Amazon AWS Certified Security Specialty – Domain 4 – Identity & Access Management part 15
- S3 – Cross Region Replication
Hey everyone and welcome back to the Knowledge Portal video series. Now today’s topic is Cross Region Replication. Now if you go into Properties, we are slowly, slowly covering a lot of things like versioning, lifecycle policies, etc. And today we will be specifically speaking about the Cross Region Replication related feature. Now if you remember, in the previous lecture we were speaking about the durability concept, where if the region itself goes down then, irrespective of the availability and the durability that AWS offers, your object will not be accessible. So in this case, what you need is that if your objects are, let’s assume, stored in the US West region, you can replicate these objects in one more region like Mumbai. So in that scenario, what will happen is even if the entire region goes down, you still have the same objects in one more region like Mumbai which is geographically apart.
Now, along with this, there is one important thing to remember as far as S3 is concerned: by default, the objects that you create in a bucket, which is in a specific region, will never leave that region. So if this is the bucket in the Oregon region, whatever objects you create inside it will by default never leave this particular region. So this is one important thing to remember. So that is one of the default scenarios. So in order to demonstrate the Cross Region Replication, let’s go ahead and create two buckets. So what I’ll do is I’ll say KP Labs Region One. In our case let’s have Oregon as the region and I’ll click on Create. Okay.
Now, along with that, I’ll create one more bucket, KP Labs Region Two, and this time I’ll create it in Mumbai and I’ll select Create. Perfect. So now we have two buckets created in two different regions. What we will be demonstrating in today’s scenario is that when we upload some object over here, the same object will be replicated to the second bucket which is present in the different region. So the first important thing to remember is that Cross Region Replication needs versioning to be enabled as a mandatory thing. So the very first thing that we’ll do is we’ll enable versioning in both the buckets because this is one of the mandatory requirements. Perfect. Now I’ll select the first bucket, which is in the Oregon region. I’ll go to Properties, Management, Replication and I’ll click on Add Rule.
So as you can see, it is Cross Region Replication. I’ll select Add Rule. The source will be all the contents within this bucket. I’ll select Next. Now it is asking for the destination bucket. The destination bucket you can either select in your AWS account or in a different AWS account as well. So for our case it will be the same AWS account and I’ll select the bucket name which is Region Two. Now you can also change the storage class for the replicated objects; this is again a great feature. Now, in the source S3 bucket, if by default you are storing all the objects as the Standard storage class, then in the destination bucket where your objects are getting replicated, in order to save your cost, you can either choose IA or Reduced Redundancy. So let me select Standard-IA for our demo purpose.
Now you need to select the IAM role. I’ll click on Create a new role. So what this IAM role basically does is it allows the bucket to transfer the objects to the destination S3 bucket. So I’ll click on Save. Let’s wait. Perfect. So our replication rule is created. So let’s try this out. Let me go here and let me upload a file. Let’s upload Finance THC again and I’ll select Upload. Perfect. So this file has been uploaded in this bucket. Now let’s go to the second bucket. And if you will see, in the second bucket the file is present. So let’s try a few more things. Let me create a folder. I’ll name this test folder. I’ll click on Save. Now if I go to the second bucket and click on Refresh, you will see the contents are getting replicated.
Now, one more thing that you will see over here: the objects that we are uploading have the storage class Standard. However, for the objects which are replicated, the storage class is automatically changed to Standard-IA. So this is the basics about Cross Region Replication. Now one important thing to remember is that if you are choosing an existing bucket where the contents are already present, then during Cross Region Replication the older contents will not be replicated. Only the new contents that you will be uploading will be replicated. So this is yet another important thing to remember. So this is it about this lecture. I hope this has been informative for you and I look forward to seeing you in the next lecture.
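The replication rule the console builds in the walkthrough above, written out as an added Python example that is not part of the lecture: it assembles the PutBucketReplication configuration with the Standard-IA destination class and a least-privilege policy for the replication role, and refuses to build the rule unless versioning is enabled on both buckets. Bucket names, the account id and the role name are constructed placeholders.

```python
SOURCE_BUCKET = "kplabs-region-one"  # constructed; stands in for the Oregon bucket
DEST_BUCKET = "kplabs-region-two"    # constructed; stands in for the Mumbai bucket
ROLE_ARN = "arn:aws:iam::111122223333:role/s3-crr-role"  # placeholder account id


def replication_role_policy(source: str, dest: str) -> dict:
    """Least-privilege permissions policy for the replication role, i.e. what the
    console's 'create a new role' needs to let the source bucket copy objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # read the replication rule and list the source bucket
                "Effect": "Allow",
                "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{source}",
            },
            {   # read object versions: this is why versioning is mandatory
                "Effect": "Allow",
                "Action": ["s3:GetObjectVersionForReplication",
                           "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
                "Resource": f"arn:aws:s3:::{source}/*",
            },
            {   # write replicas into the destination bucket only
                "Effect": "Allow",
                "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"],
                "Resource": f"arn:aws:s3:::{dest}/*",
            },
        ],
    }


def replication_config(source_versioning: str, dest_versioning: str,
                       storage_class: str = "STANDARD_IA") -> dict:
    """Replication configuration for PutBucketReplication. Refuses to build one
    unless versioning is Enabled on both buckets, which S3 requires for CRR."""
    if source_versioning != "Enabled" or dest_versioning != "Enabled":
        raise ValueError("CRR requires versioning enabled on source and destination")
    return {
        "Role": ROLE_ARN,
        "Rules": [{
            "ID": "replicate-whole-bucket",
            "Status": "Enabled",
            "Priority": 1,
            "Filter": {"Prefix": ""},  # all contents of the bucket, as in the demo
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {
                "Bucket": f"arn:aws:s3:::{DEST_BUCKET}",
                "StorageClass": storage_class,  # replicas change class to Standard-IA
            },
        }],
    }
```

Objects already in the source bucket when the rule is saved are not covered by it, so run the check before uploading anything you expect to be replicated.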
- IAM Permission Boundaries (New)
Hey everyone and welcome back. In today’s video we will be discussing the IAM permission boundaries. Now a permission boundary is an advanced feature in which we can use a managed policy to set the maximum permission that an identity-based policy can grant to an IAM entity. Now, when you set a permission boundary for a specific entity, the entity can perform only the actions that are allowed by both its identity-based policies and its permission boundary. So this is very important for us to understand. In fact, in definition terms it might be a little confusing. So let’s directly jump into the practical so that this becomes easy for us to understand. So I’m in my AWS console, let’s go to IAM, we’ll go to Users and I’ll click on Add user.
So let me call it kplabs-demo user. I’ll give him programmatic access. Let’s click on Next. Great. So the user is created. I’ll copy the access and secret key associated with the user. And what I’ll do, I’ll run the aws configure command, I’ll copy the access key and I’ll copy the secret key as well. So you’ll see that there were certain pre-configured access and secret keys. Basically for our demo we generate a lot of access and secret keys and I have to deactivate them immediately because otherwise there are a lot of interesting people who will use them. So anyways, the default region I’ll use is us-east-1 and the access and secret key have been configured. Great. So coming back to the console, we’ll go ahead and click on Close. So we have a user called kplabs-demo.
Now within here you see there are two tabs which are available. One is the permissions policies and the second is the permissions boundary. So let’s do one thing, let’s click on permissions boundary and we’ll set a boundary over here. So a boundary is basically a boundary: outside of the boundary a user cannot do anything. So we’ll understand this with a simple example. So let’s say I give a boundary called S3 full access, all right? So this is the boundary which we have given to the user kplabs-demo. So this is the highest level of access that this specific user can attain. Now even, let’s say even if I give him administrator access over here, let’s go ahead and give him administrator access, all right? So even if I give him administrator access and the permission boundary states that this specific user cannot go out of S3 full access, then the permission boundary will be adhered to.
Let’s look into this. So within my CLI let’s do an aws s3 ls. You see, you are able to see all the S3 buckets which are available. Now let’s do aws ec2 describe-instances and here you see it is basically giving you UnauthorizedOperation. Now the reason why it is giving you UnauthorizedOperation is because there is a permission boundary set. And the permission boundary states that irrespective of what access is given to a user, he is bound to the boundary which has been set. Now, if I go ahead and remove the permission boundary, you now only have the administrator access. So let’s go ahead and do an aws ec2 describe-instances now. And you see, you are able to see the list of instances which are available.
So I hope you understood at a high-level overview what the permission boundary does. And it is very important that you set the permission boundary. In fact, this is a great feature which AWS has implemented. Now, before we conclude, let me quickly show you a few interesting things. I’ll remove the policy over here. All right, let’s go to the permissions boundary. We’ll go ahead and set a boundary. So here let’s put S3 full access. I’ll click on Set boundary. So now you have the S3 full access. So here it is important to remember that the permission boundary by itself does not give the permission. The permission boundary is just the highest level of access that a user can have. It just sets the boundary for the access control. It does not give the access; access is given by the permissions policies.
So let me show you: if you do an aws s3 ls now, you see, it is giving you access denied. So the permission boundary just sets the boundary. It does not do the work of access control. The entire control related to what a user can access goes through the permissions policies. Now, if you’re interested, because currently you only have S3 full access over here, you might need to have a granular permission boundary. So in that case, currently if you see, if you click on Change the permission boundary, you can select just one. You cannot select multiple ones. In case you want to have multiple or a granular permission boundary, you can go ahead and you can create a policy. So this is the policy. Let’s click on the policy over here. Let’s say this time we’ll give both, first the S3 access. I select all the S3 actions.
Let’s review this policy. We forgot to add a resource. I’ll say all the resources. All right, now, if you go to the JSON, you can modify this. So let’s say we want to give S3. We also want to add CloudWatch. All right, I’ll add a comma. We added an extra comma over here. All right? So now let’s name our policy. I will say demo permission boundary and I’ll click on Create policy. All right, so our demo permission boundary policy has been created. Let’s go back to our kplabs-demo user. So now this is the kplabs-demo user. We’ll change the permission boundary. So let me type demo. So you have the demo permission boundary and I’ll change the permission boundary to that. All right.
So this is how you can create your own custom permission boundary. So I hope at a high-level overview you understood what the IAM permission boundaries are all about. So there are certain very important pointers that you need to remember, both for your real-world scenarios as well as for the exams. Now, the first important part to remember is the effective permission. So the effective permissions for an entity are the permissions that are granted by all the policies associated with the user, role or account. Now, within an AWS account the permissions for a specific entity can be affected by the identity-based policies, by the resource-based policies, by the permission boundaries and even by the Organization SCPs or the session policies.
So let’s say in this diagram you have three types of policies: you have the Organization SCP, you have the permission boundary and you have the identity policies. So the effective permission over here is dependent upon all of them. Let’s say that the organization policy says deny and the permission boundary and identity policy allow it. So the effective permission would be denied. Very important to remember: any explicit deny in either one of these, it can be the Organization SCP, permission boundary, resource policies, et cetera, any explicit deny is the final deny. So let’s say if you have a deny in the permission boundary and you have allow in the SCP and identity-based policies, the effective permission would be denied over here. All right? So I hope you understood what exactly is meant by evaluating the effective permission with boundaries. In exams,
you might get a question saying that the permission boundary is allowing and the identity-based policy has allowed. However, the Organization SCP is not allowing. So what would be the final permission? What will the user be able to do? Whether he’ll be able to perform the operation or he’ll not be able to perform the operation? And if the Organization SCP is not allowing, then the user will not be able to perform the operation. Similarly, you might get a use case saying that the user has an identity-based policy of allow. He has a permission boundary of allow. Still the user is not being able to call the specific service’s API call; what might be the issue? So then the issue can be the Organization SCP.
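The evaluation rules from the two paragraphs above (explicit deny wins; the boundary and the SCP only cap what the identity policy grants), as an added Python model that is not part of the lecture. It is deliberately simplified: it matches on Action only and ignores Resource, Condition and resource-based policies, and the policy documents are constructed stand-ins for the managed policies used in the demo.

```python
from fnmatch import fnmatchcase
from typing import Optional


def _matches(pattern: str, action: str) -> bool:
    """IAM-style wildcard match: 's3:*' matches 's3:ListBucket', '*' matches all."""
    return fnmatchcase(action.lower(), pattern.lower())


def _decision(policy: Optional[dict], action: str) -> str:
    """Evaluate one policy document for one action: 'Absent' when no policy of
    this type is attached, else 'Deny', 'Allow' or 'Implicit' (nothing matched)."""
    if policy is None:
        return "Absent"
    result = "Implicit"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if any(_matches(a, action) for a in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny in a document wins outright
            result = "Allow"
    return result


def effective_permission(action: str, identity: dict, boundary: Optional[dict] = None,
                         scp: Optional[dict] = None) -> bool:
    """True if the action is allowed once SCP, boundary and identity policy are
    combined the way the lecture describes."""
    scp_d, boundary_d, identity_d = (_decision(p, action) for p in (scp, boundary, identity))
    if "Deny" in (scp_d, boundary_d, identity_d):
        return False  # any explicit deny is the final deny
    # the boundary and the SCP never grant anything on their own: the identity
    # policy must allow, and every boundary/SCP that is present must allow too
    limits_ok = all(d == "Allow" for d in (scp_d, boundary_d) if d != "Absent")
    return identity_d == "Allow" and limits_ok


# constructed stand-ins for the managed policies used in the demo
S3_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# an SCP that allows everything except EC2 (the 'Organization SCP is not allowing' case)
SCP_NO_EC2 = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
]}
```

With this model, `effective_permission("ec2:DescribeInstances", ADMINISTRATOR_ACCESS, boundary=S3_FULL_ACCESS)` reproduces the UnauthorizedOperation seen in the demo, and an empty identity policy with the S3 boundary reproduces the access denied on `aws s3 ls`.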
- Troubleshooting IAM Policies
Hey everyone, and welcome back. Now, some of the next few videos we will be dedicating to troubleshooting IAM policies. Now, we have been learning various aspects related to IAM, and it is important for us to understand the troubleshooting aspect of IAM policies because this is important for exams. So the purpose of this video is to take a list of IAM policies and troubleshoot them to understand why they do not work. Now, for our demo purposes, we’ll take the example of five policies which do not work as intended. Now, I’m in my editor here and I have a file called troubleshoot.json. Now, this file basically has five distinct policies. So you have policy three. Here you have policy four, and you have policy five.
Now, each of these policies will basically teach you a different thing about IAM. So it is important for us to understand more about why these policies do not work. So what we’ll do is we’ll conclude the video. Now, I’ll be pasting these policies after the video so that you can go ahead and try each of these policies within your IAM policy editor and figure out why it would not work. Now, do not worry if you do not get all of these five policies to be working. There are some policies which are a little tricky. So let’s do one thing. Let’s conclude this video, and after I share this document, we’ll have another session where we go ahead and we look into the solution associated with each of these IAM policies.
- Troubleshooting Answers – Solution 01
Hey everyone and welcome back. Now in today’s video we will go ahead and look into the solutions associated with the policies that we had shared during the troubleshooting session. Now let’s look into policy one over here. Now, before we go ahead and troubleshoot, let’s copy this policy, and within the IAM console let’s click on new inline policy, and within the JSON we’ll go ahead and paste the policy here. So let me also maximize the screen so it becomes easier for us to understand what is happening here. Now, this is a very simple policy which basically allows an action of * on a resource of example bucket, and you have one more resource of example bucket/*. Now, when you do a review policy, it says that this policy contains the following JSON error: could not format the policy.
Now, generally, whenever you are troubleshooting an IAM policy, the first thing is to verify whether the JSON is correct. Now, within Google you can search for JSON validator. Let’s open up the validator here. So this one is quite famous. Let’s copy this policy, let’s paste it here and let’s validate the JSON. Now here it clearly says: syntax error, duplicate key Resource on line six. All right, so this gives you much better information than what you would see within the IAM console over here. Now, what is happening over here is that you have a key of Resource and you have a value associated with it. Now again, you are defining the same key and you are adding one more value associated with it. So it is saying that you have a duplicate key.
So you have to make sure that while you are writing the policy, the keys are not duplicated. So now what you can do is you can remove this duplicate key, which is Resource in this case, all right? And now you have two resources which are available over here. But even if you go ahead and validate here, it gives you an error. Now, whenever you have multiple actions, you can put them in an array. So let’s add an array here, and as soon as you do a validate, it says valid JSON. Now, a simple example of an array. Let me quickly show you. So let’s consider that I have this one pen. Now, I can hold this pen perfectly well, but when I have 20 or 30 pens over here, what I do is I put them in a box, all right? I put everything in a pencil box here.
Similarly, you can consider that whenever you have more than one resource or more than one action, you can put it in a placeholder or a box. So this is what an array refers to, all right? So this is a very simplistic explanation. So a simple thing to remember: whenever you have multiple definitions that you want to put, always add them within an array. So let’s copy this up. And within the IAM policy, I’ll put this statement. Let’s do a review and you see it works perfectly well. Now let’s go back. Now, one of the things that some individuals might also quickly detect, although that is not true, is that a version element is missing over here. Now, one important part to remember is that even though you have not specified the version element, as we have already discussed, your IAM policy will default to the version of 2008.
So it is perfectly fine to not specify the version element as far as your policy not failing is concerned. All right. So I hope you understood the solution associated with the first policy. So there were a few issues. First is that there was a duplicate key. Second was that we had to put these items within an array. And the third important learning that we experienced is to always validate a JSON policy with an external JSON validator as well, because that will give you a much clearer error log on what the issue associated with the policy is. So with this, we will conclude this video. I hope this video has been informative for you and I look forward to seeing you in the next video.
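The duplicate-key check that the external validator performed above, reproduced as an added Python example that is not part of the lecture: Python’s json.loads silently keeps the last duplicate key, so the example installs an object_pairs_hook to reject it, then applies the same Version default the lecture mentions. The bucket name examplebucket is a constructed stand-in for the lecture’s example bucket.

```python
import json


def _reject_duplicates(pairs):
    """object_pairs_hook for json.loads, which otherwise keeps only the last of
    two identical keys; that silent loss is why the console's error is so vague."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def validate_policy(text: str) -> dict:
    """Parse an IAM policy and report JSON errors and missing statement elements."""
    report = {"ok": False, "errors": [], "version": None}
    try:
        doc = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError is a subclass of ValueError
        report["errors"].append(str(exc))
        return report
    # a missing Version element is not an error: IAM falls back to 2008-10-17
    report["version"] = doc.get("Version", "2008-10-17 (default)")
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for i, stmt in enumerate(stmts):
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                report["errors"].append(f"statement {i}: missing {key}")
    report["ok"] = not report["errors"]
    return report


# policy one as the lecture shows it: the same key given twice in one statement
BROKEN_POLICY = """{
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "arn:aws:s3:::examplebucket",
    "Resource": "arn:aws:s3:::examplebucket/*"
  }]
}"""

# the fix: one Resource key whose value is an array (the lecture's pencil box)
FIXED_POLICY = """{
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]
  }]
}"""
```

The element check is intentionally minimal (it does not know NotAction or NotResource), so treat its output as a first pass before the console's own review.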