Tutorial / Cram Notes

AWS Identity and Access Management (IAM) allows for the secure management of access to AWS services and resources. There are different policy types within IAM that enable fine-grained access control. Here, we discuss the main IAM policy types, including managed policies, inline policies, identity-based policies, resource-based policies, and session control policies, to help prepare for the AWS Certified Security – Specialty (SCS-C02) exam.

Managed Policies

Managed policies are standalone IAM policies that can be attached to multiple IAM entities (users, groups, and roles) within an AWS account. There are two types of managed policies:

  • AWS Managed Policies: These are created and managed by AWS. They are designed to provide permissions for common use cases and are updated automatically when AWS resources and services change.
  • Customer Managed Policies: These are created and managed by users. They offer more flexibility and control to define resource permissions that fit specific requirements.

Example: To grant a user full access to EC2, you could attach the AWS managed policy AmazonEC2FullAccess.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}

Inline Policies

Inline policies are policies that are directly embedded within a single IAM user, group, or role. Unlike managed policies, inline policies are not standalone and cannot be shared between IAM entities. They are primarily used to ensure that a policy is strictly bound to a single IAM entity, providing a one-to-one relationship between a policy and an IAM entity.

Example: An inline policy to allow a user to only start or stop EC2 instances might look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    }
  ]
}

Identity-Based Policies

Identity-based policies are attached to IAM identities, such as users, groups, or roles. These policies are used to grant permissions to an identity to perform actions on AWS resources.

Example: An identity-based policy that grants read-only access to a specific S3 bucket named my-bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Resource-Based Policies

Resource-based policies are attached directly to the resource rather than to a user or role. They are also known as resource policies and grant other accounts or IAM principals access to that particular resource.

Example: An S3 bucket policy allowing public read access to all objects in the bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-public-bucket/*"
    }
  ]
}

Session Control Policies

Session control policies control the permissions of a session created for a federated user or by assuming an IAM role. They can include policies that limit session duration or apply conditions to the session, such as a requirement for MFA (multi-factor authentication).

Example: A session policy that allows actions only for a caller who authenticated with MFA, and only while that MFA authentication is less than one hour (3600 seconds) old:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLimitedDuration",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NumericLessThan": {
          "aws:MultiFactorAuthAge": "3600"
        }
      }
    }
  ]
}

Understanding the nuances of different IAM policies will be fundamental in managing AWS security effectively and is crucial for those looking to acquire the AWS Certified Security – Specialty certification. It is important not only to know what each policy type does but also when and where to apply them appropriately in various scenarios in AWS environments.

Practice Test with Explanation

True or False: Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account.

  • True

Answer: True

Explanation: Managed policies are standalone, reusable policies in AWS that can be attached to multiple IAM identities (users, groups, and roles).

True or False: Inline policies are policies that are embedded directly into a single user, group, or role.

  • True

Answer: True

Explanation: Inline policies are policies that are directly attached to a single IAM entity and are not reusable independently.

Which of the following types of IAM policies are defined at the AWS account level and can be used to manage permissions across all resources in the account? (Select ONE)

  • A) Managed policies
  • B) Inline policies
  • C) Identity-based policies
  • D) Resource-based policies

Answer: C) Identity-based policies

Explanation: Identity-based policies can be managed or inline and are defined at the AWS account level. They can manage permissions across all or selected resources within the account.

Resource-based policies are attached to which of the following? (Select ONE)

  • A) IAM user
  • B) AWS resource
  • C) IAM group
  • D) IAM role

Answer: B) AWS resource

Explanation: Resource-based policies are attached directly to AWS resources, giving permissions to principals (users or roles) from potentially any account.

True or False: Permission boundaries set the maximum permissions that an identity-based policy can grant to an IAM entity.

  • True

Answer: True

Explanation: Permission boundaries are used to control the maximum permission that an IAM role or user can have.

In IAM, what is the effect of a session policy? (Select ONE)

  • A) It grants permissions to an AWS service.
  • B) It sets permission boundaries for an AWS session.
  • C) It restricts permissions within a particular AWS session.
  • D) It defines the maximum permissions for user federations.

Answer: C) It restricts permissions within a particular AWS session.

Explanation: Session policies limit permissions for a session, which is created by assuming an IAM role or federating a user.

True or False: A single IAM user can be attached to multiple managed policies, but a managed policy can only be attached to one IAM user at a time.

  • False

Answer: False

Explanation: A managed policy can be attached to multiple IAM users, groups, or roles at the same time.

What is the primary difference between managed policies and inline policies? (Select ONE)

  • A) Managed policies can be versioned; inline policies cannot.
  • B) Managed policies are JSON documents; inline policies are in XML format.
  • C) Managed policies are enforced by AWS; inline policies are advisory.
  • D) Managed policies apply to resources; inline policies apply to identities.

Answer: A) Managed policies can be versioned; inline policies cannot.

Explanation: One of the key features of managed policies is the ability to have different versions of the policy. Inline policies do not support versioning.

Which policy type enables cross-account access to resources in AWS? (Select ONE)

  • A) Identity-based policies
  • B) Resource-based policies
  • C) Managed policies
  • D) Inline policies

Answer: B) Resource-based policies

Explanation: Resource-based policies, such as those attached to an S3 bucket or an AWS Glue database, can define cross-account access permissions for those resources.

True or False: Role-based access control (RBAC) in AWS is entirely managed through the use of IAM roles and policies.

  • True

Answer: True

Explanation: In AWS, RBAC is achieved by creating IAM roles with specific policies attached and then assigning those roles to users, groups, or services needing those permissions.

Interview Questions

Can you explain the difference between managed policies and inline policies in AWS IAM?

Managed policies are standalone IAM policies that you can attach to multiple users, groups, or roles within your AWS account. They are maintained by AWS (AWS Managed Policies) or by an account administrator (Customer Managed Policies). Inline policies, on the other hand, are policies that are embedded directly into a single user, group, or role. They cannot be shared and are strictly used to apply permissions to that specific entity. Managed policies are recommended for reusability and easier management, whereas inline policies are used for strict one-to-one relationships between policy and principal.

What is the primary benefit of using identity-based policies in AWS IAM?

The primary benefit of using identity-based policies is the ability to directly attach permissions to an IAM user, group, or role. These policies control what actions the identity can perform, on which resources, and under what conditions. Identity-based policies offer fine-grained access control and are used to enforce permissions at the user or role level in AWS.

What are resource-based policies in AWS, and how do they differ from identity-based policies?

Resource-based policies are attached to AWS resources themselves, not to IAM identities. They specify who has permissions to access that resource and the actions they can perform. Unlike identity-based policies, resource-based policies provide a way to specify access permissions directly on the resource and are used mainly for cross-account access or to set permissions on resources like S3 buckets or KMS keys.

How do session policies affect temporary security credentials in AWS IAM?

Session policies are advanced policies that you pass as parameters when you programmatically create a session for a federated user or when you assume an IAM role. They are used to further restrict the permissions for the session beyond what is granted by the user’s or role’s identity-based policies. Session policies help to provide granular, temporary permissions that are ideal for short-term access requirements.

Can you provide an example of when you would use a managed policy over an inline policy?

A managed policy would be preferable when you have a common set of permissions that need to be applied to multiple users, groups, or roles. For example, if several administrators need similar permissions to manage EC2 instances, you would create a Customer Managed Policy with the required permissions and attach it to each administrator role. This approach ensures consistent permission management and simplifies policy updates.

What is the significance of policy evaluation logic in IAM and how does it impact policy enforcement?

Policy evaluation logic is crucial as it determines the outcome of a permission decision when multiple policies apply. AWS evaluates all policies (identity-based, resource-based, session policies, SCPs) and grants permission only if every policy allows the action. If any policy explicitly denies an action, it supersedes any allow statements and the overall result is a denial, reflecting the “default deny” principle in IAM.
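The evaluation order described above, together with the MFA-age condition from the Session Control Policies section, as an added toy model written for this page (not AWS code): explicit Deny anywhere wins, session policies and permissions boundaries can only narrow the result, and an identity-based or resource-based policy must supply the Allow, as in AWS's same-account logic. SCPs, cross-account requests and every condition operator other than NumericLessThan are left out; the sample policies and request context are constructed from the page's examples.

```python
from fnmatch import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_applies(stmt, action, resource, ctx):
    """True if Action, Resource and every Condition of one statement match the request."""
    if not any(fnmatch(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "NumericLessThan":           # only the operator used on this page is modelled
            raise ValueError(f"operator {operator} not modelled")
        for key, limit in pairs.items():
            # A key absent from the request context (no MFA used) fails the condition.
            if key not in ctx or not float(ctx[key]) < float(limit):
                return False
    return True

def policy_decision(policy, action, resource, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    decision = None
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(action, resource, ctx, identity, resource_policy=None, session=None, boundary=None):
    """Same-account request: an explicit Deny anywhere wins; a session policy and a permissions
    boundary, when present, must Allow (they only filter); then an identity-based or
    resource-based policy must Allow. SCPs are not modelled."""
    filters = [p for p in (session, boundary) if p is not None]
    granting = [p for p in (identity, resource_policy) if p is not None]
    decisions = [policy_decision(p, action, resource, ctx) for p in filters + granting]
    if "Deny" in decisions:
        return False
    if any(d != "Allow" for d in decisions[:len(filters)]):
        return False
    return "Allow" in decisions[len(filters):]

# Constructed sample input: the page's start/stop inline policy and its MFA session policy.
START_STOP = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
              "Action": ["ec2:StartInstances", "ec2:StopInstances"]}]}
MFA_SESSION = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*",
               "Resource": "*", "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}}]}
```

With MFA_SESSION in place, a request made without MFA (no aws:MultiFactorAuthAge in the context) or with MFA older than 3600 seconds is refused even though START_STOP allows the action, and the session policy never grants anything START_STOP does not.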

Why might you choose to use resource-based policies rather than identity-based policies for an S3 bucket?

Resource-based policies, specifically S3 bucket policies, are useful when you want to define permissions across multiple accounts or to the public. For example, if you need to grant read access to an S3 bucket for users in a different AWS account, using a bucket policy allows you to specify those permissions directly on the S3 bucket rather than managing cross-account roles or identity-based policies.

In what scenario would you find it necessary to use IAM session control policies?

Session control policies are particularly useful when you want to limit the permissions or conditions of a role session. They come into play, for instance, when providing access to a third-party contractor or using federated user sessions where you need to enforce restrictive permissions tailored to a specific job function or time period, ensuring the principle of least privilege is adhered to.

How can you leverage AWS managed policies to expedite the process of granting common permissions?

AWS managed policies are predefined by AWS and are designed to facilitate common use cases by providing a ready-made set of permissions. Administrators can quickly attach these policies to new users, groups, or roles to grant necessary permissions without manually creating policies, thus saving time and reducing the potential for errors in policy definition.

Describe a scenario where inline policies would be crucial despite the administrative convenience of managed policies.

Inline policies are crucial when you need to ensure that permissions are tightly bound to a specific IAM user, group, or role and when those permissions must not be inadvertently detached or reattached elsewhere. For example, when dealing with highly sensitive resources or actions, you would use an inline policy to control the exact permissions and reduce the risk of them being shared or modified outside of the intended scope.

How do permissions boundaries differ from standard IAM policies, and when would you use them?

Permissions boundaries are an advanced feature in IAM that allows you to create and enforce a maximum permission boundary for an IAM user or role. It effectively defines the maximum permissions that the entity can have, regardless of what permissions are actually assigned to that entity. You would use permissions boundaries when you want to delegate permission management to developers or other administrators but need to ensure they don’t grant excessive permissions beyond the scope of their authority.

Explain what conditions in IAM policies are and provide an example of a useful condition you could apply to a policy.

Conditions in IAM policies allow you to specify the circumstances under which a policy grants or denies permissions. They can include date/time, IP address, MFA authentication, and various AWS-specific keys. For example, you could add a condition to a policy that only allows actions if the request comes from a particular CIDR range (IP address range), or if Multi-Factor Authentication (MFA) is enabled, enhancing the security of your AWS environment.

Mestan Kaya
3 months ago

Thanks for this informative post on IAM policies, it really helped clarify different types of policies.

Amila Van den Bor
3 months ago

Can someone explain the key difference between managed policies and inline policies?

عسل حسینی
3 months ago

Managed policies provide reusability and ease of management, especially when you need to apply the same permissions to multiple entities.

Eric Bahena
3 months ago

Inline policies can be useful for specific, granular control, but they can become harder to manage over time due to lack of centralization.

Nawfal Bonder
4 months ago

What about identity-based policies and resource-based policies? How do they differ?

Urs Martinez
4 months ago

This blog post is a gold mine for those preparing for the AWS Certified Security – Specialty exam.

Abdullahi Spijkerman
3 months ago

Session control policies seem complex. Can anyone break down their use cases?

Siloslava Pohilevich
3 months ago

I think resource-based policies are a better choice for granting cross-account access.
