Policy 3

Question 1

Policy Variables

What is aws:TokenIssueTime?

Answer 1

Used with AWSRevokeOlderSessions to “revoke” before a date

Question 2

Policy Variables

What is aws:PrincipalType?

Answer 2

Condition key matching “Account”, “User”, “FederatedUser”, or “AssumedRole”.

Question 3

Policy Variables

What is aws:username?

Answer 3

Depends on the type! Only used if this was from an IAM User requesting.

Question 4

Policy Variables

What is aws:userid?

Answer 4

Different values depending on the type of Principal making the request.

Question 5

Policy Variables

What is aws:userid for root user requests?

Answer 5

AWS Account ID

Question 6

Policy Variables

What is aws:userid for IAM Users?

Answer 6

Unique ID of the user

Question 7

Policy Variables

What is aws:userid for federated users?

Answer 7

account + “:” + called specified name (from the call to get creds)

Question 8

Policy Variables

What is aws:userid for assumed roles?

Answer 8

unique ID of the role + “:” + RoleSessionName parameter

Question 9

Policy Variables

What is aws:userid for Role assigned to EC2 instance?

Answer 9

unique ID of the role + “:” + ec2 instance id

Question 10

Policy Variables

How do you include a default value for a Policy Variable?

Answer 10

${aws:username, 'guest'}

Question 11

Policy Variables

What do you do about aws:username when it sometimes is empty?

Answer 11

Use an “IfExists” condition so empty “aws:username” doesn’t result in invalid ARN, for example.

Question 12

Policy Variables

Help! IAM is treating my Policy Variable as a literal string!

Answer 12

You forgot to include a “Version" >= "2012-10-17”. Earlier versions don’t support variables.

Question 13

Policy Variables

How do you match a literal “*” in an S3 object name?

Answer 13

${*}

Question 14

Policy Variables

What’s the logic if you have multiple Conditions in a statement?

Answer 14

ANDed together

Question 15

Policy Variables

How do you write a condition to match 12 or 14 as values for aws:PrincipalTag/dept?

Answer 15

Just include as a list: aws:PrincipalTag/dept: [ 12, 14 ]

Question 16

Policy Variables

Condition value “[ 12, 14 ]” – are they ANDed or ORed togehter?

Answer 16

Depends! ANDed if positive thing like StringEquals, NORed if ArnNotLike.

Question 17

Policy Variables

What’s wrong with this: StringEquals on aws:TagKeys with value "HR"?

Answer 17

aws:TagKeys is multi-value, have to use ForAllValues or ForAnyValue.

Question 18

Policy Variables

Dangerous edge case of “StringEquals aws:SourceIp "7.5.1.2" ?

Answer 18

If there is no source IP addr, this fails.

Question 19

Policy Variables

How do you allow this if no Source VPC exists: aws:SourceVpc: “vpc-xxxx”?

Answer 19

StringEqualsIfExists: if it doesn’t exist, the condition succeeds.

Question 20

Policy Variables

How can you add a Condition that matches all accounts in an Organization OU?

Answer 20

aws:PrincipalOrgPaths

Question 21

Policy Variables

How do you add a Condition for all users who logged-in from Facebook?

Answer 21

aws:FederatedProvider

Question 22

Policy Variables

How do you add a condition of the source user who assumed the current role?

Answer 22

aws:RoleAssumedBy

Question 23

Policy Variables

Example of when aws:CalledVia is useful?

Answer 23

You cfn CreateStack, CFN calls DDB, DDB calls KMS to encrypt and write an Item.

Question 24

Policy Variables

How can you add a Condition so you can’t use KMS key yourself, but DDB can use it on your behalf?

Answer 24

Action “kms:Decrypt”, Condition aws:CalledVia dynamodb.amazon.com (service principal)

Question 25

Policy Variables

When is aws:CalledVia* empty?

Answer 25

ServiceRole or Service-linked Role

Question 26

Policy Variables

Example when aws:CalledVia* is empty?

Answer 26

You make the call yourself (aws cli) or SSM alters an EC2 instance.

Question 27

Policy Variables

How can you add a Condition to SNS Topic to only allow from S3 (trigger action)?

Answer 27

aws:SourceArn set to the S3 bucket

Question 28

Policy Variables

What parts of an ARN can you use variables?

Answer 28

Only the last part (after the last “:”)