Differentiate identity-based vs resource-based policies, use condition operators, apply SCPs for organisation guardrails, and understand permission boundaries.
1 / 5
What is the difference between identity-based and resource-based IAM policies?
Identity vs resource-based: an identity-based policy is attached to a user, group or role and states what that identity may do; it has no Principal element. A resource-based policy is attached to the resource itself (an S3 bucket policy, a KMS key policy, a Lambda function policy, an IAM role's trust policy) and names the Principal it applies to. For cross-account access, the resource-based policy on (e.g.) an S3 bucket can grant access directly to a principal in another account, but the identity-based policy on that principal must also allow the action: both must permit for cross-account access to succeed. Within the same account, an Allow in either one alone is sufficient.
2 / 5
What are IAM condition operators and how are they used in policy statements?
Condition operators: "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } requires MFA. "StringEquals": { "aws:RequestedRegion": "eu-west-1" } restricts actions to a specific region. "ArnLike": { "aws:SourceArn": "arn:aws:s3:::my-bucket" } allows S3 to invoke Lambda only on behalf of a specific bucket, preventing confused-deputy attacks; it belongs in the Lambda function's resource-based policy next to the s3.amazonaws.com service principal and should be paired with aws:SourceAccount. The keys inside one Condition block are ANDed, the values listed for one key are ORed. Two caveats: requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, so a Deny written as "Bool": { "aws:MultiFactorAuthPresent": "false" } never matches them; write the Deny with "BoolIfExists" (or test for the key with the "Null" operator) so that a missing key counts as no MFA. And calls to global services such as IAM or STS go to the us-east-1 endpoint, so a plain aws:RequestedRegion restriction to eu-west-1 also blocks them unless they are excepted.
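The operators above, modelled as an added Python example (not part of the original card deck and not AWS's own evaluation engine). It evaluates a Condition block against a request context and makes the MFA pitfall concrete: a Deny written with plain Bool never fires for a call made with long-term access keys, because that request carries no aws:MultiFactorAuthPresent key, while the BoolIfExists form does fire. The request contexts, bucket names and the helper names are constructed for the example.

```python
"""Toy evaluator for IAM Condition blocks (added example, not AWS's own code).

Models Bool, BoolIfExists, StringEquals, StringLike, ArnLike and Null well enough
to show how a missing request-context key behaves under each operator.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _as_bool(value):
    return str(value).lower() == "true"


def _arn_like(actual, pattern):
    """ArnLike compares the six colon-delimited ARN components separately;
    * and ? wildcards are allowed inside each component."""
    a, p = actual.split(":", 5), pattern.split(":", 5)
    return len(a) == 6 and len(p) == 6 and all(fnmatchcase(x, y) for x, y in zip(a, p))


def condition_matches(condition, context):
    """Return True if the whole Condition block matches the request `context`.

    `context` maps condition keys (aws:...) to the values present in the request;
    a key the request does not carry is simply absent from the dict. Operators are
    ANDed, the values listed for one key are ORed, as in IAM.
    """
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            present = key in context
            if base == "Null":
                # "Null": {key: "true"} matches when the key is ABSENT from the request
                if present == _as_bool(expected):
                    return False
                continue
            if not present:
                if if_exists:
                    continue  # ...IfExists: a missing key counts as a match
                return False  # plain operators never match a missing key
            actual, values = context[key], _as_list(expected)
            if base == "Bool":
                ok = _as_bool(actual) in {_as_bool(v) for v in values}
            elif base == "StringEquals":
                ok = actual in values
            elif base == "StringLike":
                ok = any(fnmatchcase(actual, v) for v in values)
            elif base == "ArnLike":
                ok = any(_arn_like(actual, v) for v in values)
            else:
                raise ValueError(f"operator {operator} is not modelled in this toy")
            if not ok:
                return False
    return True


# Conditions as they would appear in Deny statements (the first is the buggy form).
DENY_NO_MFA_BOOL = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
DENY_NO_MFA_IFEXISTS = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
ONLY_EU_WEST_1 = {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}
ONLY_MY_BUCKET = {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::my-bucket"}}

# Constructed request contexts (hypothetical values, not captured from a real account).
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:RequestedRegion": "eu-west-1"}
ACCESS_KEY_CALL = {"aws:RequestedRegion": "us-east-1"}  # long-term keys: no MFA key at all
S3_EVENT_FROM_MY_BUCKET = {"aws:SourceArn": "arn:aws:s3:::my-bucket"}
S3_EVENT_FROM_OTHER_BUCKET = {"aws:SourceArn": "arn:aws:s3:::other-bucket"}

if __name__ == "__main__":
    print("Bool Deny fires on access-key call:",
          condition_matches(DENY_NO_MFA_BOOL, ACCESS_KEY_CALL))
    print("BoolIfExists Deny fires on access-key call:",
          condition_matches(DENY_NO_MFA_IFEXISTS, ACCESS_KEY_CALL))
```

Run it and the first line prints False (the Deny silently does nothing for access-key callers) and the second prints True. The ArnLike helper matches component by component rather than over the whole string, which is why a pattern such as arn:aws:s3:::my-* matches my-bucket but cannot spill across a colon into another component.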
3 / 5
What are Service Control Policies (SCPs) in AWS Organizations?
SCPs: a Deny on ec2:TerminateInstances in an SCP attached to a production OU prevents every principal in the production accounts, the root user included, from terminating EC2 instances, regardless of their IAM permissions. SCPs do not grant permissions; they constrain what identity-based policies can allow, and an action must be allowed by the SCPs attached at every level from the organisation root down to the account (the default FullAWSAccess policy is what makes allow-everything the starting point). The management account is exempt from SCPs, as are service-linked roles.
4 / 5
What is an IAM permission boundary and how does it interact with identity-based policies?
Permission boundaries: a permissions boundary is a managed policy attached to a user or role that sets the maximum permissions its identity-based policies can grant; it grants nothing on its own. A developer is allowed to create IAM roles, but only ones that carry the team's boundary: their identity-based policy allows iam:CreateRole, iam:AttachRolePolicy and iam:PutRolePolicy only under a condition that the iam:PermissionsBoundary key equals the boundary policy's ARN. Even if they then create a role with *:* permissions, the boundary limits it to (e.g.) only S3 and DynamoDB actions. This enables developer self-service IAM management without privilege escalation, provided the developer also cannot edit or delete the boundary policy itself or strip the boundary from a role (iam:DeleteRolePermissionsBoundary).
5 / 5
What is the IAM policy evaluation logic when multiple policies apply to a request?
Policy evaluation: the documented order is explicit Deny → Organizations SCPs → resource-based policy → identity-based policy → permissions boundary → session policy. A Deny anywhere in this chain is final, and with no matching Allow the outcome is an implicit deny. SCPs, boundaries and session policies never grant anything; each of them must also allow the action for a grant in an identity-based policy to take effect. Within the same account, an explicit Allow in either the identity-based or the resource-based policy is sufficient (if no Deny exists and SCPs permit it); across accounts, both the resource-based policy in the resource's account and the identity-based policy in the caller's account must allow. One subtlety: a resource-based policy that grants to a role's ARN is still limited by that role's permissions boundary and session policy, whereas a grant to a user ARN or to the role-session ARN is not.
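The evaluation chain above, modelled as an added Python example (not AWS's own logic, and a simplification: Condition blocks are ignored, SCPs are passed as the list of policies attached at each level from the root down, and the same-account resource-based-policy shortcut is modelled for the user and role-session case). It also exercises the SCP and permission-boundary cards: an SCP Deny overriding an admin identity policy, and a boundary cutting *:* down to S3 and DynamoDB. Account IDs, role names, bucket names and all helper names are made up for the example.

```python
"""Toy model of the IAM policy evaluation order (added example, not AWS's own logic).

Only Effect / Action / Resource / Principal are modelled; Condition blocks are
ignored and wildcard matching is approximate. All ARNs below are hypothetical.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """True if `value` matches any pattern (IAM action names are case-insensitive)."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_ok(statement, principal):
    """Identity-based policies, SCPs and boundaries carry no Principal element;
    a resource-based policy statement must name the caller (or "*")."""
    spec = statement.get("Principal")
    if spec is None or spec == "*":
        return True
    aws = _as_list(spec.get("AWS", []))
    return principal in aws or "*" in aws


def decision(policy, principal, action, resource):
    """Outcome of ONE policy document: 'Deny', 'Allow', or None (implicit deny)."""
    if policy is None:
        return None
    effects = {
        st["Effect"]
        for st in _as_list(policy.get("Statement", []))
        if _principal_ok(st, principal)
        and _matches(st.get("Action", []), action, fold_case=True)
        and _matches(st.get("Resource", []), resource)
    }
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def evaluate(principal, action, resource, *, identity=None, resource_policy=None,
             scp_levels=(), boundary=None, session=None, same_account=True):
    """Walk the chain in the documented order and return 'Allow' or 'Deny'.

    scp_levels: one list of attached SCPs per level from the org root down to the
    account; pass () for the management account, which SCPs do not apply to.
    boundary / session: None when no boundary or session policy is in play.
    """
    all_scps = [p for level in scp_levels for p in level]
    everything = [identity, resource_policy, boundary, session, *all_scps]
    # 1. An explicit Deny in any applicable policy is final.
    if any(decision(p, principal, action, resource) == "Deny" for p in everything):
        return "Deny"
    # 2. SCPs: at every level of the hierarchy some attached SCP must Allow.
    for level in scp_levels:
        if not any(decision(p, principal, action, resource) == "Allow" for p in level):
            return "Deny"
    # 3. Resource-based policy. Same account: its Allow is sufficient on its own.
    #    Cross-account: the resource owner's grant is necessary but not sufficient.
    resource_allows = decision(resource_policy, principal, action, resource) == "Allow"
    if same_account and resource_allows:
        return "Allow"
    if not same_account and not resource_allows:
        return "Deny"
    # 4. Identity-based policy must Allow.
    if decision(identity, principal, action, resource) != "Allow":
        return "Deny"
    # 5. Permissions boundary, if attached, must also Allow.
    if boundary is not None and decision(boundary, principal, action, resource) != "Allow":
        return "Deny"
    # 6. Session policy, if one was passed at AssumeRole time, must also Allow.
    if session is not None and decision(session, principal, action, resource) != "Allow":
        return "Deny"
    return "Allow"


# --- constructed policies (hypothetical account IDs and names) ----------------------
DEV_ROLE = "arn:aws:iam::111111111111:role/dev"
ADMIN_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
DATA_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}
GET_ONLY_SESSION = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
FULL_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}  # FullAWSAccess
PROD_OU_SCP = {"Statement": [{"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}
PROD_ACCOUNT_SCPS = [[FULL_ACCESS_SCP], [FULL_ACCESS_SCP, PROD_OU_SCP]]  # root, then prod OU
SHARED_BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": DEV_ROLE},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-data/*"}]}
OBJECT = "arn:aws:s3:::shared-data/report.csv"

if __name__ == "__main__":
    print(evaluate(DEV_ROLE, "ec2:TerminateInstances", "*", identity=ADMIN_IDENTITY,
                   scp_levels=PROD_ACCOUNT_SCPS))                           # Deny: SCP wins
    print(evaluate(DEV_ROLE, "ec2:RunInstances", "*", identity=ADMIN_IDENTITY,
                   boundary=DATA_BOUNDARY))                                # Deny: boundary
    print(evaluate(DEV_ROLE, "s3:GetObject", OBJECT, identity=READ_ONLY_IDENTITY,
                   resource_policy=SHARED_BUCKET_POLICY, same_account=False))  # Allow
```

The order of the checks is the whole point: moving the boundary check ahead of the resource-based shortcut, or letting an SCP Allow short-circuit the identity check, produces a model that grants access AWS would deny (or the reverse). Drop the resource-based policy or the identity-based policy from the cross-account call and the result flips to Deny, while the same call with same_account=True still allows with no identity policy at all.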