# Advanced Concepts

## Authorization Model

* If there is an explicit `DENY` in IAM, then deny.
* Otherwise, if there is an explicit `ALLOW` in IAM, then allow.
* Else `DENY` (implicit deny).

![Evaluation Model](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-cf5c614d5d807b7b35264f42e9e1faa1c36d48c0%2FEvaluationModel.png?alt=media)

## Dynamic policies with IAM

* A dynamic policy is an IAM policy that uses special policy variables such as `${aws:username}`.
* This lets one policy be applied to multiple users, as in the example below. ![Dynamic Policy Example](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-2bcdf910ca52d1976a7a3c2ce7fd48455990d8af%2FDynamicPolicy.png?alt=media)
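A small evaluator, added here as an example and not part of the original notes, that applies the evaluation order above (explicit deny, then explicit allow, otherwise deny) to a constructed dynamic policy that uses `${aws:username}`; the bucket name, the statements and the `evaluate` helper are all assumptions for this example.

```python
import fnmatch
import json

# Constructed sample policy (not from the page): a dynamic policy that gives
# each user an S3 "home" prefix keyed on ${aws:username}. The bucket name and
# the statements are assumptions made for this example.
DYNAMIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/.secrets/*"}
  ]
}""")


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _substitute(pattern, context):
    # Expand policy variables such as ${aws:username} from the request context.
    for key, value in context.items():
        pattern = pattern.replace("${" + key + "}", value)
    return pattern


def evaluate(policy, action, resource, context):
    """Apply the evaluation order from the notes: an explicit Deny wins, then an
    explicit Allow, otherwise the request is implicitly denied.

    Simplifications (assumptions for this example): only Action and Resource are
    matched, Condition blocks are ignored, and '*' wildcards are matched with
    fnmatch, which like IAM lets '*' span '/' inside an ARN.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, _substitute(r, context))
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny: stop immediately
        allowed = True             # explicit allow, unless a later Deny matches
    return "Allow" if allowed else "Deny"   # implicit deny when nothing matched
```

Because the resource pattern is expanded per request, the same document grants `alice` access only under `home/alice/` and `bob` only under `home/bob/`, while the `.secrets/` deny still wins over the allow for the owner.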

## Policy Types

### Managed

* Maintained by AWS.
* Good for power users and administrators.
* Updated by AWS when new services or new APIs are released.

### Inline

* Strict one-to-one relationship between a policy and a principal.
* The policy is deleted when you delete the IAM principal.
* An inline policy is embedded directly in the user (or other principal).
* **Inline policies are limited to 2KB of policy `json` size**.

### Customer Managed

* Best practice: re-usable, and can be attached to many principals.
* Version controlled; changes can be rolled back through central change management.

## Grant User Permission to pass role

* You must pass a role to an AWS service; this happens only once, when configuring the service.
* The service later assumes the role and performs actions with it.
* For this you need IAM permission for the `iam:PassRole` action.
* It often comes with `iam:GetRole`, to view the role being passed.
* An example: ![IAM Pass Role](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-4590491c13b9dbf7dd2887c2017cf8d00664d82f%2FIAM_PassRole_Example.png?alt=media)
* Not every role can be passed with `iam:PassRole`: a role can only be passed to a service that its **trust** relationship allows.
  * A role's trust policy indicates which service may assume the role.
  * A trust policy is just a policy document, as shown below. ![Trust Policy IAM Role](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-6465e29298236297361446c207823e87f507903e%2FTrustPolicy_IAM_Role.png?alt=media)
