Tutorial / Cram Notes
Identity and Access Management (IAM) is a cornerstone of AWS security, providing the necessary tools to securely control access to AWS services and resources for your users. When preparing for the AWS Certified Security – Specialty (SCS-C02) exam, it’s crucial to understand the different IAM policy types and how they can be evaluated against specific requirements and workloads.
The main policy types in IAM are:
- Identity-Based Policies
- Resource-Based Policies
- Permissions Boundaries
- Organizations SCPs (Service Control Policies)
- Access Control Lists (ACLs)
- Session Policies
Identity-Based Policies
Identity-based policies are attached to IAM users, groups, or roles. They define permissions for an entity to perform actions on resources. These policies can be managed or inline:
Managed Policies:
- Can be AWS managed (predefined by AWS) or customer managed (created and managed by you).
- Are reusable and can be attached to multiple entities.
Inline Policies:
- Are directly embedded into a single user, group, or role.
- Offer tight control over policy assignment.
When to use Identity-Based Policies:
- When you need to assign permissions based on the identity of the requester.
- When you want to manage permissions across multiple accounts with AWS managed policies.
Resource-Based Policies
Resource-based policies are attached to AWS resources like S3 buckets or KMS keys. They specify who (which principal) can access that resource and under what conditions.
When to use Resource-Based Policies:
- When you need to control access to a resource regardless of the requester’s identity.
- When the access control involves cross-account access.
Example:
An S3 bucket policy granting read access to a specific IAM user from another account.
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: {“AWS”: “arn:aws:iam::123456789012:user/ExampleUser”},
“Action”: [“s3:GetObject”],
“Resource”: [“arn:aws:s3:::examplebucket/*”]
}
]
}
Permissions Boundaries
Permissions boundaries are advanced features that use managed policies to set the maximum permissions that an IAM role or user can have.
When to use Permissions Boundaries:
- To delegate administration tasks and allow users to manage roles without exceeding a certain permission boundary.
- To prevent privilege escalation beyond a specific scope.
Organizations SCPs (Service Control Policies)
SCP policies are used within AWS Organizations to set permissions limits for the entire organization or specific organizational units (OUs).
When to use SCPs:
- To enforce governance by ensuring member accounts adhere to certain compliance rules.
- To set boundary permissions across multiple accounts within AWS Organizations.
Access Control Lists (ACLs)
ACLs are legacy features primarily used with S3 and network resources to manage subresource-level permissions.
When to use ACLs:
- For simple access control scenarios on S3 buckets and objects.
- When legacy S3 tools or applications are in use.
Session Policies
Session policies are policies passed during the creation of a temporary session for a federated user or assumed role.
When to use Session Policies:
- To provide fine-grained access during a particular session.
- To restrict permissions temporarily beyond what is assigned to the user or role.
Example:
Passing a session policy when assuming a role to limit access to a particular S3 bucket.
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: “s3:*”,
“Resource”: “arn:aws:s3:::specific-bucket/*”
}
]
}
In conclusion, the choice of IAM policy types depends on the need for scalability, specificity of access, and the given workloads and requirements. It is essential for candidates to understand not just the syntax of these policies, but also when and why to use each type in a real-world scenario. Understanding these concepts will be crucial for those looking to demonstrate their expertise in the AWS Certified Security – Specialty exam.
Practice Test with Explanation
T/F: Identity-based policies in AWS IAM can directly be associated with resources rather than users and roles.
- Answer: False
Explanation: Identity-based policies are attached to IAM users, groups, or roles rather than AWS resources. Resource-based policies, on the other hand, are directly attached to resources.
In AWS IAM, what policy type allows you to specify access controls across multiple AWS accounts?
- A. Identity-based policies
- B. Resource-based policies
- C. Organizations SCPs (Service Control Policies)
- D. Permissions boundaries
Answer: C. Organizations SCPs (Service Control Policies)
Explanation: Service Control Policies allow organizations to manage permissions across multiple AWS accounts.
