AWS Certified Solutions Architect - Associate (SAA-C02)


Why does the lab exercise apply a policy directly to a user when that is not a best practice per the IAM lessons?

IAM (chapter 4) just showed the best practice of not applying a policy directly to a ‘User’, so why is this lab exercise doing the same?

1 Answer

It is to demonstrate the benefits of Roles and how creating and assuming roles can grant temporary access to resources, even if the identity has a policy attached to it that would typically prevent access.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

Does that make sense?

J Norment

It’s actually a very efficient way to demonstrate. You get to see how a policy applied to the group, when removed from the group, affects all users in the group, and then, when you’re done setting up the permissions as described, you can see how a user with permissions applied directly behaves, how a user with no permissions applied behaves, and how a user that is configured so that they need to assume the role before having the permissions behaves.

J Norment

Also, knowing how to set up role switching (via the console) can be pretty useful for debugging why permissions aren’t working when things get a little more complex.
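The three user setups discussed above (direct policy, no policy, role that must be assumed) can be illustrated with a small simulator. This is an added example, not code from the course or from any poster; it models only the explicit-deny / allow / implicit-deny rule and the two-sided AssumeRole check, and the account id, user names, role and bucket are constructed placeholders.

```python
# Added example: simplified model of IAM identity policy evaluation versus the
# permissions of an assumed role. Real IAM also evaluates conditions, SCPs,
# permission boundaries and resource policies; this models only explicit
# Deny > Allow > implicit deny, with wildcard matching on Action/Resource.
from fnmatch import fnmatchcase

def _matches(pattern, value):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(statements, action, resource):
    """True if the statements allow `action` on `resource`.
    An explicit Deny always wins; no matching Allow is an implicit deny."""
    allowed = False
    for s in statements:
        if _matches(s["Action"], action) and _matches(s["Resource"], resource):
            if s["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def assume_role(user, role):
    """Return the role's statements if `user` may assume `role`, else None.
    Both sides must agree: the user's identity policy must allow
    sts:AssumeRole on the role ARN, and the role's trust policy must
    list the user as a trusted principal."""
    if not evaluate(user["policy"], "sts:AssumeRole", role["arn"]):
        return None
    if user["arn"] not in role["trusted_principals"]:
        return None
    return role["policy"]  # the session carries the role's permissions, not the user's

# Constructed sample data (placeholder account id 123456789012).
ROLE = {
    "arn": "arn:aws:iam::123456789012:role/S3ReadRole",
    "trusted_principals": ["arn:aws:iam::123456789012:user/carol"],
    "policy": [{"Effect": "Allow", "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::demo-bucket"}],
}
USERS = {
    "alice": {"arn": "arn:aws:iam::123456789012:user/alice",   # policy attached directly
              "policy": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "bob":   {"arn": "arn:aws:iam::123456789012:user/bob", "policy": []},  # no permissions
    "carol": {"arn": "arn:aws:iam::123456789012:user/carol",   # must assume the role
              "policy": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE["arn"]}]},
}

def can_list_bucket(name, via_role=False):
    user = USERS[name]
    statements = assume_role(user, ROLE) if via_role else user["policy"]
    return statements is not None and evaluate(statements, "s3:ListBucket", "arn:aws:s3:::demo-bucket")
```

Running `can_list_bucket("carol")` and `can_list_bucket("carol", via_role=True)` shows the point of the lab: carol's own policy grants nothing on S3, and the access only appears once the role is assumed.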
