Tutorial / Cram Notes
Service Control Policies enable organizations to set permission guardrails applicable to all accounts within an organizational unit (OU). They are part of AWS Organizations and can be used to enforce compliance and security standards across multiple AWS accounts. With SCPs, you can whitelist or blacklist certain AWS services or actions, thus ensuring that account users or roles comply with the established policies.
An SCP example could be to deny any action not compliant with logging requirements:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Deny”,
“NotAction”: [
“cloudtrail:*”,
“logs:*”
],
“Resource”: “*”,
“Condition”: {
“Bool”: {
“aws:RequestTag/Compliance”: “true”
}
}
}
]
}
This SCP ensures that any activity not tagged with “Compliance”: “true” is denied if it’s not related to CloudTrail or CloudWatch Logs.
Assuming Roles
For day-to-day operations, users may need to interact with resources in accounts they don’t directly own. AWS provides the AssumeRole API allowing IAM users to temporarily take on a role with a different set of permissions. This is critical for a multi-account strategy for several reasons:
- Cross-account Access: Users can perform actions in another account without managing credentials for that account directly.
- Least privilege model: Roles can be tailored with specific permissions necessary for a particular task.
- Centralized access management: One account can manage access permissions while users from other accounts assume roles as needed.
Example: Assuming a Role
To assume a role within AWS, define a trust relationship within the IAM role you want to access. For instance, here would be a policy associated with a role named CrossAccountRole in Account B that Account A wants to access:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: {“AWS”: “arn:aws:iam::
“Action”: “sts:AssumeRole”,
“Condition”: {}
}
]
}
To assume the CrossAccountRole from Account A, you could use the AWS Command Line Interface (CLI):
aws sts assume-role \
–role-arn “arn:aws:iam::
–role-session-name “session-name”
This command will provide temporary security credentials to access resources in Account B.
Combining SCPs with Role Assumption
For complex organizations, the combination of SCPs with role assumption provides robust security. By applying SCPs, the root level administration can enforce policies across all accounts in the organization. By enabling roles in individual accounts, the organization achieves flexibility and tight control over who can access what within each account.
Imagine an SCP that permits read-only access across all accounts except one where dev work takes place. Developers can then assume a role with elevated permissions but only within their development account.
Conclusion
When managing multi-account architectures in AWS, SCPs and IAM role assumption are crucial tools. By applying SCPs at the organization level, you create a consistent set of security boundaries for all accounts. Roles extend the granularity of access control to the individual account level, allowing for precise permission delegation. By mastering these IAM solutions, DevOps engineers can ensure that their AWS environments are both secure and flexible to meet the needs of complex organizational structures.
Practice Test with Explanation
T/F: Service Control Policies (SCPs) can be used to permit actions that are otherwise explicitly denied by IAM permissions in an AWS account.
- Answer: False
Explanation: SCPs are used to manage permissions in AWS Organizations and can only allow actions or requests that are explicitly allowed by IAM permissions. They cannot grant access to actions that are specifically denied by IAM.
Which AWS service allows central management of multiple AWS accounts?
- A) IAM
- B) AWS Organizations
- C) Amazon Cognito
- D) AWS Single Sign-On (SSO)
Answer: B. AWS Organizations
Explanation: AWS Organizations allows you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.
What is the maximum number of SCPs you can attach to an AWS Organizations OU (Organizational Unit)?
- A) 5
- B) 10
- C) 100
- D) No limit
Answer: D. No limit
Explanation: There is no set limit to the number of SCPs that can be attached to an AWS Organizations OU.
T/F: You can use an IAM role to delegate access to resources in the same AWS account, but not in other accounts.
- Answer: False
Explanation: IAM roles can be used to delegate access to users, applications, or services that normally don’t have access to your AWS resources, and this can be done both within the same AWS account and across different AWS accounts.
When assuming an IAM role in another AWS account to perform actions, which of the following are required? (Select two)
- A) The trust relationship defined in the role
- B) The execution role of the AWS Lambda function
- C) Role session name
- D) Amazon Resource Name (ARN) of the role
Answer: A. The trust relationship defined in the role, C. Role session name
Explanation: A trust relationship must be defined in the IAM role so that the assuming entity is allowed to assume the role, and a role session name is required to uniquely identify the session when the role is assumed.