T/F: AWS IAM permissions boundaries can be used to delegate administration by setting the maximum permissions that an IAM entity can have.
- Answer: True
Explanation: Permissions boundaries allow an administrator to delegate permissions to users or roles without granting them full access to the AWS account capabilities.
Which IAM policy is AWS’s default policy that implicitly denies access to every AWS service and action?
- A. Managed policy
- B. Inline policy
- C. SCP
- D. None of the above
Answer: D. None of the above
Explanation: AWS has a default “implicit deny” when no policies are in place or when a request does not match any allow policy. This is not an actual policy that can be assigned but rather the default behavior of the access control system.
T/F: Inline policies are the preferred method for assigning permissions when managing a large, complex organization with multiple teams and services.
- Answer: False
Explanation: Managed policies are generally preferred in large organizations because they are easier to manage and can be re-used across multiple IAM identities.
T/F: AWS IAM roles require long-term credentials such as access keys or passwords to be associated with them.
- Answer: False
Explanation: IAM roles do not require long-term credentials. Instead, they rely on temporary security tokens when assumed.
Which IAM policy type can be used to enforce restrictions on the operations that IAM users and roles can perform?
- A. SCP
- B. Permissions boundaries
- C. Managed policies
- D. All of the above
Answer: D. All of the above
Explanation: SCPs, permissions boundaries, and managed policies can all be used to limit permissions for IAM users and roles.
What is the key benefit of using AWS managed policies over inline policies?
- A. They cannot be deleted
- B. They can be attached to multiple IAM users, groups, or roles
- C. They are more secure
- D. They allow unrestricted access to AWS services
Answer: B. They can be attached to multiple IAM users, groups, or roles
Explanation: Managed policies are created and administered by AWS, and can be attached to multiple IAM entities which makes reuse and management more convenient than inline policies.
T/F: AWS IAM supports resource-based policies for services like Amazon S3 and IAM roles.
- Answer: True
Explanation: AWS IAM allows certain resources such as Amazon S3 buckets and IAM roles to have their own policies, which are known as resource-based policies.
Which IAM feature allows you to simulate permissions to verify they function as expected before actually applying them?
- A. IAM Access Advisor
- B. IAM Policy Simulator
- C. IAM Trusted Advisor
- D. IAM Access Analyzer
Answer: B. IAM Policy Simulator
Explanation: The IAM Policy Simulator helps you understand and validate the effects of access control policies, allowing you to test them before committing to the changes.
T/F: Cross-account access can be facilitated by using IAM roles and resource-based policies.
- Answer: True
Explanation: IAM roles and resource-based policies can both be used to allow access to resources and services from users in different AWS accounts.
When would you typically use an AWS managed policy?
- A. When you want to customize permissions at a granular level for an individual user
- B. When you have a standard set of permissions that should be applied to multiple users or roles
- C. When you do not want to periodically review and update the permission set
- D. When the permissions required for a role are unique and not likely to be duplicated
Answer: B. When you have a standard set of permissions that should be applied to multiple users or roles
Explanation: AWS managed policies are ideal for providing a standardized set of permissions that can be readily applied to different users or roles, which is useful for commonly-assigned tasks and roles within an organization.
Interview Questions
Can you describe the difference between identity-based policies and resource-based policies in AWS IAM?
Identity-based policies are attached to IAM users, groups, or roles, specifying permissions for those entities. These policies allow or deny actions on AWS resources. Resource-based policies, on the other hand, are attached directly to AWS resources and specify which principals (users, accounts, roles) can or cannot access that resource.
When would you use a managed policy rather than an inline policy in an IAM role?
Managed policies are best used when you want to have reusable, centrally managed policy objects that can be attached to multiple users, groups, or roles. It’s beneficial for consistent policy deployment across an organization. Inline policies are used when a policy is strictly intended for a single user, group, or role, and you want the policy’s lifecycle to be tied to that specific identity.
