Policy 3 Flashcards
Policy Variables
What is aws:TokenIssueTime?
Used with AWSRevokeOlderSessions to “revoke” before a date
Policy Variables
What is aws:PrincipalType?
Condition key matching “Account”, “User”, “FederatedUser”, or “AssumedRole”.
Policy Variables
What is aws:username?
Depends on the type! Only used if the request was made by an IAM User.
Policy Variables
What is aws:userid?
Different values depending on the type of Principal making the request.
Policy Variables
What is aws:userid for root user requests?
AWS Account ID
Policy Variables
What is aws:userid for IAM Users?
Unique ID of the user
Policy Variables
What is aws:userid for federated users?
account + “:” + caller-specified name (from the call to get credentials)
Policy Variables
What is aws:userid for assumed roles?
unique ID of the role + “:” + RoleSessionName parameter
Policy Variables
What is aws:userid for a Role assigned to an EC2 instance?
unique ID of the role + “:” + EC2 instance ID
Policy Variables
How do you include a default value for a Policy Variable?
${aws:username, 'guest'}
Policy Variables
What do you do about aws:username when it is sometimes empty?
Use an “IfExists” condition so empty “aws:username” doesn’t result in invalid ARN, for example.
Policy Variables
Help! IAM is treating my Policy Variable as a literal string!
You forgot to include a “Version” >= “2012-10-17”. Earlier versions don’t support variables.
Policy Variables
How do you match a literal “*” in an S3 object name?
${*}
Policy Variables
What’s the logic if you have multiple Conditions in a statement?
ANDed together
Policy Variables
How do you write a condition to match 12 or 14 as values for aws:PrincipalTag/dept?
Just include as a list: aws:PrincipalTag/dept: [ 12, 14 ]
Policy Variables
Condition value “[ 12, 14 ]” – are they ANDed or ORed together?
Depends! ANDed if a positive operator like StringEquals, NORed if ArnNotLike.
Policy Variables
What’s wrong with this: StringEquals on aws:TagKeys with value "HR"?
aws:TagKeys is multi-value; you have to use ForAllValues or ForAnyValue.
Policy Variables
Dangerous edge case of StringEquals aws:SourceIp “7.5.1.2”?
If there is no source IP address, this fails.
Policy Variables
How do you allow this if no Source VPC exists: aws:SourceVpc: “vpc-xxxx”?
StringEqualsIfExists: if the key doesn’t exist, the condition succeeds.
Policy Variables
How can you add a Condition that matches all accounts in an Organization OU?
aws:PrincipalOrgPaths
Policy Variables
How do you add a Condition for all users who logged in from Facebook?
aws:FederatedProvider
Policy Variables
How do you add a condition of the source user who assumed the current role?
aws:RoleAssumedBy
Policy Variables
Example of when aws:CalledVia is useful?
You call CFN CreateStack, CFN calls DDB, DDB calls KMS to encrypt and write an Item.
Policy Variables
How can you add a Condition so you can’t use the KMS key yourself, but DDB can use it on your behalf?
Action “kms:Decrypt”, Condition aws:CalledVia dynamodb.amazon.com (service principal)
Policy Variables
When is aws:CalledVia* empty?
ServiceRole or Service-linked Role
Policy Variables
Example of when aws:CalledVia* is empty?
You make the call yourself (AWS CLI) or SSM alters an EC2 instance.
Policy Variables
How can you add a Condition to an SNS Topic to only allow from S3 (trigger action)?
aws:SourceArn set to the S3 bucket
Policy Variables
In what parts of an ARN can you use variables?
Only the last part (after the last “:”)