Policies & Permissions Flashcards

1
Q

What are Policies?

A

Policies are, in effect, permissions. They come in two forms: identity-based policies and resource-based policies.

  • In other words: a policy is a policy document, i.e. a JSON file, that grants or denies permissions
  • Identity-based policies are attached to users, groups or roles
  • Policy documents sit on top of users, groups and roles; a principal has no permissions until a policy grants them
2
Q

Policy language

A

Policy language

  1. Provides authorisation, not authentication (a policy is only evaluated once the caller has been authenticated)
  2. Has two parts:
    1. Specification: defining access policies
    2. Enforcement: evaluating access policies

Policy specification basics:
Four parts = PARC (Principal, Action, Resource, Condition)

  • A JSON document
  • Contains one or more statements (permissions); each statement specifies the Effect (Allow or Deny), which Actions a principal can perform, on which Resources, and optionally under which Conditions
3
Q

Policies Key Points - Contd.

A
  • Policies are written in the policy language (PARC = Principal, Action, Resource & Condition)
  • Policy actions are classified by access level as List, Read, Write, Permissions management, or Tagging
  • Policy documents >> Effect = a single word, Allow or Deny; Action = which API operation of which AWS service; Resource = the specific ARN. The ARN format varies slightly by service; the general form is arn:partition:service:region:account-id:resource (e.g. arn:aws:s3:::example-bucket, where S3 leaves the region and account fields empty)
  • AWS offers a policy generator tool; self-written policies can be tested with the IAM policy simulator
  • API calls require access keys (an access key ID plus secret access key); access keys belong to an IAM user (or the root user), so they are managed per identity rather than per account
  • AWS only applies policies once the caller is authenticated; an explicit Deny always overrides an explicit Allow; never pass access keys to EC2 instances or store them on the instance (attach an IAM role to the instance instead); best practice is to delete the root user's access keys
4
Q

Policy Enforcement basics:

A
  • Policy enforcement: the AWS decision starts from an implicit deny, collects all applicable policies, evaluates them together, and an explicit Deny always wins over any Allow; with no matching Allow the request stays denied
5
Q

Types of IAM Policies & Other Policies that follow the PARC policy language

A
  • AWS Organizations (OUs): service control policies (SCPs), which set the maximum permissions for member accounts but never grant permissions on their own
  • AWS IAM: identity-based policies, either managed or inline (inline policies stay with the user, group or role they are embedded in)
  • AWS STS: session (scope-down) policies, passed in the AssumeRole call to narrow the assumed role's permissions to least privilege (AWS finds that customers typically write broad roles and then use STS to scope them down)
  • AWS service-specific: resource-based policies are inline only, not managed, and are supported by only some services (e.g. Amazon S3 bucket policies, SQS queue policies, Glacier vault policies); cross-account access is controlled either from the resource side (resource policy) or via roles
6
Q

Resource-based policies (Inline Only)

A
  • Resource-based policies differ from resource-level permissions. You can attach resource-based policies directly to a resource, as described in this topic. Resource-level permissions refer to the ability to use ARNs to specify individual resources in a policy. Resource-based policies are supported only by some AWS services. For a list of which services support resource-based policies and resource-level permissions
    • The following services support resource-based policies for the specified resources: Amazon Simple Storage Service (S3) buckets, Amazon Glacier vaults, Amazon Simple Notification Service (SNS) topics, and Amazon Simple Queue Service (SQS) queues
7
Q

Identity-based policies - Managed Policies or Inline Policies ?

A

Choosing Between Managed Policies and Inline Policies

  • The different types of policies are for different use cases. In most cases, we recommend that you use managed policies instead of inline policies.
8
Q

Managed policies features?

A

Provide the following features:

  • Reusability
  • Central change management
  • Versioning and rolling back
  • Delegating permissions management
  • Automatic updates for AWS managed policies
9
Q

Managed policies: Reusability

A
  • A single managed policy can be attached to multiple principal entities (users, groups, and roles). In effect, you can create a library of policies that define permissions that are useful for your AWS account, and then attach these policies to principal entities as needed.
10
Q

Managed policies: Central change management

A

When you change a managed policy, the change is applied to all principal entities that the policy is attached to.
E.g: if you want to add permission for a new AWS API, you can update the managed policy to add the permission.

(If you’re using an AWS managed policy, AWS makes the updates to the policy.)

When the policy is updated, the changes are applied to all principal entities that the policy is attached to. In contrast, to change an inline policy you must individually edit each principal entity that contains the policy. For example, if a group and a role both contain the same inline policy, you must individually edit both principal entities in order to change that policy

11
Q

Managed policies: Versioning and rolling back

A

When you change a customer managed policy, the changed policy doesn’t overwrite the existing policy. Instead, IAM creates a new version of the managed policy. IAM stores up to five versions of your customer managed policies. You can use policy versions to revert a policy to an earlier version if you need to.

A policy version is different from a Version policy element. The Version policy element is used within a policy and defines the version of the policy language. To learn more about policy versions, see Versioning IAM Policies.

12
Q

Managed policies: Delegating permissions management

A
  • You can allow users in your AWS account to attach and detach policies while maintaining control over the permissions defined in those policies. In effect, you can designate some users as full administrators—that is, administrators that can create, update, and delete policies. You can then designate other users as limited administrators. That is, administrators that can attach policies to other principal entities, but only the policies that you have allowed them to attach.
13
Q

Managed policies: Automatic updates for AWS managed policies

A

AWS maintains AWS managed policies and updates them when necessary (for example, to add permissions for new AWS services), without you having to make changes. The updates are automatically applied to the principal entities that you have attached the AWS managed policy to.

14
Q

Inline Policies

A
  • An inline policy is a policy that’s embedded in a principal entity (a user, group, or role)—that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.

Using Inline Policies

  • Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the principal entity that it’s applied to. For example, you want to be sure that the permissions in a policy are not inadvertently assigned to a principal entity other than the one they’re intended for.
  • When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong principal entity. In addition, when you use the AWS Management Console to delete that principal entity, the policies embedded in the principal entity are deleted as well. That’s because they are part of the principal entity.
15
Q

AWS Policy Permissions Enforcements Overview
For the Same Account

A

Provided there is an Allow at every SCP level (from the organisation root OU down to the account), the effective permissions are:

UNION OF >> identity-based policies (managed & inline) and resource-based policies of the AWS service
+
INTERSECTED WITH >> the service control policies (SCPs), which only bound what the account may do
+
INTERSECTED WITH >> the AWS STS session (scope-down) policy, if one was passed at AssumeRole

and an explicit Deny in any of these wins over every Allow.

16
Q

AWS Policy Permissions Enforcements Overview
For Cross Accounts

A

Provided there is an Allow at every SCP level, the effective permissions are:

UNION OF >> the caller's identity-based policies (managed & inline) in the calling account
+
INTERSECTION OF >> the SCPs of both accounts and any AWS STS session (scope-down) policy
+
INTERSECTION OF >> the resource-based policy in the resource's account, which must explicitly Allow the other account's principal (alternatively the caller assumes a role in the resource's account and uses that role's permissions)

* - When the policy is attached to a resource we add a Principal element naming who is allowed.

17
Q

POLICY TOOLS and VISUAL EDITOR
(CREATE, TEST, CORRECT)

A
  • Summary of services and access levels
  • Access levels for actions >>
    • List
    • Read
    • Write
    • Permissions management
    • Tagging
  • Show remaining services and actions
  • Identify and correct errors in policies
18
Q

Policy Tags

A

A tag condition in a policy has four parts:

  • Condition operator = a string operator (e.g. StringEquals)
  • Key = aws:ResourceTag/tag-key (a tag already on the resource) or aws:RequestTag/tag-key (a tag passed in the request); the two are different condition keys
  • Tag key = the tag's name
  • Value = the tag value to compare against

Tags are custom metadata for your resources (key/value pairs), used to organise resources and to control access to them.

  • Resource tag = tag already on an existing resource
  • Request tag = tag supplied in a new (create or tag) request

With tag conditions you can:

  • Control how users tag resources
  • Control which tag keys and values users can create
  • Control which resources users can tag
  • Control access to resources based on their tags
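To make the evaluation order on cards 4, 15 and 16 concrete, and to show a resource-tag condition of the kind card 18 describes, here is a small policy evaluator written for this page. It is an added example, not AWS's own evaluation engine and not code from the original flashcards; the function names (evaluate, request), the principal alice, the account IDs and the policies are constructed for illustration. It models the rules as the cards state them: default deny, any explicit Deny wins, SCPs and the STS session policy only bound (intersection), identity-based and resource-based policies are unioned within one account, and a cross-account caller needs an Allow naming it in the resource policy.

```python
"""Toy model of the IAM evaluation order described on the cards above.

Added example, not AWS code. Only Effect/Principal/Action/Resource and
StringEquals conditions are modelled; NotAction, NotResource, policy
variables and the other condition operators are not.
"""
import fnmatch


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(stmt, principal_arn):
    if "Principal" not in stmt:          # identity policy: principal is implicit
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS"))
    return any(p == "*" or p == principal_arn for p in allowed)


def _conditions_hold(stmt, context):
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _decision(policy, principal, action, resource, context):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy."""
    result = None
    for stmt in _as_list(policy.get("Statement")):
        if not any(_wild(a.lower(), action.lower()) for a in _as_list(stmt.get("Action"))):
            continue                      # action names are case-insensitive
        if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _principal_matches(stmt, principal) or not _conditions_hold(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                 # explicit deny short-circuits this policy
        result = "Allow"
    return result


def evaluate(request, identity_policies=(), resource_policy=None, scps=(), session_policy=None):
    """Final Allow/Deny for a request dict (principal, account, action, resource,
    resource_account, context) across the policy types involved."""
    args = (request["principal"], request["action"], request["resource"], request.get("context", {}))
    groups = {"scp": list(scps), "identity": list(identity_policies),
              "resource": [resource_policy] if resource_policy else [],
              "session": [session_policy] if session_policy else []}
    decisions = {name: [_decision(pol, *args) for pol in pols] for name, pols in groups.items()}
    if any("Deny" in d for d in decisions.values()):
        return "Deny"                     # 1. an explicit Deny anywhere wins
    if groups["scp"] and not all(d == "Allow" for d in decisions["scp"]):
        return "Deny"                     # 2. every SCP in the OU chain must Allow
    if groups["session"] and decisions["session"] != ["Allow"]:
        return "Deny"                     #    so must the session (scope-down) policy
    same_account = request["account"] == request["resource_account"]
    if "Allow" in decisions["resource"] or (same_account and "Allow" in decisions["identity"]):
        return "Allow"                    # 3. a grant from the resource side or (same account) identity side
    return "Deny"                         # 4. implicit deny


# Constructed sample principal, policies and requests (not from any real account).
ALICE = "arn:aws:iam::111122223333:user/alice"
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Team": "blue"}}},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
SCP_S3_ONLY = {"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
SESSION_READ_ONLY = {"Statement": {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}}
BUCKET_POLICY = {"Statement": {"Effect": "Allow", "Principal": {"AWS": ALICE},
                               "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}}


def request(action, resource, resource_account="111122223333", context=None):
    return {"principal": ALICE, "account": "111122223333", "action": action,
            "resource": resource, "resource_account": resource_account, "context": context or {}}


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate(request("s3:PutObject", obj), identity_policies=[IDENTITY]))                  # Allow
    print(evaluate(request("s3:PutObject", obj), [IDENTITY], session_policy=SESSION_READ_ONLY))   # Deny
    print(evaluate(request("s3:PutObject", obj, "999988887777"), [IDENTITY], BUCKET_POLICY))      # Allow
```

Run as a script it prints the three decisions in the comments. The instructive cases are the ones where an Allow is present but the request still fails: the bucket policy's s3:* cannot rescue s3:DeleteObject because the identity policy carries an explicit Deny, an SCP that only mentions s3:* silently removes ec2:StopInstances without any Deny being written, and the same identity policy that allows s3:PutObject at home does nothing cross-account until the bucket policy names alice.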
19
Q

Attaching Policy to a resource ‘directly’

A
  • In some cases you can attach a policy to a resource in addition to attaching it to a user or group. For example, in Amazon S3, you can attach a policy to a bucket.
  • A resource-based policy contains slightly different information than a user-based policy.
  • In a resource-based policy you specify what actions are permitted and what resource is affected (just like a user-based policy).
    • However, you also explicitly list who is allowed access to the resource. (In a user-based policy, the “who” is established by whomever the policy is attached to.)
20
Q

AWS Configure
(Using temporary STS credentials with the CLI)

A

The interactive aws configure command does not prompt for the session token that temporary credentials require, so it cannot capture a complete STS credential set on its own. You can set the token explicitly with aws configure set aws_session_token <token>, or write it into the credentials file by hand, but because these credentials expire after a relatively short time it is easiest to add them to the environment of your current command-line session as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

21
Q

Policy Examples:

(S3 bucket policy that allows an IAM user named bob in AWS account 777788889999 to put objects into the bucket called example-bucket)

A

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::777788889999:user/bob"},
    "Action": ["s3:PutObject", "s3:PutObjectAcl"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }
}

Vs

The following example shows an identity-based policy. It has no Principal element, because the principal is whichever user, group or role the policy is attached to; it allows every DynamoDB action on the Books table in us-west-2 of account 123456789012.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "dynamodb:*",
    "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
  }
}