T/F: Cross-account access using IAM roles negates the need for sharing access keys across accounts.
- Answer: True
Explanation: IAM roles for cross-account access eliminate the need to share access keys, as permissions are managed without static credentials, thereby enhancing security.
What feature allows you to apply permission policies to all accounts in an organization?
- A) IAM Users
- B) IAM Roles
- C) SCPs
- D) AWS Identity Federation
Answer: C. SCPs
Explanation: Service Control Policies allow you to define a set of controls that all AWS accounts within the organization must comply with.
T/F: An SCP attached to a root in AWS Organizations affects every account within the organization irrespective of their individual OU.
- Answer: True
Explanation: SCPs applied at the root level apply to all OUs and accounts within the organization.
What allows for the temporary access to AWS resources in different accounts or environments?
- A) IAM User switching
- B) IAM policy conditions
- C) IAM role assumption
- D) AWS Access Keys
Answer: C. IAM role assumption
Explanation: IAM role assumption allows users to temporarily assume a role that grants them permissions to access resources in the same or different AWS account.
T/F: SCPs can enforce tag-based controls on AWS resources across multiple accounts.
- Answer: True
Explanation: SCPs can include conditions that enforce tag-based controls, which apply across all users and roles in the member accounts.
Which of the following is not a feature of AWS Single Sign-On (SSO)?
- A) Centralized access management for multiple AWS accounts
- B) Supports integration with on-premises Active Directory
- C) Provides direct access to AWS Management Console for each account
- D) Automatically optimizes costs among multiple accounts
Answer: D. Automatically optimizes costs among multiple accounts
Explanation: AWS SSO does not automatically optimize costs. It focuses on access management and facilitates centralized sign-in across AWS accounts and business applications.
When an IAM user assumes a role within the same account, are they required to relinquish their original user permissions?
- A) Yes, IAM role assumption always replaces the original user permissions
- B) No, they can combine permissions of the IAM user and the assumed role
- C) Yes, but only if the AssumeRole API operation is used
- D) No, the original user permissions are maintained for the duration of the role assumption
Answer: D. No, the original user permissions are maintained for the duration of the role assumption
Explanation: When an IAM user assumes a role, their user permissions are not permanently removed. They are simply augmented by the permissions of the role they’ve assumed for that session. After the session ends, they revert to their original user permissions.
Interview Questions
Can you describe what AWS Organizations is and how it relates to implementing IAM solutions in a multi-account environment?
AWS Organizations is a service that allows you to centrally manage and govern your environment as you grow and scale your work on AWS. With AWS Organizations, you can create groups of AWS accounts, automate account creation, apply policies for governance, and simplify billing by setting up a single payment method for all your accounts. It is related to IAM because it allows you to structure your accounts in a way that aligns with your access control policies and enables the use of Service Control Policies (SCPs) to centrally apply permissions across accounts.
What are Service Control Policies (SCPs) and how do they work in the context of AWS Organizations?
SCPs are a type of policy that you can use with AWS Organizations to manage permissions in your organization’s accounts. SCPs allow you to define the maximum permissions for members (accounts) of an organization, acting as a guardrail for all IAM entities in an account, without being an explicit grant. They help ensure compliance with the principle of least privilege by allowing administrators to control which services and actions users and roles can access across all accounts in the organization.
How does assuming roles between AWS accounts improve security and collaboration?
Assuming roles between AWS accounts allows users from one AWS account to access resources in another account securely. This is done without the need to share credentials, instead using temporary security credentials that can be more tightly controlled and audited. Doing so also facilitates collaboration by allowing cross-account resource access. Assumed roles come with predefined permissions, giving the principal that assumes the role the minimum necessary permissions required to perform a specific task, which conforms to the principle of least privilege.
Can you explain the difference between a cross-account role and a service-linked role in AWS?
