Advanced IAM Flashcards

1
Q

IAM authorization model

Explicit Deny vs Allow

A

The decision starts at Deny, then all applicable policies are evaluated.

If an explicit Deny exists, the final decision is always Deny.

If no explicit Deny exists and an Allow exists, the decision is ALLOW.

IF NEITHER AN EXPLICIT DENY NOR AN ALLOW EXISTS, THE DECISION IS DENY (implicit deny).

2
Q

IAM policy VS S3 Bucket Policy

What is evaluated?
What if they differ?

A

IAM policy: attached to a User, Role or Group
Bucket policy: attached only to the bucket

Both define what users can do.

EVALUATION IS THE COMBINATION OF BOTH
IAM policy plus bucket policy together form the total policy that is evaluated.

  • Any Deny in either policy carries over (explicit Deny wins)
  • Any Allow in either policy, with no explicit Deny, results in Allow

See the advanced IAM authorization model card.

3
Q

DYNAMIC policies

How do you assign per-user policies, and how do you scale that?

What is the special mechanism that lets it scale?

A

Example: each user has a folder in an S3 bucket and needs access only to their own path under
/home/

You don't want to create a separate IAM policy for each user.

Solution:
Create a DYNAMIC IAM POLICY
POLICY VARIABLE: ${aws:username}

In the policy, the variable is replaced by the caller's username at evaluation time:
Action: S3 actions
Effect: Allow
Resource: arn:aws:s3:::company/home/${aws:username}/*

One policy therefore covers every user, since each user's own name is substituted into the variable.

4
Q

INLINE vs MANAGED POLICIES

AWS managed
Customer managed
Inline: what does it apply to?

A

AWS MANAGED POLICY:

  • maintained by AWS
  • good for admins and power users
  • updated as new services are released

CUSTOMER MANAGED POLICY:
BEST PRACTICE: reusable, can be applied to many principals
version controlled, can be rolled back, central place to manage changes

INLINE POLICY:
EACH PRINCIPAL CAN HAVE ITS OWN SPECIFIC POLICY ATTACHED INLINE
No version control, no roll-back
The policy is deleted together with the principal
