AWS Certified Solutions Architect - Associate

Explanation

This is an identity-based policy in IAM. Identity-based policies are attached to IAM identities (users, groups, or roles) to define what actions they can perform on which resources.

Key Points:

1. Identity-based policies can be attached to:

   • IAM Users (individual users)
   • IAM Groups (collections of users)
   • IAM Roles (entities that can be assumed by users, applications, or AWS services)

2. The policy shown grants permissions for SSM (Systems Manager) actions:

   • ssm:ListDocuments - List SSM documents
   • ssm:GetDocument - Get SSM document content
   • Resource: * (all resources)

3. Why A (Role) and B (Group) are correct:

   • Roles (A) - Identity-based policies can be attached to IAM roles. Roles are used to grant permissions to AWS services, applications, or federated users.
   • Groups (B) - Identity-based policies can be attached to IAM groups. Groups are collections of users that share the same permissions.

4. Why other options are incorrect:

   • C (Organization) - AWS Organizations uses service control policies (SCPs), not identity-based policies. SCPs are attached to organizational units (OUs) or accounts, not to individual IAM identities.
   • D (Amazon ECS resource) - Resources like ECS tasks or services don't have identity-based policies attached directly. Instead, they use IAM roles (task execution roles or task roles) that have policies attached.
   • E (Amazon EC2 resource) - EC2 instances don't have identity-based policies attached directly. Instead, they use IAM instance profiles that contain IAM roles with attached policies.

Important Distinction:

• Identity-based policies → Attached to IAM identities (Users, Groups, Roles)
• Resource-based policies → Attached to AWS resources (like S3 buckets, SQS queues)
• Service control policies (SCPs) → Used in AWS Organizations to set permission boundaries

This policy can be attached to IAM roles and groups, making options A and B the correct answers.