Explore the key differences between resource-based policies and identity policies in access management. This quiz helps reinforce understanding of how each policy type governs permissions, their primary use cases, and important terminology for effective permissions control.
Which type of policy is typically attached directly to a resource to specify who can access it?
Explanation: A resource-based policy is attached directly to the resource and outlines who may access it and with what permissions. An identity policy is usually connected to users or groups, not directly to resources. Role policy and network policy are not accurate in this context; the term 'role policy' refers to permissions associated with roles, and 'network policy' generally relates to network controls, not access permissions.
If you want to allow an external user access to a resource without modifying their identity, which policy would you use?
Explanation: Resource-based policies are useful when granting access to users who are outside your organization because the permission is attached to the resource, not the user. Identity policies would require changes to the user's account, which is not always possible for external users. Action policy and audit policy are unrelated to this scenario.
Which statement best describes an identity policy?
Explanation: Identity policies specify what actions individuals or groups can perform on various resources. Resource-based policies, by contrast, are attached to resources and specify who can access them. Managing system logs or controlling network traffic are unrelated; they are handled by audit and network controls, not by identity policies.
A document allows both internal and external users to read it without changing their accounts. What type of policy supports this setup?
Explanation: This scenario is best supported by a resource-based policy because it allows direct permissions on the resource for both internal and external users. Identity policy would require altering individual accounts. Session policy and network-based policy do not deal with user access to specific resources.
Which type of policy is evaluated when a user tries to access a resource and only the user's permissions are checked?
Explanation: Identity policies are checked when access depends solely on permissions granted to the user's identity. Resource-based policies are evaluated when permissions are set directly on the resource. Encryption and group policies address different aspects; encryption policies manage data protection, and group policies are structures for organizing users, not granting direct permissions.
Which policy type is best suited for granting cross-organization or cross-account access to a resource?
Explanation: Resource-based policies are ideal for granting access across accounts or organizations, as they can specify permissions to users outside the primary domain. Identity policies work within a specific account or organization. Session-based and database policies do not typically handle access across accounts.
If you want to grant temporary access to a group of resources for a new team, which approach is commonly used?
Explanation: It's efficient to attach an identity policy to the team members, giving them permission to use the group of resources. Attaching resource-based policies to every resource can be complicated and time-consuming. Network firewalls and audit logging settings are unrelated to user permissions in this context.
When a system checks both the user's identity policy and the resource-based policy before allowing access, what is a possible outcome?
Explanation: For access to be approved, both the identity and resource-based policies must allow the action. Ignoring one or granting access if only one is satisfied would be insecure. The 'either policy alone' option doesn't reflect standard access control practices.
Which aspect do both resource-based and identity policies generally specify?
Explanation: Both types of policies define which actions (such as read or write) are permissible. Encryption algorithms, network routes, and log file retention are managed through other mechanisms, not through access policies.
If a user has an identity policy denying access, but the resource-based policy allows it, what is the effective permission?
Explanation: A denial in any policy results in access being denied, since the safest approach is to default to least privilege. If both policies allowed the action, access would be granted. Prompting for approval or relying on policy defaults does not accurately reflect standard access control behavior.
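The evaluation rule described in the last three questions (any explicit deny wins; otherwise both the identity policy and the resource-based policy must allow the action) can be made concrete in code. The following is an added example, not part of the quiz and not any cloud provider's actual evaluation logic: it is a simplified model in which a policy is a list of statements, the `Statement` type, the `evaluate_policy` / `is_access_granted` functions and the sample principals (`alice`, `carol`, `dave`) and resource (`doc-1`) are all constructed here for illustration, and a policy with no matching statement yields an "Implicit" (neither allow nor deny) result.

```python
from dataclasses import dataclass

# Hypothetical policy statement type (constructed for this example).
@dataclass(frozen=True)
class Statement:
    effect: str                                   # "Allow" or "Deny"
    actions: frozenset                            # e.g. {"read", "write"}; "*" matches any action
    resources: frozenset                          # resource ids; "*" matches any resource
    principals: frozenset = frozenset({"*"})      # who the statement covers; "*" means anyone
                                                  # (only meaningful in resource-based policies)


def _applies(stmt, principal, action, resource):
    """True when a statement's principal, action and resource all match the request."""
    return (
        ("*" in stmt.principals or principal in stmt.principals)
        and ("*" in stmt.actions or action in stmt.actions)
        and ("*" in stmt.resources or resource in stmt.resources)
    )


def evaluate_policy(statements, principal, action, resource):
    """Evaluate one policy. Returns "Deny", "Allow" or "Implicit" (nothing matched).

    An explicit Deny short-circuits: once any matching statement denies, the
    policy's answer is Deny regardless of other Allow statements.
    """
    decision = "Implicit"
    for stmt in statements:
        if not _applies(stmt, principal, action, resource):
            continue
        if stmt.effect == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_access_granted(identity_statements, resource_statements, principal, action, resource):
    """Combine both policy types exactly as the quiz describes.

    1. A Deny in either policy means access is denied (least privilege).
    2. Otherwise access is granted only if BOTH policies explicitly allow it.
    """
    identity = evaluate_policy(identity_statements, principal, action, resource)
    res = evaluate_policy(resource_statements, principal, action, resource)
    if "Deny" in (identity, res):
        return False
    return identity == "Allow" and res == "Allow"


# Constructed sample data (not taken from any real system).
IDENTITY_POLICIES = {
    # alice: identity policy allows read on doc-1
    "alice": [Statement("Allow", frozenset({"read"}), frozenset({"doc-1"}))],
    # carol: broad allow, but an explicit deny on doc-1 (the quiz's deny-overrides case)
    "carol": [
        Statement("Allow", frozenset({"read"}), frozenset({"*"})),
        Statement("Deny", frozenset({"read"}), frozenset({"doc-1"})),
    ],
    # dave: identity policy allows doc-1, but the resource policy never names him
    "dave": [Statement("Allow", frozenset({"read", "write"}), frozenset({"doc-1"}))],
}

RESOURCE_POLICIES = {
    # doc-1's resource-based policy: alice and carol may read it
    "doc-1": [
        Statement("Allow", frozenset({"read"}), frozenset({"doc-1"}),
                  frozenset({"alice", "carol"}))
    ],
}


def check(principal, action, resource):
    """Look up both policies for a request and return the combined decision."""
    return is_access_granted(
        IDENTITY_POLICIES.get(principal, []),
        RESOURCE_POLICIES.get(resource, []),
        principal, action, resource,
    )


if __name__ == "__main__":
    for who, act in [("alice", "read"), ("carol", "read"), ("dave", "read"), ("alice", "write")]:
        print(f"{who:6} {act:5} doc-1 -> {'GRANTED' if check(who, act, 'doc-1') else 'DENIED'}")
```

Walking through the sample data: `alice` is allowed by both policies and gets access; `carol` is named in the resource policy but her identity policy carries an explicit deny, so she is refused; `dave` has an identity allow but no matching resource statement, so under the "both must allow" rule he is also refused; and `alice` asking for `write` fails because neither policy grants that action.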