Thank you A Cloud Guru and Udemy. As others said, reading white papers is a must. It was tough and, as others said, there was a lot of encryption (KMS, CloudTrail/Logging and lots of policies). Policies were tough.
If a resource gives a user access, do you need access on the user policy too? I assumed not but it didn’t feel right.
As someone just posted, there are marketplace products which don’t require pentesting approval.
A few KMS questions had me scratching my head a while. Really glad we had 3 hours. Only had 20 min to spare. The KMS best practices is worth a read or two.
Best advice – read each question carefully as well as the answers. Some are tricky but fair (if that makes sense).
Clarification on resource/user policy. One rule for evaluating permissions is that if there is an explicit allow for an action and no deny, then the action is allowed. In your case I think the resource policy will be attached through a role, and hence if the role has the action allowed and the user assumes the role by any means, then the user can perform the action.
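Added example, not part of the original posts: a simplified Python model of the allow/deny rule discussed above, applied to the question of whether a resource policy alone is enough. It goes beyond the thread by also covering the cross-account case, where both the identity policy and the resource policy must allow. The ARNs, account ID, bucket name and function names are constructed placeholders, and conditions, SCPs, permission boundaries and session policies are deliberately left out.

```python
from fnmatch import fnmatchcase

# Constructed sample data: the account ID, user and bucket are placeholders.
ALICE = "arn:aws:iam::111122223333:user/alice"
OBJECTS = "arn:aws:s3:::example-bucket/*"
BUCKET_POLICY = [{"Effect": "Allow", "Principal": [ALICE],
                  "Action": ["s3:GetObject"], "Resource": [OBJECTS]}]
DENY_S3 = [{"Effect": "Deny", "Action": ["s3:*"], "Resource": ["*"]}]


def _applies(stmt, principal, action, resource):
    """True when a statement covers this request ('*' and '?' wildcards)."""
    principals = stmt.get("Principal")  # absent in identity-based policies
    if principals is not None and not {principal, "*"} & set(principals):
        return False
    return (any(fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"])
            and any(fnmatchcase(resource, r) for r in stmt["Resource"]))


def _effects(policy, principal, action, resource):
    """Set of effects ('Allow'/'Deny') from the statements that apply."""
    return {s["Effect"] for s in policy if _applies(s, principal, action, resource)}


def evaluate(principal, action, resource, identity_policy, resource_policy,
             same_account=True):
    """Simplified decision: no conditions, SCPs, boundaries or session policies."""
    ident = _effects(identity_policy, principal, action, resource)
    res = _effects(resource_policy, principal, action, resource)
    if "Deny" in ident | res:          # an explicit deny always wins
        return "explicit deny"
    if same_account:                   # either policy type may grant access
        allowed = "Allow" in ident or "Allow" in res
    else:                              # cross-account: both sides must allow
        allowed = "Allow" in ident and "Allow" in res
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate(ALICE, "s3:GetObject", obj, [], BUCKET_POLICY))
    print(evaluate(ALICE, "s3:GetObject", obj, [], BUCKET_POLICY, same_account=False))
    print(evaluate(ALICE, "s3:GetObject", obj, DENY_S3, BUCKET_POLICY))
```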