Question
What is the IAM policy evaluation order?
Answer
Explicit deny → SCP check → resource policy → permission boundary → session policy → identity-based policy. Deny at any stage = DENY.
All IAM & Access Control Flashcards
Q: How does cross-account S3 access work with roles?
A: Source account assumes role in target account. Role has S3 permissions. Objects created by the role are owned by the target account (role's account).
Q: What is the difference between identity-based and resource-based policies?
A: Identity-based: attached to user/role/group, specifies what actions they can do. Resource-based: attached to resource (S3, KMS), specifies who can access it.
Q: What are IAM policy conditions?
A: Additional constraints in policies: aws:SourceIp, aws:PrincipalOrgID, aws:RequestedRegion, kms:ViaService, s3:x-amz-acl, etc. All conditions must be true (AND).
Q: What is aws:PrincipalOrgID condition?
A: Restricts access to principals belonging to a specific AWS Organization. Simpler than listing all account IDs. Useful in resource policies for org-wide access.
Q: What is an STS session policy?
A: An inline policy passed when assuming a role or federating. Scopes down the session permissions to the intersection of role policy and session policy.
Q: What does IAM Access Analyzer policy generation do?
A: Analyzes CloudTrail events over a period and generates an IAM policy granting only the permissions actually used. Helps achieve least privilege.
Q: What is a service-linked role?
A: Pre-defined IAM role created and managed by an AWS service. Cannot modify permissions. Example: AWSServiceRoleForElasticLoadBalancing.
Q: What is the NotAction element in IAM policies?
A: Matches all actions EXCEPT those listed. Combined with Allow, it permits everything except specified actions. Not a deny — just excludes from the allow.
Q: How do you prevent credential escalation in CI/CD?
A: Use permission boundaries on roles that CI/CD creates. The boundary caps maximum permissions even if the identity policy is overly broad.