Getting Started with Security: Understand Requirements and Best Practices of Role Assumption in AWS IAM

Learn about the prerequisites for users to assume roles in AWS IAM. Get insights into IAM policies and trust policies to ensure secure role assumption in your AWS environment.

Question

Which statement is true in regards to what is required for a user to assume a role?

A. All IAM users can assume roles in an AWS account, unless a deny policy specifies that they cannot.
B. All IAM users can assume roles in an AWS account.
C. The user needs to be defined as the principal that you trust to assume the role in the user’s IAM policy.
D. The user needs to be defined as the principal that you trust to assume the role in the trust policy.

Answer

D. The user needs to be defined as the principal that you trust to assume the role in the trust policy.

Explanation

When you set up a role, the users that will use it need to be defined as the principals in the role's trust policy.

The IAM permissions policy attached to a role gives the role its permissions, but it does not define who can use the role. That is determined by the trust policy.

In AWS Identity and Access Management (IAM), when a user needs to assume a role, certain conditions must be met. One of the critical requirements is specifying the user as the trusted principal in the trust policy attached to the role.

This trust policy defines which entities (users, roles, accounts, etc.) are allowed to assume the role. By explicitly stating the trusted principal in the trust policy, you ensure that only authorized entities can assume the role, enhancing the security of your AWS environment.

This practice follows the principle of least privilege, where access is only granted to entities that require it, reducing the risk of unauthorized access and potential security breaches.
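As an added illustration (not part of the original Q&A), the following small Python model separates the two policies: the trust policy is what decides whether a caller may perform sts:AssumeRole on the role, while the permissions policy, however broad, never grants assumption. The account id, user names and bucket name are placeholder values, and the evaluator is a simplified model of IAM (AWS principals and sts:AssumeRole only, no Condition keys).

```python
# Constructed example (not from the page): a role's trust policy, which says WHO may
# assume the role, and its permissions policy, which says WHAT the role may do.
# The account id, user names and bucket name are placeholders.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
            "Action": "sts:AssumeRole",
        }
    ],
}

PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Principal/Action fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def can_assume(trust_policy, caller_arn):
    """Evaluate a trust policy for one caller ARN: an explicit Deny wins over any Allow.

    Simplified model of IAM evaluation: only Principal.AWS entries and the
    sts:AssumeRole action are considered (no Condition keys, no Service principals).
    A permissions policy passed here returns False, since it names no principal.
    """
    allow = deny = False
    for stmt in trust_policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Principal "*" (or {"AWS": "*"}) trusts every AWS principal; flag it in reviews.
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if caller_arn in arns or "*" in arns:
            if stmt.get("Effect") == "Deny":
                deny = True
            elif stmt.get("Effect") == "Allow":
                allow = True
    return allow and not deny
```

For cross-account assumption the caller additionally needs sts:AssumeRole in its own identity-based policy; within one account the trust policy alone is sufficient.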

Getting Started with Security EDSECUv1EN-US assessment question and answer (Q&A) dump with detailed explanations and references, available free and helpful for passing the Getting Started with Security EDSECUv1EN-US assessment and earning the Getting Started with Security EDSECUv1EN-US badge.