes the correct function.
If a user has an IAM policy allowing full access to a resource, but their permission boundary only allows read access, what level of effective access do they receive?
Explanation: Effective permissions are determined by the intersection of the allowed policy and the permission boundary; the most restrictive applies. Full access isn’t possible if the boundary limits it to read. No access is incorrect unless both deny access, and write without read is not logically possible.
What happens if an identity has no permission boundary set in an access management environment?
Explanation: Without a boundary, only the assigned policies control permissions. The other options are incorrect; default behavior does not restrict to read-only, block all access, or set temporary durations.
Which statement best describes how a permission boundary and an IAM policy work together?
Explanation: Both the policy and the boundary must allow an action; otherwise, access is denied. The most permissive option does not take precedence. Boundaries do not override everything but act as a ceiling based on the policy. New policies cannot ignore boundaries.
Which of the following is considered a type of IAM policy commonly used in access management?
Explanation: Identity-based policies are widely used for granting permissions directly to users or groups. Network-based and timetable policies are not standard IAM concepts, and capacity policy refers to a different context.
You want to prevent a user from deleting resources while allowing other actions. What should you add to their IAM policy?
Explanation: To restrict delete access specifically, explicitly deny Delete actions in the policy. Adding a boundary granting more access would not solve the problem. Adjusting storage quotas does not control permissions, and removing all policies would remove all access, not just deletion rights.
What is the effect of using a wildcard symbol (*) in an action clause within an IAM policy?
Explanation: The wildcard symbol matches all possible actions, granting broad permission. It does not deny actions or restrict to those starting with a certain letter. Setting expiry is not the purpose of a wildcard in this context.
Who is typically allowed to attach a permission boundary to an identity in an access management setting?
Explanation: Only users with administrative privileges or explicit permission can attach permission boundaries. General users, the identities themselves, and external vendors do not have this ability by default, as it would compromise security.
Applying both a restrictive policy and a stringent permission boundary helps organizations enforce which security principle?
Explanation: Combining restrictive policies and boundaries limits permissions to only what is necessary—known as least privilege. The other choices suggest less secure or incorrect practices.
If an identity’s permission boundary is removed but its policies remain unchanged, how does the identity's effective permission change?
Explanation: With no permission boundary, the user’s access is controlled solely by their assigned policies. Removing a boundary does not cause a loss of all access or force a default, and no new automatic boundary is created.