Open main menu
Freephile Wiki

Changes

AWS Solutions Architect/training/Section 3: Identity Management and Permissions (view source)

Revision as of 16:28, 9 February 2024

772 bytes added ,  9 February
no edit summary
Steps for authorizing Requests to AWS - which may come from the Console, the CLI, or via an API
# Authentication# Processing the '''request context''' of ## Actions ## Resources ## Principal ## Environment data ## Resource data# Evaluating all policies within the account (both identity-based and resource-based)# Determining whether a request is allowed or denied
Types of Policies
* Identity-based policies - attached to Users, Groups, or Roles* Resource-based policies - attached to resource; define permissions for a principal accessing the resource.* IAM Permission boundaries - set the maximum permissions an identity-based policy can grant an IAM entity* AWS Organizations service control policies (SCP) - specify the maximum permissions for an organization or OU* Session policies - used with the AssumeRole* API actions
The '''effective''' permissions are the superset union of the two policies, <math display="block">A \cup B</math> when combining an Identity-based policy with a Resource-based policy. But, are only the '''intersection''' <math display="block">A \cap B</math> when combining with Permissions boundary or Organizations SCP<ref>https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-basics-id-rdp</ref>
28. IAM Policy Structure
30. [HOL] Using Attribute-Based Access Control (ABAC)
 
Roles are '''assumed''' by users, applications and services.
 
Policies are JSON and may be either Identity based, or Resource based.
 
Authentication methods: password + optional MFA token; Access Key + Secret Access Key; X-509 Certificate
 
AWS Security Token Service (STS) sts:AssumeRole returns temporary security credentials.
 
Multi-Factor Authentication
;Something you '''know'''
;Something you ''' have'''
;Something you '''are'''
 
A Trust Policy is also an example of a resource-based policy.
 
A Permissions Policy is an identity-based policy.
31. [HOL] Apply Permissions Boundary
 
With Permissions Boundary, you can prevent escalation of privileges.
32. Use Cases for IAM Roles
 
cross-account access and 3rd-party access
33. [HOL] Cross-Account Access to S3
36. AWS IAM Best Practices
 
 
 
{{References}}<references />
[[Category:AWS]]
Retrieved from "https://wiki.freephile.org/wiki/Special:MobileDiff/10601...10615"