IAM Policies

Video Activity

Time: 19 hours 21 minutes
Difficulty: Intermediate
Video Transcription
>> Hey everybody. In this lesson, we're going to be talking about identity and access management policies. The learning objectives are going to be to introduce what policies are, discuss how they work, and also a little bit about how they're structured.

IAM policies. IAM policies are basically the rules that are going to be pre-configured for the users or the groups that they apply to. They basically determine what the user is and is not allowed to do. I know this ties in to the conversation we're having about permissions. Permissions are what fall within the policy. The policy is the thing that we apply and the permissions are the rules: what's allowed, or what are you permitted to do, basically?

Where do your policies apply? Well, they can apply to groups of users, and they can apply to individuals. It makes it easy if you apply it to groups because, like I said before, you can manage lots of people. You can scale easily because you already have it applied to a group. All you have to do next time you create a user is just assign the user to that group which already has the policy applied to it. They're a very easy way to scale your organization as you are using IAM to manage all the users. Very cool stuff. Policies can also be applied inline to individual users as well.

Users can be assigned policies from more than one group. What do I mean by that? Let's say a user could technically be assigned to more than one group, maybe because they hold different responsibilities, so they could tie to multiple groups. Well, if they are tied to different groups, so if they are assigned to different groups, that means that their user profile can also be assigned different policies or different permissions. Say one person or another person may not have access to something because they are only assigned to one group, and so they only have the permissions from group A, not group A and group B. Just something to keep in mind. There's quite a bit of flexibility in how you do that, which is very nice.

This is actually the policy structure. This looks very similar to what we were looking at before, but I have a couple of things added here that I wanted to touch on. Statement structure. Remember, we're talking about the permission statements. It's basically like this, it's like the action and the resource, and they actually tell you right here, here's your statement. They tell you, what's your SID, what's your effect, what's your principal? Here we go into detail. Your SID is your identifier for the statement. The effect is the allow or deny. The principal is, who does the policy impact? In this case, I want to quickly highlight: we have the ARN, AWS IAM, and then we have root. The principal is determined by that little clause right there. Then you have your action, which it says here, get and put, so you can retrieve and read and you can also put, you can also add to the S3 bucket. Then you have the resources on which you can do that. You have my bucket, which is the bucket title, and then everything within that bucket, so all the objects within that bucket.

That asterisk, it's very important to remember. That asterisk means all. If you ever see that, it means that it's applying to all the things that would fall under this path. Or you can add to all the things. You may not see this whole thing, it could just be like S3 asterisk. That means everything within S3 that you can access. Just keep that in mind.

These are things that you have to know before you go into the exam because you're going to see questions that are going to require that you know it, and they're not going to have a legend that details this, so it's not difficult to remember. But reading the documentation is going to help you understand and commit this to memory. Another thing that helped me was creating flashcards. If you have a flashcard that's like, what does an asterisk mean? What is the proper structure of a principal here, like this layout? So understanding that, again, read the documentation, look this up, look up the IAM policy structure for AWS, and it's not a lot of information, but taking the time is definitely going to score you a few extra points on your exam when you test.

That wraps up this lesson. In this lesson, we talked about what an IAM policy is, and we briefly discussed the IAM policy structure. Remember to review the documentation; it's going to be helpful when you're taking your test.
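The policy structure the lesson walks through (Sid, Effect, Principal, Action, Resource, the `*` wildcard) and the point about a user in two groups receiving the permissions of both can be made concrete with a small evaluator. The following is an added example written for this page, not code from the lesson or from AWS; it is a simplified model of IAM evaluation (explicit Deny beats Allow, no match means implicit deny, `*` matches anything) and deliberately ignores conditions, NotAction/NotResource, permission boundaries and cross-account rules. The policy documents, the bucket name `my-bucket`, the account ID `123456789012` and the group names are constructed sample data.

```python
"""Simplified IAM policy evaluator (added example, not AWS's engine).

Models the parts of the policy structure covered in the lesson: statements with
Sid / Effect / Principal / Action / Resource, '*' wildcards, explicit Deny
overriding Allow, and the union of policies a user inherits from several groups.
"""
import fnmatch
import json

# Constructed sample bucket policy, shaped like the one shown in the lesson.
# The account ID and bucket name are placeholders, not real resources.
ROOT_PRINCIPAL = "arn:aws:iam::123456789012:root"
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetPut",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    },
    {
      "Sid": "DenyDelete",
      "Effect": "Deny",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
""")

# Constructed identity-based (group) policies: no Principal element, because an
# identity policy applies to whichever user or group it is attached to.
GROUP_POLICIES = {
    "GroupA": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadMyBucket", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]},
    "GroupB": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllS3", "Effect": "Allow",
         "Action": "s3:*", "Resource": "*"}]},
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """'*' matches any run of characters and '?' one character, as in IAM.
    fnmatchcase is case-sensitive; callers lowercase actions, since IAM compares
    action names case-insensitively but resource ARNs case-sensitively."""
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(stmt, principal):
    if "Principal" not in stmt:
        return True            # identity-based policy: applies to the attached identity
    spec = stmt["Principal"]
    if spec == "*":
        return True            # anonymous / everyone
    allowed = _as_list(spec.get("AWS", []))
    return any(p == "*" or p == principal for p in allowed)


def evaluate(policies, principal, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Every statement in every applicable policy is examined; a matching explicit
    Deny wins immediately, a matching Allow is remembered, and no match at all
    is the implicit deny that IAM applies by default.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _principal_matches(stmt, principal):
                continue
            if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides any Allow anywhere
            decision = "Allow"
    return decision


def policies_for_groups(groups):
    """A user in several groups gets the union of those groups' policies."""
    return [GROUP_POLICIES[g] for g in groups]


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.csv"
    print("root GetObject   :", evaluate([SAMPLE_POLICY], ROOT_PRINCIPAL, "s3:GetObject", obj))
    print("root DeleteObject:", evaluate([SAMPLE_POLICY], ROOT_PRINCIPAL, "s3:DeleteObject", obj))
    print("GroupA only, Put :", evaluate(policies_for_groups(["GroupA"]), "alice", "s3:PutObject", obj))
    print("GroupA+B,    Put :", evaluate(policies_for_groups(["GroupA", "GroupB"]), "alice", "s3:PutObject", obj))
```

Running the script shows the three outcomes an exam question will hinge on: the root principal can get and put objects in `my-bucket` but is explicitly denied deletes, a different account's principal gets an implicit deny because the Principal element does not name it, and a user in both GroupA and GroupB can put objects only because GroupB's `s3:*` on `*` is added to GroupA's read-only statement. Note that `s3:*` with a `*` resource is exactly the broad grant the lesson warns you to recognise on sight.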