What does this policy statement entitle the user to perform?

An organization (Account ID 123412341234) has attached the IAM policy shown below to a user.

What does this policy statement entitle the user to perform?

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUsersAllActionsForCredentials",
        "Effect": "Allow",
        "Action": [
            "iam:*LoginProfile",
            "iam:*AccessKey*",
            "iam:*SigningCertificate*"
        ],
        "Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
    }]
}

A. The policy allows the IAM user to modify all IAM users' credentials using the console, SDK, CLI or APIs
B. The policy will give an invalid resource error
C. The policy allows the IAM user to modify all credentials using only the console
D. The policy allows the user to modify all IAM users' passwords, sign-in certificates and access keys using only the CLI, SDK or APIs

Answer: D

Explanation:

AWS Identity and Access Management (IAM) is a web service which allows organizations to manage users and user permissions for various AWS services. If the organization (Account ID 123412341234) wants some of its users to manage the credentials (access keys, password and sign-in certificates) of all IAM users, it should attach an applicable policy to that user or group of users. The below mentioned policy allows the IAM user to modify the credentials of all IAM users using only the CLI, SDK or APIs. The user cannot use the AWS console for this activity, since he does not have list permission for the IAM users.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUsersAllActionsForCredentials",
        "Effect": "Allow",
        "Action": [
            "iam:*LoginProfile",
            "iam:*AccessKey*",
            "iam:*SigningCertificate*"
        ],
        "Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
    }]
}
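To see concretely which IAM API calls the three wildcard actions cover (and that listing users is not among them, which is why the console flow fails), here is a small added example written for this page; it is not part of the original question and not the real IAM evaluation engine. It assumes only two rules: '*' in an Action is a case-insensitive glob over API names, and ${aws:username} in a Resource is filled from the request context. The candidate action list is a constructed sample.

```python
import re

# Added example, not from the original page: a toy evaluator for one Allow
# statement. It mirrors just the two IAM rules the question turns on: '*' in an
# Action is a case-insensitive glob, and ${aws:username} comes from the request.

POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUsersAllActionsForCredentials",
        "Effect": "Allow",
        "Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SigningCertificate*"],
        "Resource": ["arn:aws:iam::123412341234:user/${aws:username}"],
    }],
}

def _matches(pattern: str, value: str, ignore_case: bool = False) -> bool:
    # Translate IAM wildcards ('*' any run, '?' one char) into a full-string regex.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _substitute(resource: str, context: dict) -> str:
    # Replace ${key} policy variables with values taken from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), resource)

def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if an Allow statement matches both the requested action and resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(p, action, ignore_case=True) for p in stmt["Action"]):
            continue
        if any(_matches(_substitute(r, context), resource) for r in stmt["Resource"]):
            return True
    return False

def covered_actions(policy: dict, candidates: list) -> list:
    """Subset of candidate API actions that some statement's Action patterns cover."""
    patterns = [p for s in policy["Statement"] for p in s["Action"]]
    return sorted(a for a in candidates if any(_matches(p, a, ignore_case=True) for p in patterns))

# Constructed sample of IAM API action names (not the full list).
CANDIDATES = [
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:GetLoginProfile",
    "iam:CreateAccessKey", "iam:ListAccessKeys", "iam:DeleteAccessKey",
    "iam:UploadSigningCertificate", "iam:ListSigningCertificates",
    "iam:ListUsers", "iam:GetUser", "iam:CreateUser",
]
```

Running covered_actions(POLICY, CANDIDATES) returns every credential-related action in the sample but leaves out iam:ListUsers, iam:GetUser and iam:CreateUser, matching the explanation's point about the missing list permission.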
