
Answer-first summary for fast verification
Answer: Role, Group
## Explanation

This is an **identity-based policy** in IAM. Identity-based policies are attached to IAM identities (users, groups, or roles) to define what actions they can perform on which resources.

### Key Points:

1. **Identity-based policies** can be attached to:
   - **IAM Users** (individual users)
   - **IAM Groups** (collections of users)
   - **IAM Roles** (entities that can be assumed by users, applications, or AWS services)

2. The policy shown grants permissions for SSM (Systems Manager) actions:
   - `ssm:ListDocuments` - List SSM documents
   - `ssm:GetDocument` - Get SSM document content
   - Resource: `*` (all resources)

3. **Why A (Role) and B (Group) are correct:**
   - **Roles (A)** - Identity-based policies can be attached to IAM roles. Roles are used to grant permissions to AWS services, applications, or federated users.
   - **Groups (B)** - Identity-based policies can be attached to IAM groups. Groups are collections of users that share the same permissions.

4. **Why other options are incorrect:**
   - **C (Organization)** - AWS Organizations uses **service control policies (SCPs)**, not identity-based policies. SCPs are attached to organizational units (OUs) or accounts, not to individual IAM identities.
   - **D (Amazon ECS resource)** - Resources like ECS tasks or services don't have identity-based policies attached directly. Instead, they use IAM roles (task execution roles or task roles) that have policies attached.
   - **E (Amazon EC2 resource)** - EC2 instances don't have identity-based policies attached directly. Instead, they use IAM instance profiles that contain IAM roles with attached policies.

### Important Distinction:

- **Identity-based policies** → Attached to IAM identities (Users, Groups, Roles)
- **Resource-based policies** → Attached to AWS resources (like S3 buckets, SQS queues)
- **Service control policies (SCPs)** → Used in AWS Organizations to set permission boundaries

This policy can be attached to IAM roles and groups, making options A and B the correct answers.
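The distinction above can be checked mechanically before a policy is attached. The following is an added example, not part of the original question: it relies on the fact that resource-based policies name a `Principal` while identity-based policies must not, and it also lists `Allow` actions granted on `Resource: "*"` for least-privilege review. The function names, the bucket name and the account ID are assumptions made for illustration, and the check is a heuristic, since an SCP document also has no `Principal`.

```python
import json

# The policy from the question, embedded so the example runs offline.
QUESTION_POLICY = json.loads("""
{
  "Statement": [
    {"Action": ["ssm:ListDocuments", "ssm:GetDocument"],
     "Effect": "Allow", "Resource": "*", "Sid": ""}
  ],
  "Version": "2012-10-17"
}
""")

# Constructed resource-based policy (bucket name and account ID are placeholders).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    },
}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def classify(policy):
    """Return (policy_kind, attach_targets, wildcard_actions) for a policy dict."""
    statements = as_list(policy["Statement"])
    with_principal = [s for s in statements if "Principal" in s or "NotPrincipal" in s]
    if with_principal and len(with_principal) != len(statements):
        raise ValueError("mixed statements: some name a principal, some do not")
    if with_principal:
        kind, targets = "resource-based", ["resource"]
    else:
        kind, targets = "identity-based", ["user", "group", "role"]
    # Allow statements whose Resource is exactly "*": check whether each
    # action can be scoped to specific ARNs instead.
    wildcard = sorted(
        action
        for s in statements
        if s.get("Effect") == "Allow" and "*" in as_list(s.get("Resource", []))
        for action in as_list(s.get("Action", []))
    )
    return kind, targets, wildcard
```

Calling `classify(QUESTION_POLICY)` reports an identity-based policy with both SSM actions granted on all resources, while `classify(BUCKET_POLICY)` reports a resource-based policy with no wildcard grants.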
Author: LeetQuiz Editorial Team
A solutions architect wants to use the following JSON text as an identity-based policy to grant specific permissions:
```json
{
  "Statement": [
    {
      "Action": [
        "ssm:ListDocuments",
        "ssm:GetDocument"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
```
Which IAM principals can the solutions architect attach this policy to? (Choose two.)
- A. Role
- B. Group