I've got a theoretic question regarding AWS IAM policies.
What happens when two polices contradict each other?
One ALLOW using a resource, and another DENY the resource?
Thanks,
Omer
Based on the policy evaluation logic by AWS, this is called an explicit deny. If the enforcement code finds even one explicit deny that applies, the code returns a final decision of Deny.
Related
I would like to create a Service Control Policies (SCP) policy at the Organization Level that can block 3 things:
Don't allow creating a database Publicly Accessible
Don't allow creating a database without the option of encryption marked
Don't allow creating a database without the option of backup marked
Anyone know if is it possible?
I don't think that Service Control Policies can act at this level.
They basically say which API calls are permitted (eg CreateDbInstance, RebootDbInstance) and don't get down to the level of parameters.
In fact, I don't think it would be possible to create normal IAM policies that have that level of detail, let alone SCPs.
Such rules would likely need to be monitored by Evaluating Resources with AWS Config Rules - AWS Config rather than controlling permissions.
I have an IAM role with AdministratorAccess, but when I upload a custom template to AWS CloudFormation, I get the following error:
Operation failed, ComputeEnvironment went INVALID with error:
CLIENT_ERROR - You are not authorized to call EC2 Describe operations.
It is required to perform CreateLaunchConfiguration operation.
All the other resources seem to complete successfully, so I'm not sure if there is some sort of role delegation taking place?
It is possible that you are affected by Service Control Policies (SCPs) or by Permission Boundaries or even other policy types.
Identity-based policies
Resource-based policies
Permissions boundaries
Organization SCPs
Access control lists
Session policies
Regarding SCPs:
An SCP restricts permissions for IAM users and roles in member
accounts, including the member account's root user. Any account has
only those permissions permitted by every parent above it. If a
permission is blocked at any level above the account, either
implicitly (by not being included in an Allow policy statement) or
explicitly (by being included in a Deny policy statement), a user or
role in the affected account can't use that permission, even if the
account administrator attaches the AdministratorAccess IAM policy with
/ permissions to the user.
Also see How to use service control policies to set permission guardrails across accounts in your AWS Organization
As this article states,
The member accounts of an AWS Organization are unable to see the SCPs
that have been applied to them. Further, when actions are denied,
there is no way to know whether that is due to an IAM policy, an SCP,
or something else (ex. session policy, IAM boundary, resource policy).
This means there will be no indication in the error message from an
API call or in the CloudTrail log to show what denied the call. This
can make debugging issues difficult.
This article has some useful diagrams that show the different things that could be affecting/limiting the access.
I've been working on this problem for four days and finally came up with a solution that I think resolves it.
There are two kinds of CDK bootstrap: legacy and modern. Legacy is the default.
There appears to be a bug in the legacy bootstrap that affects some accounts and not others. I was able to verify that the same code worked for me on one account but produced the exact symptoms of this problem on a newly created account.
If you are not stuck with legacy bootstrap for some reason, just convert over to modern bootstrap. That should make the error (and the reason for the error) go away.
The instructions are here: https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html
Basically, you have to set an environment variable before you call cdk bootstrap, and then you have to change either some code or some configuration in your project.
It is not intuitive that this feature exists in the CDK at all, nor that it would be the fix for this particular problem. However, it cleared it up for me. Maybe it will do the same for others.
I am reading about GCP's IAM policy over here. Now consider this Resource hierarchy.
Let's say I want to give start instance permission (compute.instances.start) of "instance_a" to abc#gcp.com and start instance permission of "instance_b" to xyz#gcp.com. Clearly I cannot create a IAM policy (based on the IAM policy object example mentioned in the article) at "example-test" folder because it will not give me the granularity I am looking for.
Is it possible to achieve this level of granularity in GCP?
The permissions are inherited from the top layer (Organisation) to the lower layer (the resource, in your example the VM). So, if you grant a permission at the project level (Example-test), the permission are inherited in all the resources belonging to the project (instance_A and instance_B).
Thereby, you can't (easily) achieve what your want.
But in fact, you have the possibility to add conditions on the IAM role. You can add condition on the resource name or the resource tag for example to allow or disallow the access for a user or another one.
But use the condition wisely, it could become a nightmare to debug the IAM permission issues if you mix several level (in the hierarchy) of permission definition and different conditions. Try to keep the things homogenous and as simple as possible.
I'm currently working on IAM and Access and i'm switching from Roles to Permission Set (to use AWS SSO). I have many custom managed policies, that I can't use with Permission Sets now, so I'm using AWS managed policies such as: PowerUserAccess, ViewOnlyAccess etc.
Some of them are pretty close to what i need but have a bit too many actions. Let's take the PowerUserAccess example.
PowerUserAccess gives all GuardDuty action. I want to block all write actions.
The perfect AWS managed policy for that is: GuardDutyReadOnlyAccess.
Is there an easy way to do that "substraction"?
PowerUserAccess - "Not"GuardDutyReadOnly?
such as:
ManagedPolicies:
- arn:....:PowerUserAccess
- arn:....:PowerUserAccess - 'not' arn:....:GuarddutyReadOnlyAccess
Or do i have to do an inline policy and reverting the GuarddutyPolicy? I would like to avoid Inline policies if possible.
Thanks!
It doesn't have to be inline, but you will have to created another policy. In your case you probably want to create a customer managed policy that denies the guard duty access, and attach that to the users (or even better, to the groups).
Be aware, there is a subtle side effect of doing a deny. If a deny exist it always wins, so if you decide you want to single out a user and grant him/her access to guard duty you'd have to be sure that the deny policy is NOT attached to that user. You can't just give them another policy that includes access.
I am using wso2 identity server 4.5.0 and i' m wondering whether there is the option to give priority to the enforcement of a policy instead of another. For instance, the action A to resource X must be prior to the action B to resource X.
Thanks in advance!
Maria
I guess, you are asking about policy ordering... There can be multiple policies in the PDP policy store. For each XACML request, PDP would pick the applicable policy (or policies) based on policy’s Target element. When more than one policy is applicable for the request. Then PDP needs to combine the results of all applicable policies based on the policy combining algorithm. Applicable polices are evaluated based on the order that they have defined. Order of polices can be configured using Identity Server management console.. I guess you can find on this using this blog post...