IAM Advanced: Roles, SCPs & Permission Boundaries

Difficulty: hard

Overview

AWS IAM is the foundation of AWS security. The SCS-C02 exam requires deep understanding of how multiple policy types interact.

Policy Evaluation Logic (same account):

  1. Explicit Deny in any applicable policy → always wins
  2. SCP Allow (if the account is in an AWS Organization) → must be present
  3. Resource-based policy Allow OR Identity-based policy Allow → grants access
  4. No Allow found → implicit deny

Service Control Policies (SCPs):

  • Apply to all principals (users, roles, including root) in member accounts — NOT to the management account
  • Only RESTRICT; they never GRANT permissions
  • Must work together with IAM policies: both must allow an action
  • Inheritance: OU SCPs stack — a child OU inherits parent denies

  SCP        IAM Policy        Result
  Allow      Allow             ✅ Allowed
  Allow      Deny (explicit)   ❌ Denied
  Deny       Allow             ❌ Denied
  No match   Allow             ❌ Denied

Permission Boundaries:

  • An identity-based policy that sets the MAXIMUM permissions for an IAM entity
  • Does not grant permissions — acts as a ceiling
  • Effective permission = (identity policy) ∩ (permission boundary): an action must be allowed by both
  • Common use: allow developers to create roles without escalating their own privileges
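
The evaluation order, the SCP × IAM table and the identity ∩ boundary rule above can be checked against a small simulator. This is an added example, not code from the page or from AWS: it models Allow/Deny statements with simple action and resource wildcards only (no Condition blocks, no NotAction), and the sample policies are constructed.

```python
from fnmatch import fnmatchcase

def _stmts(policy):
    """Normalise a policy document's Statement field to a list of statements."""
    s = policy.get("Statement", []) if policy else []
    return s if isinstance(s, list) else [s]

def _matches(stmt, action, resource):
    """True when the statement's Action and Resource patterns cover the request."""
    acts = stmt.get("Action", [])
    acts = [acts] if isinstance(acts, str) else acts
    res = stmt.get("Resource", "*")
    res = [res] if isinstance(res, str) else res
    return any(fnmatchcase(action, a) for a in acts) and any(fnmatchcase(resource, r) for r in res)

def _effects(policy, action, resource):
    """Set of Effect values ('Allow'/'Deny') from the statements that match the request."""
    return {s["Effect"] for s in _stmts(policy) if _matches(s, action, resource)}

def evaluate(action, resource, identity=None, resource_policy=None, scp=None, boundary=None):
    """Return 'Allowed' or 'Denied' for one same-account request.
    scp=None: no Organizations SCP applies; boundary=None: no permission boundary is set.
    Conditions and NotAction are not modelled, and resource-policy grants are not capped by the boundary."""
    # 1. An explicit Deny in any applicable policy always wins.
    for pol in (identity, resource_policy, scp, boundary):
        if "Deny" in _effects(pol, action, resource):
            return "Denied"
    # 2. When an SCP applies it must allow the action; SCPs only restrict, never grant.
    if scp is not None and "Allow" not in _effects(scp, action, resource):
        return "Denied"
    # 3. Identity-policy grants are capped by the permission boundary: identity ∩ boundary.
    identity_allows = "Allow" in _effects(identity, action, resource) and (
        boundary is None or "Allow" in _effects(boundary, action, resource))
    # 4. Either the capped identity policy or the resource-based policy must grant the action.
    if identity_allows or "Allow" in _effects(resource_policy, action, resource):
        return "Allowed"
    # 5. Nothing allowed it: implicit deny.
    return "Denied"

# Constructed sample policies that reproduce the SCP x IAM table above.
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_TERMINATE = {"Statement": [{"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}
S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}  # "No match" for ec2 actions

if __name__ == "__main__":
    for ident, scp in ((ALLOW_ALL, ALLOW_ALL), (DENY_TERMINATE, ALLOW_ALL), (ALLOW_ALL, DENY_TERMINATE), (ALLOW_ALL, S3_ONLY)):
        print(evaluate("ec2:TerminateInstances", "*", identity=ident, scp=scp))  # Allowed, Denied, Denied, Denied
```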

IAM Access Analyzer:

  • Identifies resources accessible from outside the account/organization (external access)
  • Also validates policies for syntax errors and warns about overly permissive statements
  • Creates findings for: S3 buckets, KMS keys, SQS queues, IAM roles, Lambda, Secrets Manager

Confused Deputy Prevention (ExternalId):

  • Problem: a third party's role (the deputy), which many customers trust, could be tricked by one customer into acting on another customer's resources
  • Solution: require a condition on sts:ExternalId in the role's trust policy, with a secret value shared only with the legitimate customer
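
A defender's check for this pattern is to audit each role's trust policy (its AssumeRolePolicyDocument) for principals outside your own accounts that are not required to present sts:ExternalId. This is an added example, not code from the page or from AWS; the account ids, the external-id value and the sample trust policies are constructed, and it deliberately ignores Service and Federated principals.

```python
import re

def _as_list(v):
    """Normalise a policy field that may be a single string or a list of strings."""
    return [] if v is None else ([v] if isinstance(v, str) else list(v))

def _principal_accounts(principal):
    """Account ids (or '*') named in a statement's Principal; Service/Federated principals are ignored."""
    if principal == "*":
        return {"*"}
    found = set()
    for arn in _as_list(principal.get("AWS")):
        m = re.search(r"(?:^|:)(\d{12})(?::|$)", arn)
        found.add(m.group(1) if m else arn)  # "*" or an unparseable principal is reported as-is
    return found

def _requires_external_id(stmt):
    """True when the statement conditions the assume-role call on an sts:ExternalId value."""
    cond = stmt.get("Condition", {})
    return any("sts:ExternalId" in cond.get(op, {}) for op in ("StringEquals", "StringLike"))

def audit_trust_policy(doc, own_accounts):
    """Return [(external_account, external_id_required), ...] for each Allow statement that
    lets a principal outside own_accounts call sts:AssumeRole on this role."""
    findings = []
    stmts = doc.get("Statement", [])
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(s.get("Action"))):
            continue
        for acct in sorted(_principal_accounts(s.get("Principal", {})) - own_accounts):
            findings.append((acct, _requires_external_id(s)))
    return findings

# Constructed inputs: our own account id and a few sample trust policies.
OWN_ACCOUNTS = {"111111111111"}

def _trust(principal, condition=None):
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

VENDOR_WITH_EXTERNAL_ID = _trust({"AWS": "arn:aws:iam::222222222222:root"},
                                 {"StringEquals": {"sts:ExternalId": "example-external-id-value"}})
VENDOR_NO_EXTERNAL_ID = _trust({"AWS": "arn:aws:iam::222222222222:root"})  # confused-deputy exposure
INTERNAL_ONLY = _trust({"AWS": "arn:aws:iam::111111111111:role/Deploy"})
LAMBDA_SERVICE = _trust({"Service": "lambda.amazonaws.com"})
```

To run this against real roles you would feed in each role's AssumeRolePolicyDocument from boto3's iam.list_roles() output (assumed wiring, not shown); across many accounts the IAM Access Analyzer external-access findings described above answer the same question without custom code.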

Revoking Active Sessions:

  • Attach an inline policy to the role that denies all actions when aws:TokenIssueTime is earlier than the revocation timestamp (a DateLessThan condition)
  • This is what the console's "Revoke active sessions" action does: it attaches that policy to the role under the name AWSRevokeOlderSessions

ABAC (Attribute-Based Access Control):

  • Use IAM condition keys like aws:ResourceTag/Environment to grant access based on resource tags
  • Scales better than RBAC for large teams — tag-based rather than role-based
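
The two condition-based patterns above (the session-revocation Deny on aws:TokenIssueTime, and the ABAC Allow on aws:ResourceTag) can be built and evaluated against a request context. This is an added example, not code from the page or from AWS: it models only the StringEquals and DateLessThan operators, and the revocation time, session timestamps and Project=TeamBlue tag are constructed.

```python
from datetime import datetime, timezone

AWS_TS = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format IAM uses for date condition keys

def revoke_sessions_statement(revoked_at):
    """Deny statement for a role: blocks every session whose credentials were issued before revoked_at."""
    return {"Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": revoked_at.strftime(AWS_TS)}}}

def abac_statement(actions, tag_key, tag_value):
    """Allow statement that grants actions only on resources tagged tag_key=tag_value."""
    return {"Effect": "Allow", "Action": actions, "Resource": "*",
            "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}}}

def _parse(ts):
    return datetime.strptime(ts, AWS_TS).replace(tzinfo=timezone.utc)

def condition_matches(condition, context):
    """True when every operator/key pair in a Condition block is satisfied by the request context.
    Only StringEquals and DateLessThan are modelled. A key missing from the context never matches:
    aws:TokenIssueTime exists only for temporary credentials, so the revoke Deny cannot
    affect long-term access keys, which must be deactivated separately."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if op == "StringEquals":
                if actual != expected:
                    return False
            elif op == "DateLessThan":
                if not _parse(actual) < _parse(expected):
                    return False
            else:
                raise ValueError(f"condition operator {op} is not modelled here")
    return True

def statement_applies(stmt, context):
    """Whether the statement's Condition (if any) is met; Deny-over-Allow is applied by the caller."""
    return condition_matches(stmt.get("Condition", {}), context)

# Constructed scenario: revocation at 12:00Z, one session issued before it and one after.
REVOKED_AT = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
REVOKE = revoke_sessions_statement(REVOKED_AT)
OLD_SESSION = {"aws:TokenIssueTime": "2024-05-01T08:30:00Z"}  # could still have hours of validity
NEW_SESSION = {"aws:TokenIssueTime": "2024-05-01T12:05:00Z"}  # re-assumed after the revocation
TEAM_BLUE = abac_statement(["ec2:StartInstances", "ec2:StopInstances"], "Project", "TeamBlue")
```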

Practice Linked Questions

Difficulty: easy

Q1. What does an IAM Permission Boundary define for an IAM entity?

Difficulty: medium

Q2. An AWS Service Control Policy (SCP) attached to an OU explicitly denies ec2:TerminateInstances. A member account Administrator (with AdministratorAccess policy) tries to terminate an EC2 instance. What is the result?

Difficulty: hard

Q3. An IAM user's identity policy has an explicit Deny for s3:GetObject on all resources. An S3 bucket in the SAME account has a resource-based policy that explicitly allows s3:GetObject for that IAM user. What is the effective access?

Difficulty: medium

Q4. A third-party SaaS application requires you to create an IAM role and share the role ARN so they can access your S3 data. What should you include in the role's trust policy to prevent the confused deputy attack?

Difficulty: medium

Q5. Which statements about AWS Service Control Policies (SCPs) are CORRECT? (More than one answer may be correct — Select TWO.)

Difficulty: medium

Q6. IAM Access Analyzer is used to identify which category of security issues?

Difficulty: hard

Q7. A company wants to implement Attribute-Based Access Control (ABAC) so that developers can only start/stop EC2 instances tagged with Project=TeamBlue. Which IAM policy condition achieves this?

Difficulty: hard

Q8. A Lambda function in Account A assumes an IAM role in Account B. The resulting credentials are used to assume a role in Account C. What is the maximum session duration for the final credentials obtained from Account C?

Difficulty: hard

Q9. GuardDuty raises a finding of type UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration. What does this finding indicate and what is the MOST effective immediate response?

Difficulty: hard

Q10. A company wants to automatically DETECT and REMEDIATE existing IAM users who have the AdministratorAccess policy attached, without manual intervention. Which approach is BEST?

Difficulty: easy

Q11. What is the purpose of an IAM role's trust policy?

Difficulty: hard

Q12. A developer needs to immediately revoke ALL active sessions for an IAM role after a security incident. Active sessions can have up to 12 hours of remaining validity. What is the correct approach?

Difficulty: medium

Q13. A security team needs to identify all IAM roles across 20 AWS accounts that have trust relationships allowing external AWS accounts to assume them. Which service provides this with the LEAST operational overhead?