Getting Started with Security: Understand How IAM Policy Statements Allow or Deny User Access

Learn about the crucial section in AWS IAM policy statements that determines whether a user’s access is allowed or denied. Discover how the Effect element plays a key role in controlling permissions.

Question

Which section on the IAM policy statement determines whether the user’s access is being denied or allowed?

A. Effect
B. Action
C. Resource
D. Statement

Answer

A. Effect

Explanation

The Effect section of the IAM policy is either Allow or Deny. This is what determines whether the policy statement is granting the user access to the AWS resource or explicitly denying the user access.

In an IAM policy statement, the Effect section determines whether the user’s access is being denied or allowed for the specified Action and Resource.

The Effect element can have one of two values: “Allow” or “Deny”. When set to “Allow”, the policy statement grants the permissions defined by the Action and Resource elements. When set to “Deny”, the statement explicitly denies access, overriding any other policy that might allow access.

The other sections play different roles:

  • Action specifies the API actions (like s3:GetObject) that the policy allows or denies.
  • Resource defines the AWS resources (like an S3 bucket) that the actions apply to.
  • Statement is the outer container that holds one or more policy statements, each with its own Effect, Action, and Resource.

So in summary, while Action and Resource define what is being allowed or denied access to, it is the Effect section that actually determines whether that access is permitted or blocked. Setting Effect to “Deny” ensures the user cannot access the resource, even if other policies would allow it.

Getting Started with Security EDSECUv1EN-US assessment question and answer (Q&A) dump with detailed explanations and references, available free, to help you pass the Getting Started with Security EDSECUv1EN-US assessment and earn the Getting Started with Security EDSECUv1EN-US badge.