
IAM, STS & Security for Developers

Difficulty: hard

Overview


IAM for Developers:

  • Resource-based policies: Attached to resources (S3, SQS, Lambda). Allow cross-account access without role assumption.
  • Permission Boundaries: Max permissions ceiling for a user/role.
  • Session Policies: Further restrict (not expand) what a role can do per AssumeRole call.

STS (Security Token Service):

  • AssumeRole: Assume an IAM role → temporary credentials (15 min – 12 hours).
  • AssumeRoleWithWebIdentity: For OIDC providers (Google, Facebook, Cognito Identity Pool).
  • AssumeRoleWithSAML: Enterprise federation.
  • GetSessionToken: Temporary credentials for an IAM user, used to make MFA-protected API calls.

SDK Credential Chain (order):

  1. Code
  2. Environment variables
  3. ~/.aws/credentials
  4. Container credentials (ECS)
  5. EC2 Instance Profile / Lambda execution role

Cross-Account Pattern:

  1. Create role in Account B trusting Account A.
  2. Account A calls sts:AssumeRole → temp credentials.
  3. Use credentials to access Account B resources.

Resource Policy vs Role Assumption:

  • Resource policy: The caller keeps its original permissions and additionally gains access to the resource.
  • Role assumption: The caller gives up its current permissions and operates with only the assumed role's permissions.

ExternalId (sts:ExternalId): Prevents the confused deputy attack. Set as a condition in the role's trust policy and supplied by the caller on each AssumeRole call. Required when third parties assume your role.
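The cross-account pattern and the ExternalId condition above, as an added example that is not part of the original page: the trust policy Account B attaches to its role, an offline check (hypothetical helper, not how STS is implemented) showing that a caller without the agreed ExternalId is refused, and the keyword arguments a caller would pass to boto3's `sts.assume_role`. Account ids, role name and ExternalId are constructed placeholders.

```python
# Constructed placeholders; replace with real account ids and a secret ExternalId agreed with the third party.
TRUSTED_ACCOUNT_A = "111111111111"   # placeholder: the account allowed to assume the role
EXTERNAL_ID = "example-external-id"  # placeholder: shared secret required by the trust policy


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for the role in Account B: only Account A may call
    sts:AssumeRole, and only when it presents the agreed sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_allows_assume(policy: dict, caller_account_id: str, external_id=None) -> bool:
    """Offline approximation of the trust-policy check STS performs on AssumeRole
    (hypothetical helper; handles only the Allow/Principal/StringEquals shape above)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if f"arn:aws:iam::{caller_account_id}:root" not in principals:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue  # ExternalId missing or wrong: a confused deputy is stopped here
        return True
    return False


def assume_role_request(role_arn: str, external_id: str, duration_seconds: int = 3600) -> dict:
    """Keyword arguments for boto3's sts.assume_role(**kwargs). DurationSeconds must
    lie in the 15 min - 12 h window and may not exceed the role's configured maximum."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": "cross-account-example",
        "ExternalId": external_id,
        "DurationSeconds": duration_seconds,
    }
```

Calling `boto3.client("sts").assume_role(**assume_role_request(...))` from Account A returns the temporary credentials used in step 3 of the pattern.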

Practice Linked Questions


easy

Q1. A Lambda function needs to read from an S3 bucket. The developer attaches an IAM user's access keys to the function. A security reviewer flags this as incorrect. What is the recommended approach?


medium

Q2. A developer wants to grant an external AWS account temporary access to upload objects to an S3 bucket. The access should expire after 2 hours. Which approach should be used?


medium

Q3. A Lambda function uses STS AssumeRole to assume a role in another account. The function fails with "AccessDenied: User is not authorized to perform sts:AssumeRole." What must be configured?


hard

Q4. A developer is implementing attribute-based access control (ABAC) in AWS. They want to allow engineers to start/stop only EC2 instances tagged with the same "team" tag as the engineer's IAM user. Which IAM feature enables this?


hard

Q5. A developer needs to generate temporary credentials for a web application that authenticates users via Facebook. Users should get AWS credentials scoped to their own data. Which AWS service and API should be used?
