Policy 2 Flashcards

1
Q

Policy Rules

Order of rules for IAM overlapping policies?

A

Explicit deny wins over everything, then explicit allow, then implicit deny.

2
Q

Policy Rules

Order of Evaluations (7)?

A

Explicit Deny, SCPs, Resource policies, Permissions boundaries, Session policies, Identity policies, Implicit Deny.

3
Q

Policy Rules

Number one dumb mistake evaluating exam questions on Policies?

A

Missing a “Not” in an Action or Condition.

4
Q

Policy Rules

What’s the rule about explicit deny?

A

If explicitly denied, it overrides everything else. Denied.

5
Q

Policy Rules

What’s the rule about SCPs?

A

If it exists and doesn’t allow, then deny, else continue.

6
Q

Policy Rules

What happens if no SCP exists for an account in an Org?

A

Fall-thru, implicit allow, continue.

7
Q

Policy Rules

What’s the rule about Resource Policies?

A

If grants access then allow, else continue.

8
Q

Policy Rules

What’s the cool result of Resource ahead of session + ID policies?

A

A resource policy can grant a permission to any user/role even if that user/role’s own policies don’t allow it explicitly.

9
Q

Policy Rules

What’s the rule about Permission Boundaries?

A

If it exists and doesn’t allow then deny, else continue.

10
Q

Policy Rules

What’s the rule for Session Policies?

A

If it exists and doesn’t allow then deny, else continue.

11
Q

Policy Rules

What’s the rule for Identity Policies?

A

Last in line. Everything else gets a say first. If it allows, then allow, else implicit deny.

12
Q

Policy Rules

What if one account is accessing a resource in another account and both accounts have SCPs?

A

Only the SCP in the identity’s account matters: SCPs don’t apply to Resource Policies.

13
Q

Cross-Account Policy Rules

What about permissions across accounts?

A

Account A needs to allow the access. Account B’s resource policy has to allow it. “A lets it out, B lets it in.”

14
Q

Cross-Account Policy Rules

Cross-account Policy rules when target doesn’t have a Resource Policy?

A

N/A! Cross-account access only happens via Resource Policies.

15
Q

Rule Examples

Allow on resource policy, no permission on the identity policy?

A

Allow (resource policy comes before identity policy checks)

16
Q

Rule Examples

Resource policy explicitly allows, permission boundary doesn’t explicitly allow it?

A

Allow (resource policy before permission boundary, no explicit deny found)

17
Q

Rule Examples

Allowed on an SCP policy, not allowed on a permissions boundary?

A

Deny: an SCP can’t grant permissions, it can only deny.

18
Q

Rule Examples

Allow on permission boundary, not on resource policy?

A

Don’t know yet! Both fall-thru to lower levels!

19
Q

Rule Examples

Allow on permission boundary, not on session policy?

A

Deny - evaluation passes to the session policy, which doesn’t explicitly allow it.

20
Q

Rule Examples

Not in permission boundary, allowed on identity policy?

A

Deny - the permission boundary stops it before the identity policy is reached.

21
Q

Rule Examples

Allowed on resource policy, not mentioned in identity policy?

A

Allow (resource policy is sufficient)

22
Q

Rule Examples

No permission boundary, allowed on resource policy?

A

Allow (resource policy comes before the permission boundary)

23
Q

Rule Examples

Allowed on resource policy, no permission boundary?

A

Allow (resource policy comes before the permission boundary; having no permission boundary is just fall-thru anyway)

24
Q

Rule Examples

Allowed on Resource Policy, Denied on Identity Policy?

A

Denied! Explicit Deny always trumps everything.

25
Q

Rule Examples

Allowed in Boundary and Session policy, not mentioned in Identity Policy?

A

Implicit Deny (Boundary and Session fall-thru to Identity, and it is not mentioned there)

26
Q

Rule Examples

Boundary grants S3 readonly, Identity gives you S3 full control?

A

S3 read-only (Boundary doesn’t deny the entire Identity Policy)