In this scenario, what is the best practice when creating IAM policies?

A company recently adopted a hybrid architecture that integrates its on-premises data center to AWS cloud. You are assigned to configure the VPC and implement the required IAM users, IAM roles, IAM groups, and IAM policies.

In this scenario, what is the best practice when creating IAM policies?
A. Grant all permissions to any EC2 user.
B. Determine what users need to do and then craft policies for them that let the users perform those tasks including additional administrative operations.
C. Use the principle of least privilege which means granting only the least number of people with full root access.
D. Use the principle of least privilege which means granting only the permissions required to perform a task.

Answer: D

Explanation:

One of the best practices in AWS IAM is to grant least privilege.

When you create IAM policies, follow the standard security advice of granting least privilege―that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks.

Therefore, using the principle of least privilege which means granting only the permissions required to perform a task is the correct answer.

Start with a minimum set of permissions and grant additional permissions as necessary. Defining the right set of permissions requires some understanding of the user’s objectives. Determine what is required for the specific task, what actions a particular service supports, and what permissions are required in order to perform those actions.

Granting all permissions to any EC2 user is incorrect since you don’t want your users to gain access to everything and perform unnecessary actions. Doing so is not a good security practice.

Using the principle of least privilege which means granting only the least number of people with full root access is incorrect because this is not the correct definition of what the principle of least privilege is.

Determining what users need to do and then crafting policies for them that let the users perform those tasks including additional administrative operations is incorrect since there are some users who you should not give administrative access to. You should follow the principle of least privilege when providing permissions and access to your resources.

Reference:

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-groups-for-permissions

Check out this AWS IAM Cheat Sheet:

https://tutorialsdojo.com/aws-identity-and-access-management-iam/

Service Control Policies (SCP) vs IAM Policies: https://tutorialsdojo.com/service-control-policies-scp-vs-iam-policies/

Comparison of AWS Services Cheat Sheets: https://tutorialsdojo.com/comparison-of-aws-services/
