Advanced Concepts

Authorization Model

  • If there is an explicit DENY in IAM, then deny.

  • If there is an explicit ALLOW in IAM, then allow.

  • Otherwise, deny.

Evaluation Model

Dynamic policies with IAM

  • A dynamic policy is an IAM policy that uses special policy variables such as ${aws:username}.

  • This allows one policy to be applied to multiple users, as given in the example below.
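The following is an added example, not part of the original notes: a simplified, stand-alone model of the authorization and evaluation rules above (explicit deny beats explicit allow, everything else is denied) applied to a constructed dynamic policy that uses ${aws:username}. The policy, bucket name, user names and the evaluator itself are assumptions for illustration, not AWS's own implementation.

```python
import fnmatch
import re

# Constructed sample policy: each user may only work inside their own S3 prefix
# (via the ${aws:username} variable); deletes under any "archive/" path are explicitly denied.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*"},
        {"Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/home/*/archive/*"},
    ],
}

VAR = re.compile(r"\$\{([a-zA-Z:]+)\}")

def substitute(text, context):
    """Replace ${aws:...} policy variables with values from the request context (assumed to be complete)."""
    return VAR.sub(lambda m: context[m.group(1)], text)

def as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource, context):
    """True if the statement covers the requested action (case-insensitive) and resource (after substitution)."""
    actions = [a.lower() for a in as_list(stmt["Action"])]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    resources = [substitute(r, context) for r in as_list(stmt["Resource"])]
    return any(fnmatch.fnmatchcase(resource, r) for r in resources)

def evaluate(policies, action, resource, context):
    """Simplified IAM evaluation: any matching Deny wins, then a matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

if __name__ == "__main__":
    ctx = {"aws:username": "alice"}
    base = "arn:aws:s3:::example-bucket/home/"
    print(evaluate([POLICY], "s3:GetObject", base + "alice/report.txt", ctx))        # Allow
    print(evaluate([POLICY], "s3:GetObject", base + "bob/report.txt", ctx))          # ImplicitDeny
    print(evaluate([POLICY], "s3:DeleteObject", base + "alice/archive/old.txt", ctx)) # ExplicitDeny
```

Changing only the request context (for example to bob) makes the same policy grant access to bob's prefix instead, which is what makes the single policy reusable across users.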

Policy Types

Managed

  • Maintained by AWS.

  • Good for power users and administrators.

  • Updated when new services or new APIs are released.

Inline

  • Strict one-to-one relationship between policy and principal.

  • The policy is deleted if you delete the IAM principal.

  • An inline policy is attached directly to the user.

  • An inline policy is limited to 2KB of policy JSON.

Customer Managed

  • Best practice; reusable and can be applied to many principals.

  • Version controlled; can be rolled back with central change management.

Grant User Permission to pass role

  • You must pass a role to an AWS service; this happens only once, when configuring the service.

  • The service later assumes the role and performs actions.

  • For this you need IAM permission for the iam:PassRole action.

  • It often comes with iam:GetRole to view the role being passed.

  • An example,

  • Not every role can be passed with iam:PassRole; a role can only be passed to a service that its trust relationship allows.

    • A trust policy for a role indicates which service can assume the role.

    • A trust policy is just a policy document, as shown below.
