Federated User – policy change
Hello Haridev,
Even if the IAM policy attached to the role is elevated to S3 full access, if the S3 bucket policy is properly configured, restricting who is allowed and which methods are allowed, then the federated role still won’t be able to perform what it wants on that bucket. This is because resource-based policies are evaluated first, before identity-based policies.
Regards,
Carlo @ Tutorials Dojo
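An added example, not code from the thread or from Tutorials Dojo: a simplified same-account evaluator for the situation described above, where the role's identity policy grants s3:* but the bucket policy carries an explicit Deny, so the write is refused. The policies and ARNs are constructed placeholders, and the evaluator models only the Allow/explicit-Deny rule (no Condition, NotAction, NotResource or cross-account handling).

```python
"""Simplified IAM evaluation: identity policy with s3:* versus a bucket policy
with an explicit Deny. Constructed sample policies with placeholder ARNs; this
is an illustration, not AWS's actual policy engine."""
import fnmatch

ROLE_ARN = "arn:aws:iam::111122223333:role/FederatedRole"  # placeholder ARN

# Identity-based policy attached to the federated role: S3 full access.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Resource-based bucket policy: read-only for the role, writes explicitly denied.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    """Identity policies carry no Principal element, so they always apply."""
    p = stmt.get("Principal")
    if p is None or p == "*":
        return True
    return principal in _as_list(p.get("AWS", []))


def _statement_applies(stmt, action, resource, principal):
    return (_principal_matches(stmt, principal)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def evaluate(action, resource, principal=ROLE_ARN):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.
    All applicable statements from both policies are collected; an explicit
    Deny anywhere wins, otherwise any Allow from either policy grants access."""
    applicable = [s for policy in (IDENTITY_POLICY, BUCKET_POLICY)
                  for s in policy["Statement"]
                  if _statement_applies(s, action, resource, principal)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "explicit_deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "allow"
    return "implicit_deny"
```

Running `evaluate("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv")` returns `explicit_deny` despite the role's S3 full access, while `s3:GetObject` on the same key returns `allow`.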
Hi Carlo,
Of course I understand that,
but how do you come to the conclusion that the S3 bucket policy is more restrictive (properly configured)?
Apparently and unfortunately the question bank has a lot of questions where you have to assume!
Thanks for the reply, Haridev.
The questions that we create are patterned after the current exam format and the feedback of our users. They are designed this way to give you a good impression of the actual AWS exam. AWS likes to fill in details that add ambiguity to the question, and this is something we are trying to replicate.
My last reply was kind of speculative because you asked a “what if” scenario in the first place.
On a more important note, the main objective of this question is providing the fastest way of detecting configuration changes. And using AWS Config configuration changes does this faster than a scheduled Lambda function.
Let me know what you think.
Regards,
Carlo @ Tutorials Dojo
Hi Carlo,
However, you cannot overlook the fact that there’s a technical gap in the chosen answer. And I think the question says “policy changes” and not “configuration change”, if you will.
- This reply was modified 3 years, 2 months ago by Haridev Ngangbam.
Hello Haridev,
In this question, “policy changes” and “configuration changes” can be used interchangeably. “Configuration changes” is what AWS Config calls its tracking of changes in AWS resources (IAM policy, S3 bucket).
Regards,
Carlo @ Tutorials Dojo
How about this part?
how do you come to the conclusion that the S3 bucket policy is more restrictive (properly configured)?
Hello Haridev,
As I previously stated, I was just responding to a hypothetical question. It’s only natural that you’d receive a speculative response. The scenario did not specify which resources will be tracked. It simply stated “to detect configuration changes,” so there is a gray area there. You can track changes in both IAM roles and an S3 bucket’s configuration, but since they aren’t given in the provided options, you have to carefully evaluate the options and pick the answer that makes the most sense.
- This reply was modified 3 years, 2 months ago by Carlo-TutorialsDojo.
OK, then I would see this as a question with a missing correct answer.