A cross-account role is a custom IAM role that you create to delegate access to resources in your account to users from another AWS account. It is typically used for scenarios where users from different AWS accounts need to collaborate or access resources. A service-linked role, on the other hand, is a unique type of IAM role that is linked directly to an AWS service. It is predefined by the service and includes all the necessary permissions for the service to call other AWS services on your behalf. Service-linked roles are created by AWS services and cannot be modified.
What are best practices for managing IAM policies and permissions in a complex multi-account AWS organization?
Best practices for managing IAM policies and permissions in a multi-account organization include using AWS Organizations to structure your accounts, implementing least privilege access using finely-grained IAM policies, leveraging Service Control Policies to enforce permission boundaries across accounts, utilizing role assumption for cross-account access instead of sharing credentials, regularly auditing and rotating IAM credentials, federating user identity for centralized authentication, and using condition statements in IAM policies for extra security checks.
What is the role of the AWS IAM policy simulator in managing permissions within an AWS environment?
The AWS IAM Policy Simulator is a tool provided by AWS that allows you to test the effects of IAM policies before actually applying them, ensuring that the right permissions are in place. It can simulate whether a particular set of permission policies will allow or deny access to different AWS services and actions by using existing policies, policy changes, or new policies. This helps in debugging and refining policies to ensure they are effective and secure, reducing the risk of inadvertently granting excessive permissions.
How does AWS CloudTrail complement IAM solutions in a complex AWS environment?
AWS CloudTrail is a service that provides governance, compliance, and audit capabilities by logging all AWS API calls and related events for an account. When used alongside IAM solutions, CloudTrail allows for detailed tracking of changes to policies and permissions, including who made the change, from where, and when. This enhances security and visibility in a complex AWS environment by creating an audit trail for IAM actions, which can be crucial for troubleshooting, security analysis, and compliance auditing.
What considerations should you keep in mind when using IAM roles in conjunction with AWS Lambda functions in a multi-account environment?
When using IAM roles with AWS Lambda in a multi-account environment, you should ensure that the Lambda function’s execution role has the necessary permissions to access the resources it needs while applying the principle of least privilege. This often requires carefully crafting the role’s policy statements. Also, if functions need to interact with resources in multiple accounts, you may need to configure cross-account access through role assumption. Keep in mind that Lambda functions assume the function’s execution role dynamically, and you should audit and adjust these permissions regularly to maintain security.
What strategies would you implement to standardize IAM roles and permissions across multiple accounts in an AWS Organization?
To standardize IAM roles and permissions across multiple AWS accounts, you could create baseline IAM roles that define the common permissions required by specific job functions or applications within the organization. These roles can be deployed across accounts using AWS CloudFormation StackSets or AWS Organizations. You should also use Service Control Policies (SCPs) to enforce IAM standards and constraints at the organization level. Additionally, using IAM Access Analyzer, you can review and validate that the policies you’ve set up across your organization align with your intent.
Explain how you can restrict IAM users from being able to terminate instances in certain environments, like production, while still allowing them in others, such as development or staging.
To restrict IAM users from terminating instances in certain environments while allowing them in others, you can use a combination of resource tags and IAM condition keys. Firstly, tag your instances according to the environment they belong to (e.g., production, development, staging). Then, create IAM policies that include condition blocks that check for these tags. For example, you would deny the “ec2:TerminateInstances” action if the tag “Environment” is set to “production”, effectively preventing users from terminating instances in the production environment. This same concept can also be implemented using Service Control Policies (SCPs) if the development and production environments are in separate AWS accounts within an organization.
Great post! I especially appreciated the section on Service Control Policies (SCPs).
Thanks for the detailed walkthrough on IAM roles. This is exactly what I needed for my preparation!
Does anyone have experience with setting up SCPs for a multi-account AWS environment?
I found the section on assuming roles between accounts very informative. Saved a lot of my preparation time!
This tutorial is excellent for understanding the exam objectives related to IAM and multi-account management.
I’m still a bit confused about SCPs and how they differ from AWS IAM policies.
This is so detailed and useful. Kudos to the author!
How can I test the effectiveness of my SCPs before applying them across accounts?