Policy 3 Flashcards
Policy Variables
What is aws:TokenIssueTime?
Used with AWSRevokeOlderSessions to “revoke” sessions whose credentials were issued before a given date.
Policy Variables
What is aws:PrincipalType?
Condition key matching “Account”, “User”, “FederatedUser”, or “AssumedRole”.
Policy Variables
What is aws:username?
Depends on the type! Only populated when the request comes from an IAM user.
Policy Variables
What is aws:userid?
Different values depending on the type of Principal making the request.
Policy Variables
What is aws:userid for root user requests?
AWS Account ID
Policy Variables
What is aws:userid for IAM Users?
Unique ID of the user
Policy Variables
What is aws:userid for federated users?
account + “:” + caller-specified name (from the call that obtained the credentials)
Policy Variables
What is aws:userid for assumed roles?
unique ID of the role + “:” + RoleSessionName parameter
Policy Variables
What is aws:userid for a Role assigned to an EC2 instance?
unique ID of the role + “:” + ec2 instance id
Policy Variables
How do you include a default value for a Policy Variable?
${aws:username, 'guest'}
Policy Variables
What do you do about aws:username when it is sometimes empty?
Use an “IfExists” condition so that an empty “aws:username” doesn’t produce an invalid ARN, for example.
Policy Variables
Help! IAM is treating my Policy Variable as a literal string!
You forgot to include a “Version” >= “2012-10-17”. Earlier versions don’t support variables.
Policy Variables
How do you match a literal “*” in an S3 object name?
${*}
Policy Variables
What’s the logic if you have multiple Conditions in a statement?
ANDed together
Policy Variables
How do you write a condition to match 12 or 14 as values for aws:PrincipalTag/dept?
Just include as a list: aws:PrincipalTag/dept: [ 12, 14 ]