Amazon AWS Certified Security Specialty – Domain 4 – Identity & Access Management part 2
- IAM Policy Evaluation Logic
Hey everyone and welcome back to the Knowledge Portal video series. Today we will be speaking about the policy evaluation logic as far as AWS IAM is concerned. This is quite an important topic, specifically when you are debugging IAM policy related issues. So let's go ahead and understand how exactly policies are evaluated in IAM. This is a quite nice diagram; all credit goes to the AWS documentation. Let's go ahead and understand the decision-making process. The first step is that for any decision, like access to an S3 bucket or starting an EC2 instance, any decision within AWS, the assumption is that the request will be denied. So IAM works on a deny-by-default approach. The first step is: the decision starts at deny.
The second step is that after the decision starts at deny, all the policies attached to that user or IAM role are evaluated. Before we go into the third, fourth and fifth steps, let's understand the first two, because this is quite important. Let me go to the Alice user over here. There are three policies attached, and none of them relates to S3. So if I go to the S3 console as the Alice user, you see that access is denied. What really happens is that by default all access is denied; that is the first step. The second step is that whenever I open S3, the policies attached to the user are checked. Since there is no policy that explicitly allows S3, the request is denied.
So what we can do is attach the S3 read-only managed policy (AmazonS3ReadOnlyAccess). Let me just type S3. Okay, so now we have given S3 read-only permission. Remember: first step, default deny; second step, the policies attached to the entity, in our case the user, are checked. Now we have one policy. If you look at the JSON, the policy states s3:Get* and s3:List* for the S3 service, with Resource asterisk (*). And if you look at the Effect, it is Allow. So this is an explicit allow. Now if I refresh the console page, you see I am able to access the S3 console. This is how the policy evaluation logic works.
So: first step, deny by default. Second step, look at all the attached policies and check whether there is an Allow for that particular action and resource. The third step is that IAM looks for any explicit Deny in those policies. If a matching explicit deny is present, the entire request is denied. And if no explicit deny matches and an allow is present, the final decision is Allow. We will go through this again, because I'm sure it is not fully clear yet, and we'll understand it with a use case. We have an example scenario with four S3 buckets on the slide; here in the console we actually have five, so ideally it should say five. Now we want to give access to all the buckets in our S3 except one.
Perfect, quite an easy scenario. To do this, only two steps are required. First, allow access to all the S3 buckets. This will allow the user access to all the S3 buckets, all five of them. Second, deny access to bucket five. So we are allowing access to all the S3 buckets and then explicitly denying access to one specific bucket. Why not just allow the four buckets by name? Because if next week ten more buckets are added, the user should have access to all ten new buckets as well, without anyone touching the policy.
This is why we allow access to all S3 buckets by default. Let's look at how this would be designed. I'll delete the read-only policy. Perfect. Just for the demo, I'll add one policy which says S3 full access: AmazonS3FullAccess. That means the user will be able to do everything in S3. So we have done the first step, which says allow access to all buckets in S3. The second condition says we want access to all buckets except one, which would be the fifth. If you go to the S3 console, the bucket we will prevent from being accessible is the one named kplabs-prod-logs.
So we will prevent the user Alice from accessing this bucket, and other than this, Alice should be able to access any bucket. Now we create one more policy. I'll use the policy generator; I hope you are now aware of how policies and the policy generator work. Select AWS S3. The Effect will be Deny. For actions, I'll select all actions. Now comes the ARN. We have already discussed how an ARN is formed, so I'll copy the S3 ARN format, paste it here and replace the name with the bucket name, kplabs-prod-logs. Let me quickly verify it is the right one. Perfect. I'll click Add Statement, click Next, and name it deny s3 bucket.
So here the Effect is Deny, the Action is s3:*, and in the Resource we have given the ARN of the bucket. I'll click Validate Policy and then Apply. So I now have one policy that gives the user full access to S3 and a second policy that says do not allow access to one bucket. Which one of them wins? Let's find out. I'll refresh the S3 console, and if I try to open this bucket, you see it gives access denied. If I open the dev bucket, I am able to see the files in it. One caveat for real use: a Deny on the bucket ARN alone covers bucket-level actions such as s3:ListBucket, which is what the console needs to open the bucket; to also block object-level actions such as s3:GetObject on a known key, add the object ARN kplabs-prod-logs/* to the Resource as well. Now let me edit the policy we just created: in the Resource I'll put asterisk, validate, and click Save.
So now the first policy says allow full access to S3 and the second says deny all access to S3. Which one wins? Let me refresh the page, and now you see access is denied. This means the deny policy takes precedence over the allow policy. Always remember: if you have a Deny and an Allow matching the same action and resource, the Deny takes precedence, no matter which policy it sits in or in which order the policies were attached. This is exactly what the documentation states: IAM first checks whether any explicit deny matches, and if one does, the final decision is deny.
If there is no explicit deny and there is an allow, the final decision is allow. This is what those points in the diagram mean. I hope you now have a basic understanding of the decision-making process. Again, you have to understand the difference between an explicit deny and a deny by default (also called an implicit deny). A request is denied by default if no policy allows that action on that resource. So if there is no policy attached to a user and the user tries to open the S3 console, that is a deny by default. An explicit deny is the denial we wrote ourselves: you can see in the Effect we put Deny. That is called an explicit deny. The default deny is what happens when nothing matches: the first rule of the evaluation logic applies, the decision starts at deny and nothing changes it. And this is how the decision-making process works.
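The evaluation order above, reduced to a few lines of Python so you can trace it on the two policies attached to Alice. This is an added example for the lecture, not AWS code and not the real IAM evaluator: it handles default deny, explicit deny and allow with * and ? wildcards in Action and Resource, ignores Condition, NotAction/NotResource, resource-based policies, SCPs and permission boundaries, and the user and bucket names are constructed for the demo.

```python
"""Toy model of the IAM policy evaluation order for identity-based policies.

Added example, not AWS code: default deny, explicit deny and allow with
"*" / "?" wildcards in Action and Resource. No Condition keys, no
NotAction/NotResource, no resource-based policies, SCPs or boundaries.
"""
import fnmatch
import json

# Constructed sample policies, mirroring the two attached to Alice above.
S3_FULL_ACCESS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

# Deny on the bucket ARN *and* on its objects: the bucket ARN alone only
# covers bucket-level actions such as s3:ListBucket, not s3:GetObject.
DENY_PROD_LOGS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::kplabs-prod-logs",
        "arn:aws:s3:::kplabs-prod-logs/*"
      ]
    }
  ]
}
""")


def _as_list(value):
    """Statement, Action and Resource may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match: '*' any run of characters, '?' one."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return (decision, reason) for one request against attached policies.

    1. The decision starts at deny.
    2. Every statement of every attached policy is evaluated.
    3. A matching explicit Deny ends evaluation: final decision is Deny.
    4. Otherwise a matching Allow gives Allow; with no match at all the
       implicit (default) deny stands.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource not modelled here")
            # Action names match case-insensitively; ARNs are compared as-is.
            actions = [a.lower() for a in _as_list(stmt.get("Action"))]
            if not _matches(actions, action.lower()):
                continue
            if not _matches(_as_list(stmt.get("Resource")), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny", "explicit deny"
            if stmt.get("Effect") == "Allow":
                allowed = True  # keep scanning: a later Deny still wins
    if allowed:
        return "Allow", "explicit allow"
    return "Deny", "implicit deny"


if __name__ == "__main__":
    alice = [S3_FULL_ACCESS, DENY_PROD_LOGS]
    requests = [
        ("s3:ListBucket", "arn:aws:s3:::kplabs-dev"),
        ("s3:GetObject", "arn:aws:s3:::kplabs-prod-logs/app.log"),
        ("ec2:DescribeInstances", "*"),
    ]
    for act, res in requests:
        print(f"{act:<22} {res:<42} -> {evaluate(alice, act, res)}")
```

Swap the order of the two policies in the alice list and the results are unchanged: an explicit deny wins wherever it sits, and the ec2:DescribeInstances request is refused by the implicit deny because no statement mentions EC2 at all. The deny statement lists both the bucket ARN and bucket/*, since an s3:* deny on the bucket ARN alone stops s3:ListBucket (which is why opening the bucket in the console fails) but not s3:GetObject on an object whose key is already known.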
- Understanding IAM Policies
Hey everyone and welcome back to the Knowledge Portal video series. In the previous lectures we were building our base on identity and access management; we already discussed the principle of least privilege and AWS IAM. Today we will go into much more depth and study IAM policies. In very simple terms, an IAM policy lets us define, at a granular level, which permissions are granted on which AWS resources. A policy is attached to an IAM identity, meaning an IAM user, group or role, and there are also resource-based policies attached directly to resources of services like S3 or SQS, among many others.
It will become much clearer when we actually start writing our own policies. But as a start, just remember that there are four important elements you will generally find in an IAM policy. The first is the Statement element, the second is Effect, the third is Action and the fourth is Resource. Effect, Action and Resource are part of the Statement element, so Statement is the top-level one and the others sit under it. If you want to see how it looks, this is a very simple IAM policy: the Statement element is at the top level and Effect, Action and Resource are inside it.
It is quite simple to read. This policy is allowing something. Allowing what? Describe. On which service? EC2. On which resource? Asterisk, meaning everything. So in general you can interpret it as: this policy allows describe calls on EC2 in all regions. A very simple policy. Let's go ahead and understand each of these elements in detail. We said the Statement element is the main element of an IAM policy, so it is something you must define when you write one.
The Statement element can contain multiple individual statements, and each individual statement is enclosed in a block of curly braces, as you can see. So what this says is: the Statement element must be defined in an IAM policy, it contains one or more individual statements, and each statement is enclosed in curly braces. Let me copy this code and open our editor so it becomes much clearer what I mean.
I've copied the code from the presentation. The first thing about an IAM policy is that it starts with a curly brace and ends with a curly brace, because it is JSON, so you have to follow JSON syntax. This brace marks the start of the IAM policy and this one marks the end, and inside it is the snippet we see here. We already said the Statement element is a must in an IAM policy. This is the Statement element, and within it there can be individual statements.
This is one individual statement under the Statement element. You can even write it like this, which makes it clearer: within the Statement element, this is the individual statement. Perfect. So if I close it up, you find that it starts with a curly brace, ends with a curly brace, there is a Statement, and under Statement there are the individual statements. I hope this basic shape has become clearer. Let's look at this component in more detail. I have one example policy which contains multiple statements.
What has happened here? The Statement element is at the top level and within it there are multiple statements. Notice that each of these statements starts with a curly brace; we have already seen that each individual statement is enclosed in curly braces. Let's copy this snippet into the editor and close it up. You have a Statement element at the top level, this is one statement and this is the second statement. Very important: whenever you have multiple statements under the Statement element, you have to put them inside an array. This is the array, and an array is what lets us put multiple items in one value.
It looks something like this: the square brackets make it an array. For example, you could have s3:DeleteBucket and then s3:CreateBucket in an Action array. So whenever you list multiple things, whether multiple actions or multiple statements, they go inside the array brackets. One important thing to remember: since we are going to have multiple statements, I have created an array, and after the array is opened we write our first statement. After the first statement, notice there is a comma. The comma indicates that one more item is coming.
Since I am going to have a second statement, I put a comma here and then the second statement. Since nothing comes after the second statement, you do not put a comma; if you do, JSON validation will fail, because JSON does not allow a trailing comma. So that is the basics of Statement, and now we can move on to the second component of an IAM policy, Effect. The Effect element specifies whether the statement allows or denies. There are exactly two possible values, the strings Allow and Deny. When we put Allow, the next question is what needs to be allowed: whether a user should be able to terminate an EC2 instance, launch an EC2 instance, create S3 buckets, and so on.
What exactly is allowed or denied is the Action element. The Action element defines the list of actions the statement allows or denies. Each AWS service has its own set of actions. Some example actions: ec2:CreateKeyPair, ec2:CreateVpc, sqs:ListQueues, sqs:SendMessage, s3:CreateBucket, s3:DeleteBucket. Notice the pattern: the part before the colon is the service prefix and the part after it is the action within that service, so ec2:CreateKeyPair, ec2:CreateVpc, and so on.
The third element is Resource, which defines what exactly the statement covers. In this policy the Resource is an asterisk. (I guess someone has started to cook; it is already 6:45 in the morning, so they wake up quite early. Anyway.) The Resource element defines the object the statement covers. You can put an asterisk, which covers every resource in the AWS account, or you can name an individual resource. An individual resource is identified by its Amazon Resource Name (ARN), which uniquely identifies an AWS resource. The format of an ARN looks something like this: it starts with arn:aws, then comes the service, which is ec2 here, then comes the region.
The region is us-west-2, then the account ID, then the resource type, instance, and then the instance ID, so the shape is arn:aws:ec2:us-west-2:account-id:instance/instance-id. So when I write my policy I should ideally refer to the resource by its ARN. If you are lazy you can put an asterisk, but that grants the action on every resource in the account and goes against least privilege, so prefer ARNs wherever the action supports resource-level permissions. Let's go ahead and implement this in a practical scenario so it becomes clearer; enough theory. I have the user Alice, and we had created EC2 read-only access here. Let me open it up and see what it contains. You'll see it starts with Version (we will cover what Version means in a later chapter), then Statement, and there are multiple statements.
This is the first statement, this is the second statement, and the comma indicates multiple statements. Perfect. Now let's implement our first IAM policy. I'll detach this one and click on inline policy, select custom policy, paste the policy we wrote and name it ec2-read-only. There is a nice tool called Validate Policy which validates the IAM policy you have written. Let's quickly verify: the policy starts with a curly brace and ends with a curly brace, the Statement element is present, which is a must, and under it there is one statement which allows what? Allows ec2:Describe on Resource asterisk.
This means the user will be able to describe EC2 instances in all regions. I'll click Validate Policy and Apply Policy. Perfect, it is applied to Alice. Now let me go to the EC2 dashboard. It says you are not authorized; let's refresh. Now if I go to Instances, I am able to see the instances. The EC2 dashboard contains a lot of other things, like load balancers; let's wait, something is slow, perfect. So the EC2 console covers a lot of other services like load balancers and Auto Scaling groups. However, our policy only allows one specific thing, the EC2 describe actions. Load balancers are a separate service prefix (elasticloadbalancing) and so is Auto Scaling (autoscaling), so we have not allowed those.
So you will find a lot of permission denied errors on those pages, but for the basic EC2 instances view you will be able to see the instances with the policy we created.
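As an added example (not the console's Validate Policy tool), here is a small Python checker for the structure this lecture walks through: valid JSON with no trailing comma, a Statement element that is a single object or a non-empty array of objects, Effect exactly Allow or Deny, Action in service:Action form and Resource an ARN or *. It also flags two things that hold for identity-based policies but were not mentioned above: a Principal element is not allowed, and a missing Version makes AWS fall back to the 2008-10-17 policy grammar. The three sample documents are constructed.

```python
"""Structural checks for an identity-based IAM policy document.

Added example for this lecture, not AWS's own validator. Checks JSON
syntax, Statement shape, Effect values, Action and Resource form, and
the absence of Principal / presence of Version.
"""
import json
import re

# service prefix ":" action name, with "*" / "?" wildcards allowed in the name
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*?]+)$")
# arn:partition:service:region:account:resource (region/account may be empty)
RESOURCE_RE = re.compile(r"^(\*|arn:[^:]*:[^:]*:[^:]*:[^:]*:.+)$")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(text):
    """Return a list of problems found; an empty list means the shape is OK."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]

    problems = []
    if "Version" not in doc:
        problems.append("missing Version (without it AWS uses the old 2008-10-17 grammar)")
    if "Statement" not in doc:
        return problems + ["missing required Statement element"]
    stmts = doc["Statement"]
    if isinstance(stmts, dict):
        stmts = [stmts]  # a single statement may be written without an array
    if not isinstance(stmts, list) or not stmts:
        return problems + ["Statement must be an object or a non-empty array"]

    for i, stmt in enumerate(stmts):
        where = f"Statement[{i}]"
        if not isinstance(stmt, dict):
            problems.append(f"{where}: each statement must be an object in curly braces")
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be exactly Allow or Deny, got {stmt.get('Effect')!r}")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"{where}: Principal is not allowed in an identity-based policy")
        if "Action" not in stmt and "NotAction" not in stmt:
            problems.append(f"{where}: needs an Action (or NotAction) element")
        for act in _as_list(stmt.get("Action")):
            if not isinstance(act, str) or not ACTION_RE.match(act):
                problems.append(f"{where}: action {act!r} is not of the form service:Action")
        if "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"{where}: needs a Resource (or NotResource) element")
        for res in _as_list(stmt.get("Resource")):
            if not isinstance(res, str) or not RESOURCE_RE.match(res):
                problems.append(f"{where}: resource {res!r} is neither an ARN nor '*'")
    return problems


# Constructed samples: the lecture's EC2 read-only policy and two broken ones.
EC2_READ_ONLY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]
}"""

TRAILING_COMMA = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},]
}"""

WRONG_VALUES = """{
  "Version": "2012-10-17",
  "Statement": {"Effect": "allowed", "Action": "DescribeInstances", "Resource": "*"}
}"""

if __name__ == "__main__":
    for name, text in [("ec2-read-only", EC2_READ_ONLY),
                       ("trailing-comma", TRAILING_COMMA),
                       ("wrong-values", WRONG_VALUES)]:
        print(name, "->", check_policy(text) or "OK")
```

The trailing comma never reaches the structural checks because json.loads rejects it first, which is the same failure the console's validator shows; the third sample passes JSON parsing but is caught on the lowercase Effect value and on an action with no service prefix. These are shape checks only: a policy can be perfectly well-formed and still grant far more than intended, which is what the Resource asterisk discussion above is about.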