IAM provides several policy templates you can use to automatically assign permissions to the groups you
create. The _____ policy template gives the Admins group permission to access all account resources, except
your AWS account information
A.
Read Only Access
B.
Power User Access
C.
AWS Cloud Formation Read Only Access
D.
Administrator Access
I would say B.
Because of “except your AWS account information”.
agree with Taka – http://docs.aws.amazon.com/directoryservice/latest/admin-guide/role_power_user.html
It is B
Here is the difference
This is administrator policy
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: “*”,
“Resource”: “*”
}
]
}
Power user policy
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“NotAction”: “iam:*”,
“Resource”: “*”
}
]
So the answer is Power user, which has a restriction on IAM
I agree with you Manu
B
AWS managed policies are designed to provide permissions for many common use cases. For example, there are AWS managed policies that define typical permissions for administrators (all access), for power users (all access except IAM), and for other various levels of access to AWS services. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
B
Before you folks answer have you tried or done this in the AWS Console?
The Answer is D
Try it. You will see the administrators groups has access to everything EXCEPT your AWS account information. If you try to access it it will give you the following error.
“You are not authorized to perform this operation.
You are currently signed in as an IAM user that does not have permissions to the requested page.”
Please when you offer an alternate answer then what is posted you VERIFY it.
I agree with DudewithaClue
The Answer is D
http://docs.aws.amazon.com/IAM/latest/UserGuide/console_controlling-access.html
”
Your AWS account profile information
Users cannot access your AWS account profile information.
”
I think too that D is correct, since Administrator group users, are still IAM users.
D is the right answer.
To clarify the confusion: AWS account information is about account’s contact information, payment currency etc. You don’t need your AWS administrator to access that. But you need them to have all other access, including IAM – ability to create users etc.
Power User cannot access IAM, so does not have permissions to manage users/ IAM service
AWS managed policies that define typical permissions for administrators (all access), for power users (all access except IAM), and for other various levels of access to AWS services.
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
Users cannot access your AWS account profile information.
http://docs.aws.amazon.com/IAM/latest/UserGuide/console_controlling-access.html
D
Answer is D
HAving administrative account information is not same as having access to IAM. By account information it means wether you can see billing and stuff like that.
Has anyone taken this test recently ? Of the 400 odd questions , some are so simple and straight forward and some are over the top complex and just difficult to understand ? Just trying to understand what is the general scope of the questions in the real exam ? Any help is highly appreciated ?
D.
Administrator Access
power user does not have IAM access and administrators does not have account information
i have try both B and D all will no access for the AWS account information
I agree with the answer. D
B
PowerUserAccess
Provides full access to AWS services and resources, but does not allow management of Users and groups.
D. Administrator Access
The answer should be PowerUserAccess
Policy ARN
arn:aws:iam::aws:policy/PowerUserAccess
Description
Provides full access to AWS services and resources, but does not allow management of Users and groups.
D is the correct answer.
Only the AWS account root user has access to view and manage billing information. IAM users cannot access billing data until the
account owner provides the user with permission access to the Billing Console, even though he has the administration access.
Think about the difference of administrating users, groups etc with IAM and see/update account information