Amazon AWS Certified Security Specialty – Domain 4 – Identity & Access Management part 16
- Troubleshooting Answers – Solution 02
Hey everyone and welcome back. Now, in the previous video we looked into the troubleshooting solution associated with policy one. Now, in today’s video we’ll dedicate it to policy two over here. All right? So let’s do one thing. Let’s copy this policy and within the IAM console let’s go ahead and paste it over here. Now, once I do that, let’s click on review. And now you see it is not giving us any error. Now, one of the things that might be expected was that the policy will give an error and only then it will be considered as not working. However, that is not the case. Let’s look into the example. So let’s call it policy zero two and let’s create a policy. Now, one important part to remember is that although the policy was successful, the reason why the policy was successful is primarily because your JSON was perfectly fine.
However, this does not really mean that the things that you have defined within the policy will work as intended. Now, within this policy under the action you see that you have an access key. That basically means that there is an effect of allow for working with the operations related to access keys, like creation of access key, deletion of access key and so on. And you have a resource which is defined over here. Now, let’s do one thing. Let’s go to the IAM section from the Alice user so that we can understand what is happening now within here. Since the Alice user does not really have any permission other than the access secret key, you will get a lot of errors over here. Now, one quick way in which you can quickly go to the Alice user is to copy the path.
So if you look into the URL here, within the users you have the Alice user which is present over here. So let’s copy this URL and let me quickly paste it over here. And currently you are under the security credentials section of the Alice user. Now, within the access keys over here it says that you need permission and it is showing as access denied. However, within the policy you have clearly allowed the user to have all the actions associated with the access key. Now, if you look into the resource section over here, within the resource section you are making use of a policy variable, and this is the reason why you are getting an error over here. Now, if you would have to replace this specific policy variable with a static name of the IAM user, let’s try this out now. Let’s refresh this page and now you see it is showing the active access key.
You can go ahead and also create an access key over here. So the issue was related to the policy variable. Now, removing the policy variable and replacing it with a static name is not the best solution, because it might happen that it would be a managed policy which would be attached to multiple users. So we have to look into a better solution. And a better solution is to explicitly specify a version element. Here, if you look at the version element in IAM, let’s open up the documentation. You see that there are two versions which are available. One is 2012, and the second is 2008. Now, as we even discussed earlier, in the earlier policy as well, we had never explicitly defined a version element. Now, if you do not explicitly define a version element, it will go to 2008, all right? So it will go to this 2008 version.
And this specific version does not support policy variables. So in order for you to make use of policy variables, you will have to explicitly make use of the 2012 version element. So let’s copy this up and let’s go to edit policy. And this time we’ll specify a version element here. Now, along with that, let’s replace this with a policy variable. So we’ll undo the change that we had done, let’s click on Review and we’ll save the change. So now we have a policy variable and we have explicitly defined a version element to be 2012, where the policy variable is supported. So to quickly verify if things are working, let’s quickly refresh the page and, as expected, you are able to see the key. Let’s make it inactive to verify if things are working.
You see things are working; you can even go ahead and delete the keys. All right, so I hope you understood the solution associated with policy two. We learned a few things. First is that adding a policy without any error does not really mean that it works as intended. That was the first thing. The second thing was that if you do not add a version element, it will go to 2008. And 2008 does not support various things, including policy variables. And the third thing is how we can go ahead and explicitly define a version element in an existing policy. So that’s about it for today’s video. I hope this video has been informative for you and I look forward to seeing you in the next video.
- Troubleshooting Answers – Solution 03
Hey everyone and welcome back. Now, in today’s video we will look into the solution associated with policy three. Now, I would say that policy three is one of the trickiest policies among all of the five policies that we are discussing. So let’s do one thing. Let’s copy this policy up and first verify with the JSON validator if the JSON itself is correct. Now it says valid. Now, if you look into this policy, it is a very straightforward policy where you have an effect of allow, an action of cloudfront, and you are specifying a resource where the ARN is arn aws cloudfront colon star. So you have specified a star over here. Now let’s do one thing. Let’s copy this up and within the IAM console, let’s create a new inline policy and I’ll paste it here. Let me also maximize the screen. Now, if I do a review policy over here, it clearly states that the following resources are invalid. They must either be star or an ARN pattern of arn aws cloudfront star.
Now, we are already doing this or section over here. If you see, we are already doing this or section in here. However, it is still giving an error. Now, the reason why you are getting this error is because of the unsupported action associated with the resource element. Now, this is one important part to remember, although you might not really see such examples in exams. However, it is important for us to know this because you will encounter this issue specifically while you’re working with production environments. Now, if you open up the documentation here, associated with each action that you see over here, you also have resource types. Now, within here you see that there are no specific resource types which are configurable here. That basically means that you will have to make use of a star. So if I go ahead and make use of a star over here and do a review, it works perfectly well.
Now, whenever you are working with the policies, let’s take an example of an auto scaling policy here. So for the auto scaling policy you see that for the following actions, it also depends upon the action. Now, for the following six actions over here, the types of resource which are supported is blank. That means you will have to make use of an asterisk, which is the wildcard over here. If you do not make use of a wildcard, your policy will not really work. Now, one important part to remember over here is that whenever you deal with some kind of a policy which does not really work, you can always look if there is a corresponding managed policy which is available. So let’s do a cancel over here and let’s look into the policies and let’s see if AWS has provided any managed policy. And you see you have one policy which provides full access to CloudFront. This is very similar to the policy that we were discussing in terms of intent.
Now, if you look into this policy, it has various other things like S3 and all, but this is not of our interest right now. However, if you look into the below section over here, you have a cloudfront star, and also within the resource you have specified a star over here. All right? So for such cases, you should always verify within the documentation. I’ll share this link because this will prove to be quite important in the longer term. Again, for exams, you might not see, or I would say you will not see, such types of questions. But it is important for you to understand this specific mapping on where a resource ARN is supported and where an ARN is not supported, and only a wildcard like this is supported. So that’s the overview about the third policy. I hope this video has been informative for you and I look forward to seeing you in the next video.
- Troubleshooting Answers – Solution 04
Hey everyone and welcome back. Now, in today’s video we will look into the solution associated with policy four. Now, this is a very simple solution, so let’s do one thing. As we know from our methodology, we always verify the overall syntax of this JSON within the JSON validator. So let’s copy this up, let’s validate the JSON and you see it directly takes you to the line which has an error. Now, the solution to this is very simple. Now, if you look into the previous line of effect, so effect is a key over here. So for effect you have specified allow. So this becomes a value and after this specific value you have added a comma.
Now, similarly here for the action, which is the key, you have specified s3 star. However, you forgot to add a comma over here. Now, as soon as you add a comma and if you do a validate JSON, you see your policy works pretty well. So that’s the overview about the solution associated with policy four. Again, my main intention for policy four was to make sure that you make use of a JSON validator to first verify the JSON before putting things within IAM. So with this we’ll conclude this video. I hope this video has been informative for you and I look forward to seeing you in the next video.
- Troubleshooting Answers – Solution 05
Hey everyone and welcome back. Now, in today’s video we will look into the solution associated with policy five. So let’s do one thing. Let’s copy the entire policy and within the JSON validator, let’s go ahead and paste it. Now here you see it basically outright gave you an error at this specific line. Now, what is happening here is that there are two JSON policy objects which are defined over here. Now, if you see, your JSON policy starts here and it ends here. All right? So this is the JSON policy and again, you are starting a new one from here. So there are two JSON policy objects which are defined over here. So let’s do one thing. There are multiple things that we need to understand. I’ll copy this policy and within IAM, let’s go ahead and paste it over here.
Now, the first thing, as we already know, is that you have two JSON policy objects that you have defined over here. So for IAM, this multiple-object definition is not really supported. So let’s do one thing. Let’s go ahead and remove the second object over here. All right? Now, this is the first part. Now, the second part here is that IAM also does not support multiple statements. So what you can do is, within the statement here, you see you have a statement and you have the effect, action and resource which are defined over here. So you can add multiple such aspects. So you can put a comma and you can start your curly brace and you can copy the effect, action and resource, very similar to the first statement. Let’s indent it properly.
All right. And let’s remove the older statement that we have defined over here. Now, what we have done is we have a single statement. Now, within this statement you have an effect, action and resource. So this is the first block, and in the second block also you have the effect, action and resource which are defined over here. All right? And then you have the outer block which is associated with the start of the JSON object. So let’s go ahead. Now, let’s quickly do a review policy and you see it basically gave an error outright. Now, the reason why it has given an error is because within the statement we have multiple blocks which are defined. And we have already discussed that when you have multiple things, you should make use of a placeholder.
So the placeholder is basically an array. So you can start an array and after the second policy block, so the array starts, you have the first policy block, you have the second policy block, and the array ends and your JSON object ends. Now let’s do one thing, let’s do a review policy and you see it works perfectly well. Now, so two important learnings. First, always have one outer object within your JSON. Second is that you cannot have multiple statements within a single policy, and the third is always make use of an array whenever there are multiple things which are specified within your IAM policy. So that’s the high-level overview about the solution associated with policy five. So with this, we’ll conclude this video. I hope this video has been informative for you and I look forward to seeing you in the next video.
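The four troubleshooting lessons above (Solution 02: policy variables need an explicit 2012-10-17 Version; Solution 03: actions with no resource type need Resource "*"; Solution 04: validate the JSON before pasting it into IAM; Solution 05: one outer object, one Statement key, and an array for multiple statement blocks) can be turned into a pre-flight check you run before touching the IAM console. The script below is an added example, my own code and not the instructor's or AWS's; it uses only the Python standard library. Assumptions: the sample policies are constructed, 111122223333 is a placeholder account id, and the WILDCARD_ONLY_PREFIXES table is built only from the lecture's CloudFront example, so in practice it would be filled from the per-service "actions, resources, and condition keys" documentation the instructor points to.

```python
# Added example (not from the course): a small linter for IAM policy documents
# that reproduces the checks walked through in Solutions 02 to 05. The sample
# policies are constructed; 111122223333 is a placeholder account id.
import json
import re

POLICY_VARIABLE = re.compile(r"\$\{[A-Za-z0-9:/_-]+\}")   # e.g. ${aws:username}
VERSION_WITH_VARIABLES = "2012-10-17"
DEFAULT_VERSION = "2008-10-17"  # what IAM assumes when Version is omitted
# Constructed for illustration from the lecture's CloudFront example: service
# prefixes whose actions accept no resource ARN and therefore need Resource "*".
# The authoritative mapping is the per-service actions/resources documentation.
WILDCARD_ONLY_PREFIXES = {"cloudfront"}


def _reject_duplicate_keys(pairs):
    """object_pairs_hook that raises on a repeated key (e.g. two "Statement" keys),
    which plain json.loads would silently collapse to the last value."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def parse_policy(text):
    """Parse a policy document, rejecting bad JSON, duplicate keys and more than
    one top-level object (the Solution 04 and 05 failure modes)."""
    text = text.strip()
    decoder = json.JSONDecoder(object_pairs_hook=_reject_duplicate_keys)
    policy, end = decoder.raw_decode(text)      # raises JSONDecodeError (a ValueError)
    if text[end:].strip():
        raise ValueError("trailing data: more than one JSON object in the document")
    if not isinstance(policy, dict):
        raise ValueError("policy must be a single JSON object")
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(text):
    """Return a list of findings; an empty list means the document passed."""
    try:
        policy = parse_policy(text)
    except ValueError as exc:
        return [f"invalid JSON: {exc}"]
    findings = []
    version = policy.get("Version", DEFAULT_VERSION)
    if "Version" not in policy:
        findings.append(f"no Version element: IAM defaults to {DEFAULT_VERSION}")
    if "Statement" not in policy:
        return findings + ["no Statement element"]
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if not isinstance(stmt, dict):
            findings.append(f"statement {i}: not a JSON object")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Solution 02: ${...} policy variables are only honoured under 2012-10-17.
        if version != VERSION_WITH_VARIABLES:
            for res in resources:
                if POLICY_VARIABLE.search(str(res)):
                    findings.append(f"statement {i}: policy variable in {res!r} "
                                    f"requires Version {VERSION_WITH_VARIABLES}")
        # Solution 03: actions with no resource type must use Resource "*".
        for action in actions:
            prefix = str(action).split(":", 1)[0]
            if prefix in WILDCARD_ONLY_PREFIXES and resources != ["*"]:
                findings.append(f'statement {i}: {action} supports no resource ARN; '
                                f'use Resource "*"')
    return findings


# Constructed sample policies mirroring the five-policy exercise.
_ACCESS_KEY_ACTIONS = ["iam:CreateAccessKey", "iam:DeleteAccessKey",
                       "iam:ListAccessKeys", "iam:UpdateAccessKey"]
_KEY_STMT = {"Effect": "Allow", "Action": _ACCESS_KEY_ACTIONS,
             "Resource": "arn:aws:iam::111122223333:user/${aws:username}"}
POLICY_02_BROKEN = json.dumps({"Statement": [_KEY_STMT]})                        # no Version
POLICY_02_FIXED = json.dumps({"Version": "2012-10-17", "Statement": [_KEY_STMT]})
_CF_STMT = {"Effect": "Allow", "Action": "cloudfront:*", "Resource": "arn:aws:cloudfront::*"}
POLICY_03_BROKEN = json.dumps({"Version": "2012-10-17", "Statement": [_CF_STMT]})
POLICY_03_FIXED = json.dumps({"Version": "2012-10-17",
                              "Statement": [dict(_CF_STMT, Resource="*")]})
POLICY_04_BROKEN = ('{"Version": "2012-10-17", "Statement": '
                    '{"Effect": "Allow", "Action": "s3:*" "Resource": "*"}}')   # missing comma
POLICY_05_TWO_OBJECTS = (
    '{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}\n'
    '{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}}')
POLICY_05_TWO_STATEMENT_KEYS = (
    '{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}, '
    '"Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}}')
POLICY_05_FIXED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name in ["POLICY_02_BROKEN", "POLICY_02_FIXED", "POLICY_03_BROKEN", "POLICY_03_FIXED",
                 "POLICY_04_BROKEN", "POLICY_05_TWO_OBJECTS", "POLICY_05_TWO_STATEMENT_KEYS",
                 "POLICY_05_FIXED"]:
        print(name, lint_policy(globals()[name]) or "OK")
```

The duplicate-key hook is the part worth noting: a plain json.loads accepts a document with two "Statement" keys and quietly keeps the last one, so the JSON validator the instructor uses would say "valid" while the policy silently drops half of what you wrote; rejecting repeated keys at parse time surfaces the Solution 05 mistake before IAM does. The Version check only reports the omission as a finding rather than an error, matching the lecture's point that the 2008 default is accepted by IAM and only breaks once a policy variable depends on it.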