Policy 2 Flashcards
Policy Rules
Order of rules for IAM overlapping policies?
Explicit deny wins over everything, then explicit allow, then implicit deny.
Policy Rules
Order of Evaluations (7)?
Explicit Deny, SCPs, Resource policies, Permissions boundaries, Session policies, Identity policies, Implicit Deny.
Policy Rules
Number one dumb mistake evaluating exam questions on Policies?
Missing a “Not” in an Action or Condition.
Policy Rules
What’s the rule about explicit deny?
If explicitly denied, overrides everything else. Denied.
Policy Rules
What’s the rule about SCPs?
If it exists and doesn’t allow, then deny, else continue.
Policy Rules
What happens if no SCP exists for an account in an Org?
Fall-thru, implicit allow, continue.
Policy Rules
What’s the rule about Resource Policies?
If grants access then allow, else continue.
Policy Rules
What’s the cool result of Resource ahead of session + ID policies?
A resource can grant a permission to any user/role even if the user/role's own policy doesn't allow it explicitly.
Policy Rules
What’s the rule about Permission Boundaries?
If it exists and doesn’t allow then deny, else continue.
Policy Rules
What’s the rule for Session Policies?
If it exists and doesn’t allow then deny, else continue.
Policy Rules
What’s the rule for Identity Policies?
Last in line. Everything else gets a say first. If allows, then allow, else Implicit Deny.
Policy Rules
What if one account accessing resource in other account and both accounts have SCPs?
Only SCP in identity account matters: SCPs don’t apply to Resource Policies.
Cross-Account Policy Rules
What about permissions across accounts?
A needs to allow the access. B's resource policy has to allow it. "A lets it out, B lets it in."
Cross-Account Policy Rules
Cross-account Policy rules when target doesn’t have a Resource Policy?
N/A! Cross-account only happens with Resource Policies.
Rule Examples
Allow on resource policy, no permission on the identity policy?
Allow (resource policy comes before identity policy checks)
Rule Examples
Resource policy explicitly allows, permission boundary doesn’t explicitly allow it?
Allow (resource policy before permission boundary, no explicit deny found)
Rule Examples
Allowed on an SCP policy, not allowed on a permissions boundary?
Deny: an SCP can't grant, it can only deny.
Rule Examples
Allow on permission boundary, not on resource policy?
Don’t know yet! Both fall-thru to lower levels!
Rule Examples
Allow on permission boundary, not on session policy?
Deny - the permission passes to the session policy, which doesn't explicitly allow it.
Rule Examples
Not in permission boundary, allowed on identity policy?
Deny - permission boundary stops it before identity policy
Rule Examples
Allowed on resource policy, not mentioned in identity policy?
Allow (resource policy is sufficient)
Rule Examples
No permission boundary, allowed on resource policy?
Allow (resource is before permission boundary)
Rule Examples
Allowed on resource policy, no permission boundary?
Allow (resource is before permission, no permission boundary is just fall-thru anyway)
Rule Examples
Allowed on Resource Policy, Denied on Identity Policy?
Denied! Explicit Deny always trumps everything.
Rule Examples
Allowed in Boundary and Session policy, not mentioned in Identity Policy?
Implicit Deny (Boundary and Session fall-thru to Identity, not mentioned there)
Rule Examples
Boundary grants S3 readonly, Identity gives you S3 full control?
S3 read-only (Boundary doesn’t deny the entire Identity Policy)