Difference between revisions of "AWS Solutions Architect/training/Section 3: Identity Management and Permissions"
(Add math notation for Union and Intersection) |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 35: | Line 35: | ||
Steps for authorizing Requests to AWS - which may come from the Console, the CLI, or via an API | Steps for authorizing Requests to AWS - which may come from the Console, the CLI, or via an API | ||
| − | # Authentication | + | #Authentication |
| − | # Processing the '''request context''' of | + | #Processing the '''request context''' of |
| − | ## Actions | + | ##Actions |
| − | ## Resources | + | ##Resources |
| − | ## Principal | + | ##Principal |
| − | ## Environment data | + | ##Environment data |
| − | ## Resource data | + | ##Resource data |
| − | # Evaluating all policies within the account (both identity-based and resource-based) | + | #Evaluating all policies within the account (both identity-based and resource-based) |
| − | # Determining whether a request is allowed or denied | + | #Determining whether a request is allowed or denied |
Types of Policies | Types of Policies | ||
| − | * Identity-based policies - attached to Users, Groups, or Roles | + | *Identity-based policies - attached to Users, Groups, or Roles |
| − | * Resource-based policies - attached to resource; define permissions for a principal accessing the resource. | + | *Resource-based policies - attached to resource; define permissions for a principal accessing the resource. |
| − | * IAM Permission boundaries - set the maximum permissions an identity-based policy can grant an IAM entity | + | *IAM Permission boundaries - set the maximum permissions an identity-based policy can grant an IAM entity |
| − | * AWS Organizations service control policies (SCP) - specify the maximum permissions for an organization or OU | + | *AWS Organizations service control policies (SCP) - specify the maximum permissions for an organization or OU |
| − | * Session policies - used with the AssumeRole* API actions | + | *Session policies - used with the AssumeRole* API actions |
| − | The '''effective''' permissions are the | + | The '''effective''' permissions are the union of the two policies, <math display=block>A \cup B</math> when combining an Identity-based policy with a Resource-based policy. But, are only the '''intersection''' <math display=block>A \cap B</math> when combining with Permissions boundary or Organizations SCP<ref>https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-basics-id-rdp</ref> |
28. IAM Policy Structure | 28. IAM Policy Structure | ||
| Line 62: | Line 62: | ||
31. [HOL] Apply Permissions Boundary | 31. [HOL] Apply Permissions Boundary | ||
| + | |||
| + | With Permissions Boundary, you can prevent escalation of privileges. | ||
32. Use Cases for IAM Roles | 32. Use Cases for IAM Roles | ||
| Line 72: | Line 74: | ||
36. AWS IAM Best Practices | 36. AWS IAM Best Practices | ||
| + | |||
| + | |||
| + | <references /> | ||
[[Category:AWS]] | [[Category:AWS]] | ||
Revision as of 09:36, 8 February 2024
17. Introduction
18. How IAM Works
19. Overview of Users, Groups, Roles and Policies
20. IAM Authentication Methods
21. AWS Security Token Service (STS)
22. Multi-Factor Authentication (MFA)
23. [HOL] Setup Multi-Factor Authentication (MFA)
24. Identity-Based Policies and Resource-Based Policies
25. Access Control Methods - RBAC & ABAC
Users are assigned permissions through policies attached to groups. There are AWS managed policies for job functions designed to closely align to common job functions in the IT industry.
Groups are organized by job function.
Best practice is to grant the minimum permissions required to perform the job (principal of least privilege).
Attribute-Based Access Control (ABAC) can be based on "Tag Key" Department, "Tag Value" DBAdmins. Tags can be applied to people and resources, so the policy can check for both.
26. Permissions Boundaries
A permission boundary policy can limit the permissions that are otherwise granted via groups, roles or directly.
27. IAM Policy Evaluation
Evaluation logic starts with 'Deny'. There is a flow diagram at the AWS IAM UserGuide policies evaluation logic docs
Steps for authorizing Requests to AWS - which may come from the Console, the CLI, or via an API
- Authentication
- Processing the request context of
- Actions
- Resources
- Principal
- Environment data
- Resource data
- Evaluating all policies within the account (both identity-based and resource-based)
- Determining whether a request is allowed or denied
Types of Policies
- Identity-based policies - attached to Users, Groups, or Roles
- Resource-based policies - attached to resource; define permissions for a principal accessing the resource.
- IAM Permission boundaries - set the maximum permissions an identity-based policy can grant an IAM entity
- AWS Organizations service control policies (SCP) - specify the maximum permissions for an organization or OU
- Session policies - used with the AssumeRole* API actions
The effective permissions are the union of the two policies, [math]A \cup B[/math] when combining an Identity-based policy with a Resource-based policy. But, are only the intersection [math]A \cap B[/math] when combining with Permissions boundary or Organizations SCP[1]
28. IAM Policy Structure
29. [HOL] Using Role-Based Access Control (RBAC)
30. [HOL] Using Attribute-Based Access Control (ABAC)
31. [HOL] Apply Permissions Boundary
With Permissions Boundary, you can prevent escalation of privileges.
32. Use Cases for IAM Roles
33. [HOL] Cross-Account Access to S3
34. Access Keys and IAM Roles with EC2
35. [HOL] Amazon EC2 Instance Profile
36. AWS IAM Best Practices
