Can someone help me? What does this policy does?
See options given below.
{
“Effect”: “Allow”
“Principal”: {“AWS”: “arn:aws:iam::111122223333:root”),
“Action”: “kms:*”;
“Resource”: “*”
}
A. All principals from all AWS accounts to use the key.
B. Only the root user from account 111122223333 to use the key.
C. All principals from account 111122223333 to use the key but only on Amazon S3.
D. Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key
4 Answers
has to select 2 answers
B and D. The original poster said you have to pick 2 options. Although the best answer is D if you have to pick two options then the best answer is B and D. It allows both the root user(B), as well as enables IAM policies to be defined in account 111122223333 for permitting access to other users and roles in that account(D).
Best answer is:
D. Only principals from account 111122223333 that have an IAM policy applied that grants access to this key to use the key
Because the policy is delegating the permission to the IAM, which means the user must have an IAM policy that grants access to the key to use or manage it.
The root user has full access to the key, but it is not the only user that can use the key if there are other users who has permission granted by IAM.
I agree, the best answer is D, all the other answers are incorrect.
Answer B is not correct because:
When you use an AWS account identifier as the principal in a policy, the permissions in the policy statement can be granted to all identities contained in that account. This includes IAM users and roles in that account. When you specify an AWS account, you can use the account ARN (arn:aws:iam::AWS-account-ID:root), or a shortened form that consists of the AWS: prefix followed by the account ID.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
Are you sure this is the entire question?