What is the significance of using conditions in IAM policies?
Conditions in IAM policies add an extra layer of security by defining requirements that must be met for a policy statement to take effect. They can be based on various factors like IP address, time of day, or multi-factor authentication, and are crucial for fine-grained access control.
How would you design an IAM policy to allow a user access only during work hours in their specific timezone?
This policy would use a condition that restricts access based on the current time. An example condition using the DateGreaterThan and DateLessThan condition operators could specify the allowed access times within the user’s workday, making sure to adjust for the timezone offset as necessary.
What AWS IAM feature would you use to ensure that policies do not allow unintentional access to all resources in an account?
AWS IAM policy conditions can be used to prevent overly permissive actions. For example, using specific resource ARNs in policies, setting condition keys like aws:ResourceTag to enforce tag-based access control, or using SCPs (Service Control Policies) in AWS Organizations to ensure account-level boundaries are some of the ways to prevent unintentional access to all resources.
How can you use IAM policies together with resource tagging to manage permissions across different projects or departments?
By implementing a resource tagging strategy and using the aws:ResourceTag condition key in your IAM policies, you can align permissions with specific project or department tags, thus granting access only to the resources with matching tags.
Why might you opt to use temporary security credentials (e.g., those provided by STS) over long-term access keys for an IAM user when accessing AWS services programmatically?
Temporary security credentials provided by AWS Security Token Service (STS) are more secure than long-term access keys as they are automatically rotated and have a limited lifespan. They also provide options for enhanced security by allowing the requesting entity to assume an IAM role with the exact permissions needed for the task, reducing the risk associated with compromised credentials.
Describe how you would address the need for a user to assume different IAM roles depending on the task or service they are interacting with.
By implementing IAM role switching, you can grant a user the ability to change to different IAM roles within the same or different AWS accounts. Each IAM role would have a separate set of permissions tailored to specific tasks or services, controlled by the trust policy attached to the role. The user can then use the AssumeRole API to switch between these roles as needed.
In what scenarios would you advise using service-linked roles?
Service-linked roles are designed for AWS services to perform actions on your behalf. They should be used when you need to grant an AWS service permissions to manage resources within your account. These roles have predefined policies and trust relationships set by the service, making them secure and easy to manage.
How might cross-account access be configured with IAM policies, and what are some security considerations to keep in mind?
Cross-account access is configured by creating a role in the target account with a policy that grants the necessary permissions. The trust relationship of the role is updated to allow the principal (user, role) of the source account to assume the role using sts:AssumeRole. When setting up cross-account access, it’s important to scope down permissions as much as possible, monitor logs for unusual activity, and regularly review permissions for any changes in requirements.
Can you provide an example of when you would use inline policies over managed policies?
Inline policies are useful when you need to create a policy that is designed to be exclusively associated with a single IAM user, group, or role, and you want the lifecycle of that policy to be tightly coupled with that IAM entity. For instance, you might use an inline policy when you need to ensure that specific permissions are retired as soon as a user or role is deleted.
How does AWS IAM help in enforcing multi-factor authentication (MFA) for sensitive operations, and what would a policy enforcing MFA look like?
AWS IAM can enforce MFA by including condition keys in policies that require MFA authentication. A condition like “aws:MultiFactorAuthPresent”: “true” can be used within a policy statement to ensure that certain actions can only be performed if the user is authenticated with MFA. This increases the security for sensitive operations by adding an additional layer of authentication.
Great article! Can someone explain how to prioritize policies for workloads with different security requirements?
Thanks for the detailed breakdown. This really helped me understand IAM better.
IAM policies can get really complex. Any suggestions on tools for maintaining them?
I appreciate the blog post. Well done!
I used AWS IAM Access Analyzer to review my policies. Anyone else using it?
Why should we use resource-based policies over identity-based policies?
Loved the step-by-step explanation!
Can we combine both resource and identity-based policies? Any best practices around this?