UprootSecurity

Phase 2 · AWS IAM · Lesson 3 of 4

Write IAM Policies for Real-World Scenarios

Exercise · 30 min · +20 pts

Reading IAM policies is important; writing them is where the knowledge solidifies. In this exercise, you will write IAM policies for five real-world scenarios that GRC engineers encounter regularly. Each scenario presents a specific access requirement, and your job is to write the least-privilege policy that satisfies it.

These are not trick questions. They are based on actual access patterns in production AWS environments. The goal is precision — granting exactly the permissions needed, scoping to specific resources, and including conditions where appropriate.

For each scenario, you will see a description of the requirement, a JSON template with placeholders to get you started, and a reference solution you can reveal after you have written your own version. Write your policy first, then compare.

Scenario 1: S3 Read-Only Access

S3 Read-Only Access for a Data Analyst

A data analyst needs read-only access to a specific S3 bucket containing quarterly financial reports. They need to list the contents of the bucket and download individual objects, but must not be able to upload, modify, or delete anything.

  • The bucket name is company-quarterly-reports
  • The analyst should be able to list objects in the bucket and download (get) any object
  • No write, delete, or administrative actions should be permitted
  • Note: ListBucket applies to the bucket ARN, while GetObject applies to the objects inside (bucket ARN with /*)

Write your IAM policy in JSON below. The policy must be a valid JSON object.
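A reference policy for this scenario, with a small check of the two-ARN point above. This is an added example, not the lesson's own hidden solution; the object key in the demo is constructed, and the evaluator is a deliberate simplification of IAM's logic (explicit Deny first, then Allow; conditions are not modelled). The second policy reproduces the single-ARN mistake so you can see why ListBucket fails under it:

```python
"""Scenario 1: S3 read-only policy plus a minimal allow/deny check (added example)."""
import fnmatch
import json

BUCKET = "company-quarterly-reports"

# Reference policy. s3:ListBucket is authorised against the bucket ARN and
# s3:GetObject against the objects inside it (bucket ARN + "/*"), so each
# action needs the ARN form it actually operates on.
S3_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListReportsBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Sid": "ReadReportObjects",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}

# The common mistake from this lesson, constructed here for comparison: one
# statement, one ARN. GetObject still works, but ListBucket is evaluated
# against the bucket ARN, which "<bucket>/*" never matches, so every list
# call fails with AccessDenied.
SINGLE_ARN_MISTAKE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match (* and ?). Action names compare
    case-insensitively, ARNs do not. fnmatch also treats [...] as a character
    class, which IAM does not; no pattern here uses brackets."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny always wins,
    otherwise at least one statement must Allow the (action, resource) pair.
    Conditions are not modelled; no policy in this scenario uses them."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, case_insensitive=True) and _matches(
            stmt["Resource"], resource
        ):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(S3_READ_ONLY_POLICY, indent=2))
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    object_arn = f"{bucket_arn}/2024/q3-report.pdf"  # constructed object key
    for name, policy in (("reference", S3_READ_ONLY_POLICY), ("single-ARN", SINGLE_ARN_MISTAKE)):
        print(
            f"{name:10} ListBucket={is_allowed(policy, 's3:ListBucket', bucket_arn)} "
            f"GetObject={is_allowed(policy, 's3:GetObject', object_arn)} "
            f"PutObject={is_allowed(policy, 's3:PutObject', object_arn)}"
        )
```

Running the block prints the reference policy and then one line per policy; the single-ARN variant shows ListBucket=False, which is exactly the AccessDenied the analyst would report.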

Scenario 2: Cross-Account Assume Role (Trust Policy)

Cross-Account Audit Role Trust Policy

The security team in account 111111111111 needs to assume a read-only audit role in account 222222222222. Write the trust policy for the role in account 222222222222 that allows only the security team's role to assume it, and only when MFA is present.

  • This is a trust policy (attached to the role being assumed), not an identity-based policy
  • The security team's role ARN in account 111111111111 is: arn:aws:iam::111111111111:role/SecurityTeamRole. A role ARN used as a Principal is stored as the role's unique ID when the policy is saved, so if SecurityTeamRole is ever deleted and recreated the trust policy stops matching and must be updated
  • MFA must be required as a condition — use the aws:MultiFactorAuthPresent condition key with the Bool operator and the value "true" in the Allow statement. The key is only present in the request context when the caller uses temporary credentials, and it is "true" only for a session that was established with MFA, so an IAM user calling AssumeRole with long-term access keys and no MFA has no such key and the Allow simply does not match (it fails closed). Do not write it as a Deny on "false": Bool never matches an absent key, so that form fails open unless BoolIfExists is used
  • The Action for trust policies is sts:AssumeRole and the Principal specifies who can assume the role

Write your IAM policy in JSON below. The policy must be a valid JSON object.
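A reference trust policy with an evaluator for the MFA condition, as an added example rather than the lesson's own solution. Only the Bool and BoolIfExists operators are modelled, and the caller is identified by its role ARN rather than an assumed-role session ARN. The second policy is the deny-on-"false" variant, constructed to show why it fails open for a caller whose request context has no MFA key at all:

```python
"""Scenario 2: audit-role trust policy plus a check of the MFA condition (added example)."""
import json

TRUSTED_ROLE_ARN = "arn:aws:iam::111111111111:role/SecurityTeamRole"

# Reference trust policy for the audit role in account 222222222222.
# Allow + Bool "true" fails closed: when aws:MultiFactorAuthPresent is absent
# from the request context (long-term access keys, no MFA passed to
# AssumeRole) the Bool test is false and the statement simply does not match.
AUDIT_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecurityTeamAssumeWithMFA",
            "Effect": "Allow",
            "Principal": {"AWS": TRUSTED_ROLE_ARN},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}

# The tempting alternative, constructed for comparison: allow unconditionally
# and deny when MFA is "false". Bool never matches an absent key, so a caller
# without the key in its context is not denied. Fixing it would need
# BoolIfExists on the Deny; the Allow-with-condition form above avoids the issue.
DENY_ON_FALSE_MISTAKE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": TRUSTED_ROLE_ARN},
            "Action": "sts:AssumeRole",
        },
        {
            "Effect": "Deny",
            "Principal": {"AWS": TRUSTED_ROLE_ARN},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Evaluate the Bool and BoolIfExists operators against a request context.
    Bool on an absent key is False; BoolIfExists treats an absent key as a match."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "BoolIfExists":
                if actual is not None and actual.lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
    return True


def can_assume(trust_policy, caller_role_arn, context):
    """Simplified trust-policy evaluation for sts:AssumeRole. The caller is
    identified by its role ARN (a session of that role matches a role-ARN
    Principal); context is the request context, e.g.
    {"aws:MultiFactorAuthPresent": "true"}. An explicit Deny wins."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if caller_role_arn not in _as_list(stmt["Principal"].get("AWS", [])):
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(AUDIT_ROLE_TRUST_POLICY, indent=2))
    contexts = {
        "session with MFA": {"aws:MultiFactorAuthPresent": "true"},
        "session without MFA": {"aws:MultiFactorAuthPresent": "false"},
        "long-term keys (no key in context)": {},
    }
    for label, ctx in contexts.items():
        print(f"{label:36} reference={can_assume(AUDIT_ROLE_TRUST_POLICY, TRUSTED_ROLE_ARN, ctx)} "
              f"deny-on-false={can_assume(DENY_ON_FALSE_MISTAKE, TRUSTED_ROLE_ARN, ctx)}")
```

The third row of the output is the one to remember: the reference policy refuses the caller with no MFA key in its context, the deny-on-"false" variant lets it through.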

Scenario 3: SCP — Deny CloudTrail Deletion

SCP: Protect CloudTrail Integrity

Write a Service Control Policy (SCP) that prevents anyone in the organization from stopping CloudTrail logging, deleting CloudTrail trails, or modifying event selectors. This SCP will be attached to the root OU to protect audit log integrity across all accounts.

  • SCPs use the same JSON syntax as IAM policies but are attached at the Organization/OU level. They restrict member accounts only: the organization's management account is never limited by an SCP, and an SCP never grants permissions on its own
  • This should be a Deny policy — an explicit Deny in an SCP cannot be overridden by any IAM policy in the affected accounts, including AdministratorAccess
  • The actions to deny: cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:PutEventSelectors. In production cloudtrail:UpdateTrail is usually added as well, because it can change the destination bucket or turn off multi-region logging without stopping the trail; this scenario asks only for the three actions above
  • Resource should be * since this applies organization-wide to all CloudTrail trails

Write your IAM policy in JSON below. The policy must be a valid JSON object.
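A reference SCP plus a check of the two things practitioners most often misjudge: that an SCP Deny beats even AdministratorAccess in a member account but has no effect in the management account, and that the scenario's three actions leave cloudtrail:UpdateTrail open. This is an added example, not the lesson's own solution; the trail ARN and account ID are constructed, and the evaluator assumes the default FullAWSAccess SCP is still attached so that only Deny statements in SCPs matter:

```python
"""Scenario 3: CloudTrail-protecting SCP plus a check of what it stops and what it leaves open (added example)."""
import fnmatch
import json

PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        }
    ],
}

# The most permissive identity-based policy a principal can carry (the single
# statement of the AWS-managed AdministratorAccess policy).
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Actions that can silence, delete, reconfigure or redirect a trail; the last
# one is not in the scenario's list and is reported as a gap below.
INTEGRITY_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:PutEventSelectors",
    "cloudtrail:UpdateTrail",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match (* and ?); action names are case-insensitive."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _decision(policy, action, resource):
    """'Deny', 'Allow' or None for one policy document; Deny wins inside it."""
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, case_insensitive=True) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def effective_decision(scps, identity_policy, action, resource, management_account=False):
    """Simplified evaluation for a principal in a member account: an explicit
    Deny in any SCP on the path from the root OU to the account ends the
    evaluation before identity-based policies are consulted. Two caveats are
    modelled: the management account is never restricted by SCPs, and the
    default FullAWSAccess SCP is assumed to remain attached, so only Deny
    statements in the SCPs matter."""
    if not management_account and any(_decision(scp, action, resource) == "Deny" for scp in scps):
        return False
    return _decision(identity_policy, action, resource) == "Allow"


def uncovered_actions(scp, candidate_actions):
    """Which of the candidate actions the SCP does not explicitly deny."""
    return [a for a in candidate_actions if _decision(scp, a, "*") != "Deny"]


if __name__ == "__main__":
    print(json.dumps(PROTECT_CLOUDTRAIL_SCP, indent=2))
    trail = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"  # constructed
    for action in INTEGRITY_ACTIONS + ["cloudtrail:DescribeTrails"]:
        member = effective_decision([PROTECT_CLOUDTRAIL_SCP], ADMINISTRATOR_ACCESS, action, trail)
        mgmt = effective_decision([PROTECT_CLOUDTRAIL_SCP], ADMINISTRATOR_ACCESS, action, trail, management_account=True)
        print(f"{action:32} admin in member account={member!s:5} in management account={mgmt}")
    print("not covered by the SCP:", uncovered_actions(PROTECT_CLOUDTRAIL_SCP, INTEGRITY_ACTIONS))
```

The last line of output is the coverage gap; whether you close it by adding cloudtrail:UpdateTrail is a design decision, but the management-account exemption cannot be closed with an SCP at all, which is why organization trails are best owned by a dedicated log-archive account rather than the management account.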

Scenario 4: Least-Privilege Lambda Execution Role

Least-Privilege Lambda Execution Role

A Lambda function processes images uploaded to an S3 bucket and writes metadata to a DynamoDB table. Write the identity-based policy for the Lambda execution role that grants exactly the permissions needed — no more.

  • The S3 bucket name is image-uploads — the Lambda needs to read (GetObject) images from it. If the function is invoked by S3 event notifications, the object key arrives in the event and no s3:ListBucket is needed
  • The DynamoDB table name is image-metadata in us-east-1, account 123456789012 — the Lambda needs to write items (PutItem)
  • The Lambda also needs to write logs to CloudWatch Logs (CreateLogGroup, CreateLogStream, PutLogEvents)
  • Use specific resource ARNs wherever possible: arn:aws:s3:::image-uploads/* for S3, arn:aws:dynamodb:us-east-1:123456789012:table/image-metadata for DynamoDB, arn:aws:logs:us-east-1:123456789012:* for CloudWatch Logs. When the function name is known, the logs resource can be narrowed further to the function's own log group, arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/<function-name>:*, since Lambda only ever writes there

Write your IAM policy in JSON below. The policy must be a valid JSON object.
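A generator that builds the execution policy from the scenario's inputs, plus a lint pass for the least-privilege mistakes listed in the "After you finish" section of this page. This is an added example, not the lesson's own solution. The function name image-processor used in the demo is an assumption, included only to show the narrower log-group ARN; with no name the generator falls back to the account/region-wide logs ARN the scenario allows:

```python
"""Scenario 4: generate the Lambda execution policy from its inputs and lint it (added example)."""
import fnmatch
import json

REQUIRED_ACTIONS = {
    "s3:GetObject",
    "dynamodb:PutItem",
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
}


def lambda_execution_policy(bucket, table, region, account, function_name=None):
    """Identity-based policy for the execution role.

    CloudWatch Logs is scoped to the function's own log group when the function
    name is known (Lambda logs to /aws/lambda/<function_name>): the log-group
    ARN without a suffix covers CreateLogGroup, the ":*" form covers the log
    streams written by CreateLogStream/PutLogEvents. Otherwise the policy
    falls back to the account/region-wide logs ARN the exercise allows."""
    if function_name:
        group = f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function_name}"
        logs_resources = [group, f"{group}:*"]
    else:
        logs_resources = f"arn:aws:logs:{region}:{account}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadUploadedImages",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "WriteImageMetadata",
                "Effect": "Allow",
                "Action": "dynamodb:PutItem",
                "Resource": f"arn:aws:dynamodb:{region}:{account}:table/{table}",
            },
            {
                "Sid": "WriteFunctionLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": logs_resources,
            },
        ],
    }


# Constructed counter-example: what a hurried "just make it work" policy looks like.
OVERBROAD_MISTAKE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Overbroad", "Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "logs:*"], "Resource": "*"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_actions(policy):
    """Every action pattern an Allow statement grants, sorted, wildcards kept verbatim."""
    return sorted({a for s in policy["Statement"] if s["Effect"] == "Allow" for a in _as_list(s["Action"])})


def lint(policy, required_actions):
    """Least-privilege findings: '*' resources, wildcard actions, exact actions
    the workload does not need, and required actions nothing grants. Returns
    a list of strings; an empty list means the policy passes."""
    findings = []
    granted = granted_actions(policy)
    for s in policy["Statement"]:
        if "*" in _as_list(s["Resource"]):
            findings.append(f"{s.get('Sid', '<no Sid>')}: Resource is '*'")
    for a in granted:
        if "*" in a:
            findings.append(f"wildcard action {a}")
        elif a not in required_actions:
            findings.append(f"unneeded action {a}")
    for r in sorted(required_actions):
        if not any(fnmatch.fnmatchcase(r.lower(), g.lower()) for g in granted):
            findings.append(f"missing action {r}")
    return findings


if __name__ == "__main__":
    policy = lambda_execution_policy("image-uploads", "image-metadata", "us-east-1", "123456789012")
    print(json.dumps(policy, indent=2))
    print("reference findings:", lint(policy, REQUIRED_ACTIONS))
    print("overbroad findings:", lint(OVERBROAD_MISTAKE, REQUIRED_ACTIONS))
    narrowed = lambda_execution_policy("image-uploads", "image-metadata", "us-east-1", "123456789012",
                                       function_name="image-processor")  # assumed function name
    print("narrowed logs resource:", narrowed["Statement"][2]["Resource"])
```

The lint deliberately treats a service wildcard as a finding even when it technically covers every required action, because "covers what we need" is not the same as "grants only what we need".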

Scenario 5: Permission Boundary

Permission Boundary for Delegated Role Creation

A team lead can create IAM roles for their team members. You need to ensure that any role the team lead creates can never have more than S3 and DynamoDB permissions — even if the team lead attaches AdministratorAccess. Write the permission boundary policy that limits the maximum possible permissions.

  • Permission boundaries define the maximum permissions an identity-based policy can grant; a boundary never grants anything on its own
  • This boundary should allow all S3 actions (s3:*) and all DynamoDB actions (dynamodb:*) only
  • Even if a role has AdministratorAccess, the permission boundary will restrict effective permissions to the intersection of the identity-based policies and the boundary
  • Resource should be * for both services since the boundary applies to actions regardless of specific resources
  • A boundary is only a guardrail if it is mandatory. Attaching it to roles the team lead happens to create is not enough: the team lead's own identity-based policy must allow iam:CreateRole (and attaching or putting policies on those roles) only when the iam:PermissionsBoundary condition key equals this boundary's ARN, and must deny removing the boundary from the roles or editing the boundary policy. That enforcement policy is separate from the boundary you write here

Write your IAM policy in JSON below. The policy must be a valid JSON object.
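A reference boundary, the intersection it enforces, and the team-lead policy that makes the boundary mandatory. This is an added example, not the lesson's own solution; the account ID 123456789012, the boundary policy name TeamS3DynamoBoundary and the role path team/ are assumptions. The intersection check ignores resources because both policies being intersected use Resource *:

```python
"""Scenario 5: permission boundary, the intersection it enforces, and the team-lead
policy that makes it mandatory (added example)."""
import fnmatch
import json

ACCOUNT = "123456789012"  # assumed account ID
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/TeamS3DynamoBoundary"  # assumed policy name

# Reference boundary. It never grants anything by itself; it caps what the
# role's identity-based policies can grant.
TEAM_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3AndDynamoDBCeiling", "Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}
    ],
}

# Same single statement as the AWS-managed AdministratorAccess policy.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A narrower identity policy, constructed to show that the boundary never
# grants: dynamodb:PutItem is inside the boundary but not in this policy.
S3_GET_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}

# What the team lead's own policy needs so that the boundary is not optional
# (assumed role path "team/"): creating roles, attaching or putting policies on
# them, and setting a boundary succeed only when the boundary is this one; the
# boundary can be neither detached from those roles nor edited.
TEAM_LEAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageTeamRolesOnlyWithBoundary",
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PutRolePermissionsBoundary"],
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/team/*",
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
        {
            "Sid": "BoundaryCannotBeRemoved",
            "Effect": "Deny",
            "Action": "iam:DeleteRolePermissionsBoundary",
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/team/*",
        },
        {
            "Sid": "BoundaryCannotBeEdited",
            "Effect": "Deny",
            "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
            "Resource": BOUNDARY_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policy, action):
    """Action-level decision for one policy: 'Deny' if a matching statement
    denies, 'Allow' if one allows, else None. Resources are ignored because
    the two policies being intersected both use Resource "*"."""
    result = None
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def effective_allow(identity_policy, boundary, action):
    """Effective permission = identity-based policies ∩ boundary. Either side
    denying or not allowing means no access; the boundary alone grants nothing."""
    return _allows(identity_policy, action) == "Allow" and _allows(boundary, action) == "Allow"


if __name__ == "__main__":
    print(json.dumps(TEAM_BOUNDARY, indent=2))
    for action in ("s3:GetObject", "dynamodb:PutItem", "iam:CreateUser", "ec2:RunInstances"):
        print(f"{action:18} admin+boundary={effective_allow(ADMINISTRATOR_ACCESS, TEAM_BOUNDARY, action)!s:5} "
              f"s3-get-only+boundary={effective_allow(S3_GET_ONLY, TEAM_BOUNDARY, action)}")
    print(json.dumps(TEAM_LEAD_POLICY, indent=2))
```

The second printed policy is the part the scenario text does not ask for but an assessor will: without the iam:PermissionsBoundary condition on the team lead's side, nothing stops them from creating a role with no boundary at all.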

After you finish

Review your solutions against the references. Pay attention to these common mistakes:

  • Missing the second S3 resource ARN. s3:ListBucket operates on the bucket (arn:aws:s3:::bucket-name), while s3:GetObject operates on the objects inside (arn:aws:s3:::bucket-name/*). Forgetting one of the two ARNs is the most common S3 policy error.
  • Overly broad resources. Using "Resource": "*" when you could scope to a specific bucket, table, or log group. Least privilege applies to resources, not just actions.
  • Missing conditions. Cross-account assume-role policies should require MFA. Forgetting the condition weakens the control even if the Principal is correctly scoped.
  • Confusing allow and deny in SCPs. The CloudTrail SCP is a deny policy. If you wrote it as an allow policy, you misunderstood the purpose — deny SCPs are preventive controls that cannot be overridden.
  • Writing the boundary but not enforcing it. A permission boundary caps only the roles it is attached to. Unless the team lead's own policy conditions iam:CreateRole and policy attachment on the iam:PermissionsBoundary key, they can create roles without the boundary and the guardrail never applies.

Each correctly written policy maps directly to a control you would document in a SOC 2 or ISO 27001 assessment. The S3 read-only policy demonstrates least privilege (CC6.3). The cross-account trust policy demonstrates access control and MFA enforcement (CC6.1, CC6.3). The SCP demonstrates preventive controls for audit log integrity (CC7.2). The Lambda role demonstrates least privilege for machine identities. The permission boundary demonstrates delegated administration with guardrails.

Write IAM Policies for Real-World Scenarios — UprootSecurity Bootcamp