Policy 3 Flashcards

1
Q

Policy Variables

What is aws:TokenIssueTime?

A

Used with AWSRevokeOlderSessions to “revoke” sessions issued before a date

2
Q

Policy Variables

What is aws:PrincipalType?

A

Condition key matching “Account”, “User”, “FederatedUser”, or “AssumedRole”.

3
Q

Policy Variables

What is aws:username?

A

Depends on the type! Only set if the request came from an IAM user.

4
Q

Policy Variables

What is aws:userid?

A

Different values depending on the type of Principal making the request.

5
Q

Policy Variables

What is aws:userid for root user requests?

A

AWS Account ID

6
Q

Policy Variables

What is aws:userid for IAM Users?

A

Unique ID of the user

7
Q

Policy Variables

What is aws:userid for federated users?

A

account + “:” + caller-specified name (from the call to get credentials)

8
Q

Policy Variables

What is aws:userid for assumed roles?

A

unique ID of the role + “:” + RoleSessionName parameter

9
Q

Policy Variables

What is aws:userid for a role assigned to an EC2 instance?

A

unique ID of the role + “:” + ec2 instance id

10
Q

Policy Variables

How do you include a default value for a Policy Variable?

A

${aws:username, 'guest'}

11
Q

Policy Variables

What do you do about aws:username when it is sometimes empty?

A

Use an “IfExists” condition so an empty “aws:username” doesn’t result in an invalid ARN, for example.

12
Q

Policy Variables

Help! IAM is treating my Policy Variable as a literal string!

A

You forgot to include a “Version” >= “2012-10-17”. Earlier versions don’t support variables.

13
Q

Policy Variables

How do you match a literal “*” in an S3 object name?

A

${*}

14
Q

Policy Variables

What’s the logic if you have multiple Conditions in a statement?

A

ANDed together

15
Q

Policy Variables

How do you write a condition to match 12 or 14 as values for aws:PrincipalTag/dept?

A

Just include them as a list: aws:PrincipalTag/dept: [ 12, 14 ]

16
Q

Policy Variables

Condition value “[ 12, 14 ]” – are they ANDed or ORed together?

A

Depends! ANDed for a positive operator like StringEquals, NORed for a negated one like ArnNotLike.

17
Q

Policy Variables

What’s wrong with this: StringEquals on aws:TagKeys with value "HR"?

A

aws:TagKeys is multi-valued; you have to use ForAllValues or ForAnyValue.

18
Q

Policy Variables

Dangerous edge case of StringEquals aws:SourceIp "7.5.1.2"?

A

If there is no source IP address, this fails.

19
Q

Policy Variables

How do you allow this if no source VPC exists: aws:SourceVpc: “vpc-xxxx”?

A

StringEqualsIfExists: if it doesn’t exist, the condition succeeds.

20
Q

Policy Variables

How can you add a Condition that matches all accounts in an Organization OU?

A

aws:PrincipalOrgPaths

21
Q

Policy Variables

How do you add a Condition for all users who logged in from Facebook?

A

aws:FederatedProvider

22
Q

Policy Variables

How do you add a condition on the source user who assumed the current role?

A

aws:RoleAssumedBy

23
Q

Policy Variables

Example of when aws:CalledVia is useful?

A

You call CloudFormation CreateStack, CFN calls DynamoDB, and DynamoDB calls KMS to encrypt and write an item.

24
Q

Policy Variables

How can you add a Condition so you can’t use a KMS key yourself, but DDB can use it on your behalf?

A

Action “kms:Decrypt”, Condition aws:CalledVia dynamodb.amazon.com (service principal)

25
Q

Policy Variables

When is aws:CalledVia* empty?

A

When the caller is a ServiceRole or a Service-linked Role

26
Q

Policy Variables

Example of when aws:CalledVia* is empty?

A

You make the call yourself (AWS CLI) or SSM alters an EC2 instance.

27
Q

Policy Variables

How can you add a Condition to an SNS Topic to only allow calls from S3 (trigger action)?

A

aws:SourceArn set to the S3 bucket

28
Q

Policy Variables

In what parts of an ARN can you use variables?

A

Only the last part (after the last “:”)