Policy 2 Flashcards
Policy Rules
Order of rules for IAM overlapping policies?
An explicit deny beats everything; an explicit allow beats the default implicit deny; with neither, the request is implicitly denied.
Policy Rules
Order of Evaluations (7)?
Explicit deny, SCPs, resource-based policies, permissions boundaries, session policies, identity-based policies, implicit deny.
Policy Rules
Number one dumb mistake evaluating exam questions on Policies?
Missing a “Not”: NotAction / NotResource / NotPrincipal in a statement, or a negated condition operator such as StringNotEquals.
Policy Rules
What’s the rule about explicit deny?
An explicit deny in any applicable policy overrides every allow. Final decision: Deny.
Policy Rules
What’s the rule about SCPs?
If one applies and doesn’t allow the action, deny; otherwise continue. SCPs never grant anything, they only set the ceiling.
Policy Rules
What happens if no SCP exists for an account in an Org?
Fall-through: the SCP step is treated as allowed and evaluation continues. (SCPs also never apply to principals in the Organization’s management account.)
Policy Rules
What’s the rule about Resource Policies?
If it grants access to the principal, Allow (same-account request); otherwise continue.
Policy Rules
What’s the cool result of Resource ahead of session + ID policies?
In the same account a resource-based policy can grant a permission to a user/role even if that user’s/role’s identity policy says nothing about it.
Policy Rules
What’s the rule about Permission Boundaries?
If it exists and doesn’t allow then deny, else continue.
Policy Rules
What’s the rule for Session Policies?
If it exists and doesn’t allow then deny, else continue.
Policy Rules
What’s the rule for Identity Policies?
Last in line; everything else gets a say first. If it allows, Allow; otherwise implicit deny.
Policy Rules
What if one account accessing resource in other account and both accounts have SCPs?
Only the SCPs attached to the calling principal’s account matter. SCPs constrain principals, not resources, so the resource owner’s SCPs do not restrict a foreign principal.
Cross-Account Policy Rules
What about permissions across accounts?
A’s identity-based policy (inside A’s SCP and boundary limits) must allow the action, and B’s resource-based policy must name the A principal and allow it. “A lets it out, B lets it in.”
Cross-Account Policy Rules
Cross-account Policy rules when target doesn’t have a Resource Policy?
N/A! Cross-account access only happens through a resource-based policy (a role’s trust policy is itself a resource-based policy, so assuming a role in B counts too).
Rule Examples
Allow on resource policy, no permission on the identity policy?
Allow, for a same-account request: the resource policy is evaluated before the identity policy and can grant on its own. Across accounts the identity policy in the calling account must allow as well.
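The two sets of cards above (the seven-step same-account order, and the cross-account “A lets it out, B lets it in” rule) are easiest to internalise by running them. The following is an added toy evaluator written for this page; it is not AWS’s implementation and it does not use the AWS SDK. It models only the decision order and minimal Action/NotAction and Principal matching (Resource and Condition elements are ignored); the account IDs, role ARNs and policy documents are constructed placeholders.

```python
"""Toy evaluator for the IAM decision order in the flashcards above.

Added illustration only (not AWS's implementation). It models the ORDER
explicit deny -> SCP -> resource policy -> permissions boundary -> session
policy -> identity policy -> implicit deny, plus the cross-account
"A lets it out, B lets it in" rule. Matching is deliberately minimal:
Action / NotAction with '*' wildcards and Principal ("*" or AWS ARN).
Resource and Condition elements are ignored.
"""
from fnmatch import fnmatchcase

ALLOW, DENY = "Allow", "Deny"


def _as_list(v):
    """IAM accepts a scalar or a list for most elements; normalise to a list."""
    if v is None:
        return []
    return [v] if isinstance(v, (str, dict)) else list(v)


def _action_matches(stmt, action):
    """Honour both Action and NotAction (the classic exam trap)."""
    if "NotAction" in stmt:
        return not any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))
    return any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))


def _principal_matches(stmt, principal):
    """Resource policies name a Principal; identity policies have none (match all)."""
    p = stmt.get("Principal", "*")
    if p == "*":
        return True
    aws = _as_list(p.get("AWS"))
    return "*" in aws or principal in aws


def effects(policy, action, principal):
    """Set of Effects from statements in `policy` that cover action + principal."""
    if policy is None:
        return set()
    return {s["Effect"] for s in _as_list(policy["Statement"])
            if _action_matches(s, action) and _principal_matches(s, principal)}


def evaluate(action, principal, *, identity=None, resource=None, scp=None,
             boundary=None, session=None):
    """Same-account decision in the 7-step order. Returns (decision, reason)."""
    names = ("SCP", "resource policy", "permissions boundary", "session policy",
             "identity policy")
    # 1. An explicit deny anywhere ends it.
    for name, pol in zip(names, (scp, resource, boundary, session, identity)):
        if DENY in effects(pol, action, principal):
            return DENY, f"explicit deny in {name}"
    # 2. SCP: if one applies and does not allow -> deny; no SCP -> fall through.
    if scp is not None and ALLOW not in effects(scp, action, principal):
        return DENY, "SCP does not allow"
    # 3. Resource policy: a grant here is final, no identity policy needed.
    if ALLOW in effects(resource, action, principal):
        return ALLOW, "resource policy grants"
    # 4./5. Permissions boundary and session policy are filters, never grants.
    for name, pol in (("permissions boundary", boundary), ("session policy", session)):
        if pol is not None and ALLOW not in effects(pol, action, principal):
            return DENY, f"{name} does not allow"
    # 6. Identity policy gets the last say ...
    if ALLOW in effects(identity, action, principal):
        return ALLOW, "identity policy grants"
    # 7. ... otherwise implicit deny.
    return DENY, "implicit deny"


def evaluate_cross_account(action, principal, *, identity=None, resource=None,
                           scp=None, boundary=None, session=None):
    """Principal in account A calling a resource owned by account B.

    A must let it out (A's SCP / boundary / session / identity chain, with no
    resource policy on that side) AND B's resource policy must let it in.
    B's SCP is intentionally not a parameter: SCPs only constrain principals
    that belong to the account they are attached to, never foreign callers.
    """
    out, why = evaluate(action, principal, identity=identity, scp=scp,
                        boundary=boundary, session=session)
    if out != ALLOW:
        return DENY, "account A does not let it out: " + why
    inbound = effects(resource, action, principal)
    if DENY in inbound:
        return DENY, "account B: explicit deny in resource policy"
    if ALLOW not in inbound:
        return DENY, "account B does not let it in: resource policy silent"
    return ALLOW, "A lets it out, B lets it in"


# Constructed sample policies; 111111111111 / 333333333333 are placeholder IDs.
ROLE_A = "arn:aws:iam::111111111111:role/Reader"
IDENTITY_ALLOW_S3 = {"Statement": [{"Effect": ALLOW, "Action": "s3:GetObject", "Resource": "*"}]}
IDENTITY_NOT_IAM = {"Statement": [{"Effect": ALLOW, "NotAction": "iam:*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": ALLOW, "Principal": {"AWS": ROLE_A},
                                "Action": "s3:GetObject", "Resource": "*"}]}
BUCKET_POLICY_OTHER = {"Statement": [{"Effect": ALLOW, "Action": "s3:GetObject", "Resource": "*",
                                      "Principal": {"AWS": "arn:aws:iam::333333333333:role/Other"}}]}
SCP_EC2_ONLY = {"Statement": [{"Effect": ALLOW, "Action": "ec2:*", "Resource": "*"}]}
SCP_DENY_S3 = {"Statement": [{"Effect": DENY, "Action": "s3:*", "Resource": "*"}]}
BOUNDARY_S3 = {"Statement": [{"Effect": ALLOW, "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(evaluate("s3:GetObject", ROLE_A, resource=BUCKET_POLICY))
    print(evaluate("s3:GetObject", ROLE_A, identity=IDENTITY_ALLOW_S3, scp=SCP_EC2_ONLY))
    print(evaluate_cross_account("s3:GetObject", ROLE_A, identity=IDENTITY_ALLOW_S3,
                                 resource=BUCKET_POLICY))
```

Run it and compare each result with the cards: the bucket policy alone allows the read with no identity policy (Rule Examples card), an SCP that only mentions ec2:* denies the S3 call even though the identity policy allows it, the NotAction identity policy lets ec2:StartInstances through but lets iam:CreateUser fall to implicit deny, and the cross-account call fails the moment either side stays silent.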