Question #731
A developer needs to create and delete tags for repositories in AWS CodeCommit. The current IAM policy for the user is:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:GetRepository",
        "codecommit:ListRepositories",
        "codecommit:GitPull"
      ],
      "Resource": "*"
    }
  ]
}
```
Which specific IAM permissions must be added, following the principle of least privilege?
A. "codecommit:TagResource", "codecommit:UntagResource"
B. "codecommit:Put*"
C. "codecommit:UpdateRepository"
D. "codecommit:*"
Explanation
Answer A is correct because:
- codecommit:TagResource and codecommit:UntagResource are the precise actions required to create and delete tags for AWS CodeCommit repositories.
- The principle of least privilege mandates granting only the minimum permissions necessary. Options B, C, and D violate this principle:
- B (codecommit:Put*) grants overly broad permissions (e.g., PutRepository, PutFile) beyond tagging.
- C (codecommit:UpdateRepository) allows modifying repository settings, unrelated to tagging.
- D (codecommit:*) provides full access to all CodeCommit actions, which is excessive.
Key Points:
- AWS CodeCommit uses separate actions for tagging (TagResource/UntagResource).
- Least privilege requires avoiding wildcards (*) or overly broad actions unless explicitly needed.
Answer
The correct answer is: A
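The least-privilege reasoning above can be checked mechanically: expand each option's action patterns the way IAM does (case-insensitive, with `*` wildcards) against the action namespace, then compare the result with the two actions the task actually needs. The following script is an added example, not part of the original question or of any AWS tooling; `KNOWN_CODECOMMIT_ACTIONS` is a constructed, illustrative subset of the real CodeCommit action list, and `add_statement` is a hypothetical helper that appends the chosen actions to the policy shown in the question as a separate statement.

```python
import fnmatch
import json

# Constructed, illustrative subset of the CodeCommit action namespace (assumption:
# the real list is longer, but this is enough to show how wildcards expand).
KNOWN_CODECOMMIT_ACTIONS = {
    "codecommit:GetRepository",
    "codecommit:ListRepositories",
    "codecommit:GitPull",
    "codecommit:GitPush",
    "codecommit:TagResource",
    "codecommit:UntagResource",
    "codecommit:ListTagsForResource",
    "codecommit:PutFile",
    "codecommit:PutRepositoryTriggers",
    "codecommit:CreateRepository",
    "codecommit:DeleteRepository",
}

# What the task actually needs: create and delete repository tags.
REQUIRED_ACTIONS = {"codecommit:TagResource", "codecommit:UntagResource"}

# The four answer options, as the action patterns each would add to the policy.
OPTIONS = {
    "A": ["codecommit:TagResource", "codecommit:UntagResource"],
    "B": ["codecommit:Put*"],
    "C": ["codecommit:UpdateRepository"],
    "D": ["codecommit:*"],
}

# The user's current policy, copied from the question.
EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["codecommit:GetRepository", "codecommit:ListRepositories", "codecommit:GitPull"],
        "Resource": "*",
    }],
})


def expand_actions(patterns, known=KNOWN_CODECOMMIT_ACTIONS):
    """Expand IAM action patterns to the concrete actions they match.

    IAM action matching is case-insensitive and supports '*' and '?' wildcards;
    fnmatchcase implements the same two wildcards, so compare lowercased strings.
    """
    matched = set()
    for pattern in patterns:
        for action in known:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                matched.add(action)
    return matched


def evaluate_option(patterns):
    """Report whether an option covers the required actions and what extra it grants."""
    granted = expand_actions(patterns)
    missing = REQUIRED_ACTIONS - granted
    excess = granted - REQUIRED_ACTIONS
    return {
        "covers_required": not missing,
        "excess": sorted(excess),
        "least_privilege": not missing and not excess,
    }


def add_statement(policy_json, actions, resource="*"):
    """Return the policy with a new Allow statement for the given actions.

    Keeping the addition in its own statement makes later review easier than
    widening the existing one; `resource` can be narrowed from "*" to specific
    repository ARNs if the developer only tags a known set of repositories.
    """
    policy = json.loads(policy_json)
    policy["Statement"].append(
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
    )
    return policy


if __name__ == "__main__":
    for name, patterns in OPTIONS.items():
        print(name, evaluate_option(patterns))
    print(json.dumps(add_statement(EXISTING_POLICY, OPTIONS["A"]), indent=2))
```

Running it shows why only A satisfies both halves of the least-privilege test: B's `Put*` wildcard grants file and trigger actions yet still does not match `TagResource`, C grants nothing relevant to tagging, and D covers the requirement only by granting every action in the namespace.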