Domain 4 of 6 · Chapter 2 of 2

Authorization

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.

Included in this chapter:

  • The policy evaluation chain
  • Policy types and how they combine
  • ABAC versus RBAC strategies
  • Cross-account, on-premises, and application authZ
  • Analyzing and correcting authorization

How each policy type affects the authorization decision

Policy typeWho it applies toCombine ruleCan it grant?
Identity-based policyThe principal it is attached toUnion with resource-basedYes
Resource-based policyThe resource it is attached toUnion with identity-basedYes
Permission boundaryThe IAM user or role it capsIntersection with identity policyNo, caps only
Session policyA single assumed-role or federated sessionIntersection at session scopeNo, caps only
Service control policy (SCP)Principals in member accountsIntersection at Organizations layerNo, caps only
Resource control policy (RCP)Resources in member accountsIntersection at Organizations layerNo, caps only

Decision tree

Authorize access to what?app resource or AWS?Verified PermissionsCedar, IsAuthorizedCaller outside AWS?on-prem / other CAIAM Roles AnywhereX.509 + trust anchorCaller in another account?cross-accountRole trust + identityboth sides must allowScale by tags?resources grow oftenABACPrincipalTag = ResourceTagRBACpolicy per job functionAlways: least privilege;cap delegated admins with a permission boundaryApp resourceAWSYesNoYesNoYesNo

Cheat sheet

  • Every request is implicitly denied until a policy allows it
  • An explicit deny overrides every allow, anywhere in the request
  • Policy types evaluate in a fixed order: deny, RCP, SCP, resource, identity, boundary, session
  • Identity-based and resource-based policies form a union of grants
  • A permission boundary caps permissions, it never grants them
  • A session policy further caps a single assumed-role or federated session
  • SCPs cap principals and RCPs cap resources, but neither grants
  • Cross-account access requires an allow on both the trusted and trusting account
  • A role can only be assumed if its trust policy names the principal
  • ABAC authorizes on tags so permissions scale without new policies
  • RBAC fits stable job functions but needs policy edits as resources grow
  • Session tags carry corporate attributes into ABAC for federated users
  • Verified Permissions authorizes inside your app, IAM authorizes AWS
  • IAM Roles Anywhere gives external workloads temp credentials via X.509
  • Access Analyzer external-access findings reveal resources shared outside the org
  • Access Analyzer unused-access findings drive least-privilege cleanup
  • Custom policy checks block deployments that grant new or critical access
  • The IAM Policy Simulator tests effective access without making the real call
  • IAM paths namespace entities so policies can target groups of roles
  • Apply least privilege by starting minimal and capping with boundaries
  • A resource-based allow can grant access despite an implicit identity deny
  • sts:ExternalId in a role trust policy defeats the confused-deputy problem for third-party access
  • aws:PrincipalOrgID confines access to your organization even if an account ID is wrong
  • SCPs never restrict the management account or service-linked roles
  • Effective SCP permission is the intersection down the OU path, and any deny in the chain wins
  • Carve a break-glass role out of an SCP deny with a PrincipalARN StringNotLike condition
  • Block Public Access takes the most restrictive of org, account, and bucket settings
  • S3 'Bucket owner enforced' disables ACLs so the owner owns every object
  • Passing an IAM role to a service requires iam:PassRole on the caller
  • The iam:PermissionsBoundary condition forces a boundary onto every role developers create

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. IAM policy evaluation logic
  2. How AWS enforcement code logic evaluates requests to allow or deny access
  3. Permissions boundaries for IAM entities
  4. Define permissions based on attributes with ABAC authorization
  5. Cross-account policy evaluation logic
  6. What is AWS IAM Roles Anywhere?
  7. What is Amazon Verified Permissions?
  8. Using AWS IAM Access Analyzer
  9. Testing IAM policies with the IAM policy simulator