Policy 2

Question 1

Policy Rules

Order of rules for IAM overlapping policies?

Answer 1

Explicit deny wins over everything, then explicit allow, then implicit deny.

Question 2

Policy Rules

Order of Evaluations (7)?

Answer 2

Explicit Deny, SCPs, Resource policies, permissions Boundaries, Session policies, Idenity policies, implicit Deny.

Question 3

Policy Rules

Number one dumb mistake evaluating exam questions on Policies?

Answer 3

Missing a “Not” in an Action or Condition.

Question 4

Policy Rules

What’s the rule about explicit deny?

Answer 4

If explicitly denied, overrides everything else. Denied.

Question 5

Policy Rules

What’s the rule about SCPs?

Answer 5

If it exists and doesn’t allow, then deny, else continue.

Question 6

Policy Rules

What happens if no SCP exists for an account in an Org?

Answer 6

Fall-thru, implicit allow, continue.

Question 7

Policy Rules

What’s the rule about Resource Policies?

Answer 7

If grants access then allow, else continue.

Question 8

Policy Rules

What’s the cool result of Resource ahead of session + ID policies?

Answer 8

A resource can grant a permission to any user/role even if the u/r doesn’t allow it explicitly.

Question 9

Policy Rules

What’s the rule about Permission Boundaries?

Answer 9

If it exists and doesn’t allow then deny, else continue.

Question 10

Policy Rules

What’s the rule for Session Policies?

Answer 10

If it exists and doesn’t allow then deny, else continue.

Question 11

Policy Rules

What’s the rule for Identity Policies?

Answer 11

Last in line. Everything else gets a say first. If allows, then allow, else Implicit Deny.

Question 12

Policy Rules

What if one account accessing resource in other account and both accounts have SCPs?

Answer 12

Only SCP in identity account matters: SCPs don’t apply to Resource Policies.

Question 13

Cross-Account Policy Rules

What about permissions across accounts?

Answer 13

A needs to allow the access. B’s resource policy has to allow it. “A lets it out, B let’s it in”

Question 14

Cross-Account Policy Rules

Cross-account Policy rules when target doesn’t have a Resource Policy?

Answer 14

N/A! Cross-account only happens with Resource Policies.

Question 15

Rule Examples

Allow on resource policy, no permission on the identity policy?

Answer 15

Allow (resource policy comes before identity policy checks)

Question 16

Rule Examples

Resource policy explicitly allows, permission boundary doesn’t explicitly allow it?

Answer 16

Allow (resource policy before permission boundary, no explicit deny found)

Question 17

Rule Examples

Allowed on an SCP policy, not allowed on a permissions boundary?

Answer 17

Deny: SCP can’t grant, just deny

Question 18

Rule Examples

Allow on permission boundary, not on resource policy?

Answer 18

Don’t know yet! Both fall-thru to lower levels!

Question 19

Rule Examples

Allow on permission boundary, not on session policy?

Answer 19

Deny - permission passes to session policy which isn’t explicitly allowed

Question 20

Rule Examples

Not in permission boundary, allowed on identity policy?

Answer 20

Deny - permission boundary stops it before identity policy

Question 21

Rule Examples

Allowed on resource policy, not mentioned in identity policy?

Answer 21

Allow (resource policy is sufficient)

Question 22

Rule Examples

No permission boundary, allowed on resource policy?

Answer 22

Allow (resource is before permission boundary)

Question 23

Rule Examples

Allowed on resource policy, no permission boundary?

Answer 23

Allow (resource is before permission, no permission boundary is just fall-thru anyway)

Question 24

Rule Examples

Allowed on Resource Policy, Denied on Identity Policy

Answer 24

Denied! Explicit Deny always trumps everything.

Question 25

Rule Examples

Allowed in Boundary and Session policy, not mentioned in Identity Policy?

Answer 25

Implicit Deny (Boundary and Session fall-thru to Identity, not mentioned there)

Question 26

Rule Examples

Boundary grants S3 readonly, Identity gives you S3 full control?

Answer 26

S3 read-only (Boundary doesn’t deny the entire Identity Policy)