Advanced Concepts
Last updated
IAM evaluates every request in a fixed order:
If any applicable policy contains an explicit DENY for the request, the request is denied.
Otherwise, if any applicable policy contains an explicit ALLOW, the request is allowed.
Otherwise the request is denied (implicit deny).
An explicit deny therefore always wins, no matter how many allows match.
A dynamic policy is an IAM policy that uses policy variables such as ${aws:username}. The variable is resolved at evaluation time from the requesting principal, so one policy document can give every user access to their own resources (for example a per-user S3 prefix) without writing a separate policy per user.
AWS managed policies are created and maintained by AWS.
They are convenient for common job functions such as power users and administrators.
AWS updates them when new services or new APIs are released. Because they are written to be broad, review the actions they grant before attaching them to a sensitive principal.
An inline policy is embedded directly in a single principal (user, group or role), so there is a strict one-to-one relationship between the policy and the principal.
If you delete the IAM principal, its inline policies are deleted with it.
The combined size of a user's inline policies is limited to 2,048 characters (about 2 KB of policy JSON).
Customer managed policies are the best practice: they are reusable and can be attached to many principals.
They are version controlled (IAM keeps up to five versions of a managed policy), so a change can be rolled back and managed through central change management.
To let an AWS service act on your behalf you pass it a role. This happens only once, when you configure the service (for example when you create a Lambda function or launch an EC2 instance with an instance profile).
The service later assumes the role and performs actions with the role's permissions.
The caller who configures the service needs the IAM permission iam:PassRole on that role.
It often comes paired with iam:GetRole, so the caller can view the role being passed.
Not every role can be passed. The caller can only pass roles covered by their iam:PassRole permission, and only to services that the role's trust relationship allows to assume it.
Grant iam:PassRole on specific role ARNs rather than "*", and narrow it further with the iam:PassedToService condition key. An unscoped iam:PassRole lets a low-privileged user hand a highly privileged role to a service they control, which is a well-known privilege-escalation path.
A trust policy is the resource-based policy attached to a role; it states which principals (services, accounts, users or roles) may assume the role.
Because a trust policy can list several principals, one role can be shared by multiple users or services, as in the example below.
A trust policy is just a policy document, as shown in the example below.
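The following is an added example written for these notes, not code from the page or from AWS. It models the evaluation order described above (explicit deny, then explicit allow, otherwise implicit deny), resolves ${aws:username} in a dynamic policy, and runs both checks behind passing a role: the caller's own iam:PassRole permission (scoped with iam:PassedToService) and the role's trust policy. The account ID, bucket name, role names and policies are constructed placeholders. It is a toy model: no NotAction/NotResource, no SCPs, permission boundaries or resource-based permission policies, and only the StringEquals condition operator.

```python
"""Toy model of IAM policy evaluation, policy variables and the PassRole check.
Illustration only; not AWS's evaluation engine."""
from fnmatch import fnmatchcase


def _listify(value):
    # IAM accepts a single string or a list in Action, Resource, Statement, ...
    return value if isinstance(value, list) else [value]


def render(value, variables):
    # Resolve policy variables such as ${aws:username} from the request.
    for name, actual in variables.items():
        value = value.replace("${" + name + "}", actual)
    return value


def _conditions_hold(statement, context):
    # Every StringEquals key in the statement must match the request context.
    for key, wanted in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _listify(wanted):
            return False
    return True


def evaluate(policies, action, resource, variables=None, context=None):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    variables, context = variables or {}, context or {}
    decision = "Deny"  # implicit deny until an Allow statement matches
    for policy in policies:
        for st in _listify(policy["Statement"]):
            actions = [a.lower() for a in _listify(st.get("Action", []))]
            resources = [render(r, variables) for r in _listify(st.get("Resource", "*"))]
            if not any(fnmatchcase(action.lower(), a) for a in actions):
                continue
            if not any(fnmatchcase(resource, r) for r in resources):
                continue
            if not _conditions_hold(st, context):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends the evaluation
            decision = "Allow"
    return decision


def can_pass_role(identity_policies, role_arn, trust_policy, service, username):
    """Both halves of passing a role: the caller's iam:PassRole permission (with
    iam:PassedToService in the request context) and the role's trust policy."""
    caller_ok = evaluate(identity_policies, "iam:PassRole", role_arn,
                         {"aws:username": username},
                         {"iam:PassedToService": service}) == "Allow"
    trusted = any(
        st["Effect"] == "Allow"
        and "sts:AssumeRole" in _listify(st.get("Action", []))
        and service in _listify(st.get("Principal", {}).get("Service", []))
        for st in _listify(trust_policy["Statement"])
    )
    return caller_ok and trusted


# Constructed sample policies; account 123456789012 and bucket corp-home are placeholders.
DYNAMIC_S3_POLICY = {  # one document, per-user prefix via ${aws:username}
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::corp-home/${aws:username}/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::corp-home/audit/*"},
    ],
}
SCOPED_PASSROLE_POLICY = {  # PassRole limited to one role and one target service
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:GetRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-exec"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-exec",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}
LAMBDA_TRUST_POLICY = {  # the role's trust policy: only Lambda may assume it
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "lambda.amazonaws.com"}}],
}

if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/lambda-exec"
    print(evaluate([DYNAMIC_S3_POLICY], "s3:GetObject",
                   "arn:aws:s3:::corp-home/alice/report.csv", {"aws:username": "alice"}))
    print(evaluate([DYNAMIC_S3_POLICY], "s3:GetObject",
                   "arn:aws:s3:::corp-home/audit/log", {"aws:username": "audit"}))
    print(can_pass_role([SCOPED_PASSROLE_POLICY], role, LAMBDA_TRUST_POLICY,
                        "lambda.amazonaws.com", "alice"))
    print(can_pass_role([SCOPED_PASSROLE_POLICY], role, LAMBDA_TRUST_POLICY,
                        "ec2.amazonaws.com", "alice"))
```

The second evaluate call shows the deny-overrides rule: with username "audit" the dynamic Allow statement matches the audit prefix, but the explicit Deny on that prefix still wins. The last can_pass_role call fails for two independent reasons, the iam:PassedToService condition and the trust policy, which is the point of scoping PassRole: even if one control is misconfigured, the other still blocks handing the role to an unintended service.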