AuthZ AuthN Flashcards
What is required of all AWS IAM or Resource policies?
- Effect is required and must be Allow or Deny
- Action (or NotAction) is required, written as service-prefix:Action, e.g. s3:GetObject; the wildcard * is accepted on its own or inside the action name (s3:Get*)
- Resource (or NotResource) is required in identity-based policies and must be an ARN or the * wildcard; in resource-based policies some services let it be omitted, in which case the resource is the one the policy is attached to
- Version is not strictly required but should always be "2012-10-17"; without it, policy variables such as ${aws:username} are treated as literal text
IAM Policies
Identity-based IAM policies are attached to users, groups or roles, giving centralized control over which AWS resources the identities in your AWS account may access. An identity-based policy can grant permissions only to identities in your own AWS account; access for another account requires a resource-based policy or a role the other account can assume.
Identity-based IAM policies have no Principal element.
IAM Permission Boundary
A permissions boundary uses a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. The entity can perform only the actions that are allowed by both its identity-based policies and its permissions boundary; the boundary itself grants nothing.
A permissions boundary can be applied only to IAM users and roles, not to IAM groups.
Identity Policy vs Resource Policies
Identity policies have no Principal element because the principal is implied: it is the user, group or role the policy is attached to. Resource policies are attached to the resource itself, so they must name the principal (account, user, role, service or *) that is being allowed or denied.
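The structural rules from the two cards above (required elements, action and ARN form, Principal only in resource-based policies) as an added validator in Python. This is example code written for these flashcards, not AWS code or an AWS SDK API; the sample policies and the account ID and bucket names in them are constructed, and the checks are the rules on the cards rather than the full IAM grammar (Condition blocks, for instance, are not validated).

```python
"""Structural checks for IAM policy documents.

Added example, not AWS code. It encodes the flashcard rules: Effect is Allow or
Deny, Action/NotAction uses the service-prefix:Action form, Resource/NotResource
is an ARN or "*", identity-based policies carry no Principal because the
principal is whatever the policy is attached to, and resource-based policies
must name one. The sample policies at the bottom are constructed.
"""
import re

# service-prefix:Action, with * allowed on its own or inside the action name
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*?]+)$")
# arn:partition:service:region:account:resource (region/account may be empty) or *
ARN_RE = re.compile(r"^(\*|arn:[^:]+:[^:]*:[^:]*:[^:]*:.+)$")


def _as_list(value):
    """IAM lets most elements be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def validate_policy(policy, kind):
    """Return a list of problems found; an empty list means the policy passes.

    kind is "identity" (attached to a user, group or role) or "resource"
    (attached to the resource itself, e.g. an S3 bucket policy).
    """
    problems = []
    if policy.get("Version") != "2012-10-17":
        # Not strictly required, but without it policy variables such as
        # ${aws:username} are treated as literal text.
        problems.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f"{where}: exactly one of Action or NotAction is required")
        for act in _as_list(stmt.get("Action", stmt.get("NotAction", []))):
            if not ACTION_RE.match(act):
                problems.append(f"{where}: action {act!r} is not service-prefix:Action")
        has_resource = "Resource" in stmt or "NotResource" in stmt
        if kind == "identity" and not has_resource:
            problems.append(f"{where}: identity-based policies must specify Resource or NotResource")
        for res in _as_list(stmt.get("Resource", stmt.get("NotResource", []))):
            if not ARN_RE.match(res):
                problems.append(f"{where}: resource {res!r} is not an ARN or *")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if kind == "identity" and has_principal:
            problems.append(f"{where}: identity-based policies must not have a Principal")
        if kind == "resource" and not has_principal:
            problems.append(f"{where}: resource-based policies must specify a Principal")
    return problems


# Constructed sample policies for illustration (account ID and bucket are made up).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

BROKEN_POLICY = {
    "Statement": {
        "Effect": "allow",          # wrong case
        "Action": "GetObject",      # missing service prefix
        "Principal": {"AWS": "*"},  # not allowed in an identity-based policy
    },
}


def run_samples():
    """Validate the constructed samples and return the number of problems in each."""
    return {
        "identity_ok": len(validate_policy(IDENTITY_POLICY, "identity")),
        "bucket_ok": len(validate_policy(BUCKET_POLICY, "resource")),
        "bucket_as_identity": len(validate_policy(BUCKET_POLICY, "identity")),
        "broken": len(validate_policy(BROKEN_POLICY, "identity")),
    }


if __name__ == "__main__":
    for name, count in run_samples().items():
        print(f"{name}: {count} problem(s)")
    for problem in validate_policy(BROKEN_POLICY, "identity"):
        print("  -", problem)
```

Running the script reports the bucket policy as valid when checked as a resource policy and as invalid when checked as an identity policy, purely because of its Principal element; the broken sample fails on Version, Effect case, action form, the missing Resource and the stray Principal.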
SCP, what must be enabled to use?
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren’t available if your organization has enabled only the consolidated billing features.
SCP Limitation
SCPs alone are not sufficient for granting permissions to the accounts in your organization. No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account's administrator can delegate to the IAM users and roles in the affected accounts; an action must still be allowed by an identity-based or resource-based policy inside the account. SCPs do not affect the management account itself.
AWS Single Sign-On (AWS SSO), renamed AWS IAM Identity Center in 2022
You create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization. You can choose to manage access just to your AWS accounts, just to cloud applications, or to both.
Unified administration experience to define, customize and assign fine-grained access
AWS SSO Features
Create user identities directly in AWS SSO, or bring them from your Microsoft Active Directory or a standards-based (SAML 2.0) identity provider
user portal to access assigned AWS accounts or cloud applications for users
Integrated with AWS Organizations
Manage SSO access for multiple AWS accounts
Audit SSO activity
MFA
SAML integration
Enable SSO access to your Amazon EC2 Windows instances
ABAC (attribute-based access control: user attributes from the identity source are passed as session tags and matched in policy conditions)
AWS Directory Service
AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (AD)
A managed service that provides directories containing information about your organization, including users, groups, computers and other resources
directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail
data replication and automated daily snapshots are configured
service-linked role
a unique type of IAM role that is linked directly to an AWS service
predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf
SCPs do not affect service-linked roles; this is what lets AWS services integrate with AWS Organizations even in restricted accounts. Their permissions policy is owned by the service and cannot be edited by you.
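How the permissions boundary, SCP and service-linked role cards fit together is easiest to see in a small evaluator. The code below is an added example written for these flashcards, not AWS code and not the real IAM evaluation engine: it models a same-account request by an IAM principal against identity policies, an optional permissions boundary and an effective SCP, with explicit Deny winning in every layer, an Allow in the SCP or boundary alone granting nothing, and the SCP skipped for a service-linked role. Resource-based policies, Condition blocks and the per-OU-level SCP evaluation are deliberately left out, and every policy, bucket and action below is a constructed sample.

```python
"""Simplified IAM request evaluation: identity policies, permissions boundary, SCP.

Added example, not AWS code. It models the rules on these cards: an SCP and a
permissions boundary grant nothing by themselves and only cap what the identity
policy can allow, an explicit Deny in any layer wins, and SCPs do not apply to
service-linked roles. Resource-based policies, Condition blocks and cross-account
access are deliberately left out. All policies below are constructed samples.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, case_insensitive):
    """IAM wildcard match: action names are case-insensitive, ARNs are not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def statement_decision(stmt, action, resource):
    """Return "Allow", "Deny" or None (statement does not apply) for one statement."""
    if "NotAction" in stmt:
        action_hit = not any(_glob(p, action, True) for p in _as_list(stmt["NotAction"]))
    else:
        action_hit = any(_glob(p, action, True) for p in _as_list(stmt.get("Action", [])))
    if "NotResource" in stmt:
        resource_hit = not any(_glob(p, resource, False) for p in _as_list(stmt["NotResource"]))
    else:
        # Some resource-based policies omit Resource; an absent element is treated as "*".
        resource_hit = any(_glob(p, resource, False) for p in _as_list(stmt.get("Resource", "*")))
    return stmt["Effect"] if action_hit and resource_hit else None


def policy_decision(policy, action, resource):
    """Deny beats Allow within a policy; no matching statement is an implicit deny (None)."""
    decisions = {statement_decision(s, action, resource) for s in _as_list(policy["Statement"])}
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else None


def evaluate(action, resource, identity_policies, boundary=None, scp=None, service_linked_role=False):
    """Return (decision, reason) for a same-account request by an IAM principal.

    identity_policies: every policy attached to the user/role and its groups (a union).
    boundary: the permissions boundary managed policy, if one is set.
    scp: the effective SCP for the account (in a real organization the action must be
         allowed by the SCPs at every level of the OU path; that is folded into one policy here).
    """
    layers = []
    if scp is not None and not service_linked_role:  # SCPs never apply to service-linked roles
        layers.append(("SCP", [scp]))
    if boundary is not None:
        layers.append(("permissions boundary", [boundary]))
    layers.append(("identity policy", identity_policies))

    # 1. An explicit Deny in any layer ends evaluation.
    for name, policies in layers:
        if any(policy_decision(p, action, resource) == "Deny" for p in policies):
            return "Deny", f"explicit deny in {name}"
    # 2. Every layer that is present must contain an Allow. A silent SCP or boundary is an
    #    implicit deny, and an Allow in the SCP or boundary grants nothing on its own.
    for name, policies in layers:
        if not any(policy_decision(p, action, resource) == "Allow" for p in policies):
            return "Deny", f"implicit deny: no Allow in {name}"
    return "Allow", "allowed by identity policy, within the permissions boundary and SCP"


# Constructed samples: a developer's identity policy, the team's boundary, the org's guardrail.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:RunInstances"], "Resource": "*"}]}

TEAM_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}

ORG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"}]}  # organization guardrail


def run_samples():
    """Evaluate five requests against the constructed policies."""
    return {
        "team_object": evaluate("s3:GetObject", "arn:aws:s3:::team-bucket/report.csv",
                                [DEVELOPER_POLICY], TEAM_BOUNDARY, ORG_SCP),
        "other_bucket": evaluate("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv",
                                 [DEVELOPER_POLICY], TEAM_BOUNDARY, ORG_SCP),
        "run_instances": evaluate("ec2:RunInstances", "*", [DEVELOPER_POLICY], TEAM_BOUNDARY, ORG_SCP),
        "slr_run_instances": evaluate("ec2:RunInstances", "*", [DEVELOPER_POLICY], None, ORG_SCP,
                                      service_linked_role=True),
        "scp_alone": evaluate("sts:GetCallerIdentity", "*", [DEVELOPER_POLICY], None, ORG_SCP),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_samples().items():
        print(f"{name:18} {decision:5} {reason}")
```

The five requests show each card in turn: the identity Allow on s3:* only works inside the boundary's team-bucket prefix, the identity Allow on ec2:RunInstances is overridden by the SCP's explicit Deny unless the caller is a service-linked role, and the SCP's blanket Allow does not make sts:GetCallerIdentity work because the identity policy never allows it.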