One of the key areas to understand for the AWS Certified Developer – Associate (DVA-C02) exam is the security management of AWS services. This involves a deep dive into AWS Identity and Access Management (IAM) and the three kinds of access policy this guide distinguishes: resource-based policies, service policies, and principal policies. (In AWS's own terminology the last two are both identity-based policies, managed and inline respectively; resource-based policies are the distinct category.)
1. Resource-Based Policies
Resource-based policies are attached directly to a resource. Each statement names the principal (a user, role, account, or AWS service) that may act on that resource, the actions it may perform, and any conditions; a resource-based policy must contain a Principal element, which an identity-based policy must not. Examples of AWS services that support resource-based policies include Amazon S3 buckets, Amazon SNS topics, Amazon SQS queues, and AWS KMS keys; an IAM role's trust policy is also a resource-based policy, attached to the role.
Example of a Resource-based policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    }
  ]
}
```
The policy above lets principals in another AWS account download objects from the bucket: AccountB is a placeholder for that account's 12-digit ID, and naming the account root ARN as the Principal delegates to the whole account rather than to its root user only. Because this is a cross-account grant, a user or role in AccountB still needs an identity-based policy in its own account that allows s3:GetObject on the bucket; the bucket policy alone is not sufficient.
2. Service Policies
Service policies, called managed policies in the AWS documentation, are standalone identity-based policies that you can attach to multiple entities (users, groups, and roles) in your AWS account. A single managed policy can therefore grant the permissions for a specific task once and be reused wherever that task is needed.
An AWS managed policy is a managed policy that AWS creates and maintains for common job functions or service access; examples include AmazonDynamoDBFullAccess and AmazonS3ReadOnlyAccess. A customer managed policy is one you write yourself in your account.
Example of a Service Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}
```
This service policy grants the attached principal every S3 action whose name begins with Get or List, on every resource (Resource "*"): not only objects, but also bucket policies, ACLs and other bucket configuration, in every bucket the principal can reach. For production use, scope Resource to the specific bucket and object ARNs and list only the actions actually needed.
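As an added example (not part of the original page), a small Python linter that classifies a policy as identity-based or resource-based by the presence of a Principal element and flags the over-broad patterns discussed above: Action "*" or a whole-service "service:*", Allow with NotAction/NotResource, Resource "*" without a Condition, a public Principal, and a service trust policy with no aws:SourceAccount/aws:SourceArn condition. The sample policies are constructed for this example; the scoped rewrite of the page's service policy, the Lambda trust policy and the account ID are assumptions.

```python
"""Static checks for over-broad IAM policy statements (added illustration).

A policy whose statements name a Principal is resource-based; one without is
identity-based (IAM rejects a Principal in an identity-based policy and
requires one in a resource-based policy). Checks cover the patterns a
reviewer looks for first; Condition contents are not interpreted.
"""


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_kind(policy):
    """'resource-based' if any statement names a Principal, else 'identity-based'."""
    named = any("Principal" in s or "NotPrincipal" in s for s in policy["Statement"])
    return "resource-based" if named else "identity-based"


def _is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_statement(stmt, index):
    """(severity, message) findings for one statement. Deny statements restrict
    rather than grant, so they produce none."""
    if stmt.get("Effect") != "Allow":
        return []
    sid = stmt.get("Sid", f"Statement[{index}]")
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    condition = stmt.get("Condition", {})
    principal = stmt.get("Principal")
    findings = []
    if "*" in actions:
        findings.append(("HIGH", f"{sid}: Action '*' grants every API call"))
    findings += [("MEDIUM", f"{sid}: Action '{a}' grants a whole service")
                 for a in actions if a != "*" and a.endswith(":*")]
    if "NotAction" in stmt or "NotResource" in stmt:
        findings.append(("HIGH", f"{sid}: Allow with NotAction/NotResource grants everything not listed"))
    if "*" in resources and not condition:
        findings.append(("MEDIUM", f"{sid}: Resource '*' with no Condition"))
    if _is_public(principal) and not condition:
        findings.append(("HIGH", f"{sid}: Principal '*' makes the resource public"))
    # Trust policy for an AWS service principal: without aws:SourceAccount/aws:SourceArn
    # (where the service supports them) any caller able to drive that service
    # could have it assume the role (cross-service confused deputy).
    if (isinstance(principal, dict) and principal.get("Service")
            and any(a.lower() == "sts:assumerole" for a in actions)):
        keys = {k.lower() for block in condition.values() for k in block}
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append(("MEDIUM", f"{sid}: service trust lacks aws:SourceAccount/aws:SourceArn"))
    return findings


def lint_policy(policy):
    """Findings for every statement, in statement order."""
    return [f for i, s in enumerate(policy["Statement"]) for f in lint_statement(s, i)]


# Constructed samples: the page's service policy, a scoped rewrite of it,
# a public bucket policy, and an assumed Lambda trust policy before/after hardening.
SERVICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"]}]}
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Public", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/*"}]}
LAMBDA_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LambdaTrust", "Effect": "Allow",
     "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
HARDENED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LambdaTrust", "Effect": "Allow",
     "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}}}]}

if __name__ == "__main__":
    for name in ("SERVICE_POLICY", "SCOPED_POLICY", "PUBLIC_BUCKET_POLICY",
                 "LAMBDA_TRUST_POLICY", "HARDENED_TRUST_POLICY"):
        policy = globals()[name]
        print(name, policy_kind(policy), lint_policy(policy) or "clean")
```

Run against the page's service policy the only finding is the unconditioned Resource "*"; the scoped rewrite is clean. The checks are syntactic, so a Condition that exists but is ineffective still silences the Resource and Principal findings; treat the output as a review aid, not a proof of least privilege.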
3. Principal Policies
Principal policies (called identity-based policies in the AWS documentation; when embedded directly in a single user, group, or role they are inline policies) are attached to an IAM user, group, or role. They control which actions that identity can perform, on which resources, and under what conditions. When a principal makes a request, these policies are evaluated together with any resource-based policy on the target and any SCPs or permissions boundaries in force; an explicit Deny in any of them wins, and with no Allow the request is implicitly denied.
Policy Types Breakdown
Here’s a breakdown of the difference between these three types of policies:
| | Resource-based Policies | Service Policies | Principal Policies |
|---|---|---|---|
| Where it’s attached | To the resource (e.g., S3 bucket, SNS topic, KMS key) | Standalone managed policy; can be attached to multiple users, groups, and roles | Directly to an IAM user, group, or role |
| Controls | Who may access the specific resource it’s attached to, and which actions they may perform | Permissions to perform specific tasks, reused across IAM entities | The actions and resources an IAM entity can access |
| Example | Allows principals in another AWS account to download objects from an S3 bucket | Grants the attached principal all S3 ‘Get’ and ‘List’ actions on any resource | Controls whether a particular IAM user can create a new S3 bucket |
Summary
In summary, a deep understanding of resource-based, service, and principal policies is essential for the AWS Certified Developer – Associate exam. Each policy type has a specific role to play in AWS’ flexible and granular access management framework.
Practice Test
True or False? Resource-based policies in AWS are account-level policies that are attached to resources.
Answer: False.
Explanation: Resource-based policies are not account-level policies. They are policy statements that you attach to a resource such as a bucket in Amazon S
In IAM, which type of policy is used to specify what actions are allowed or denied by an entity?
- a) Service policy
- b) Principal policy
- c) None of the above
Answer: b) Principal policy
Explanation: In IAM, principal (identity-based) policies attached to a user, group, or role specify what actions that entity is allowed or denied.
True or False? Resource-based policies can either allow or deny access to your AWS resources.
Answer: True.
Explanation: Resource-based policies can both allow and deny permissions. They determine who can access the resource and what actions they can perform on it.
Can a user policy be attached to multiple AWS accounts?
- a) Yes
- b) No
Answer: b) No
Explanation: A user policy is attached to a user in a specific account and does not span multiple accounts.
What type of policy would you use to specify permissions that can be applied across all users and roles within an account?
- a) SCP
- b) User policy
- c) Group policy
- d) None of the above
Answer: a) SCP
Explanation: AWS Organizations uses service control policies (SCPs) to centrally control the maximum permissions available to every IAM user and role in the member accounts they are attached to. An SCP never grants permissions by itself; principals still need an identity-based or resource-based Allow, and SCPs do not apply to the organization's management account.
An Amazon EC2 instance assuming a role to obtain temporary security credentials is an example of:
- a) Service policy
- b) Resource-based policy
- c) Principal policy
- d) None of the above
Answer: c) Principal policy
Explanation: In this guide's classification this is an example of a principal policy: the permissions policy attached to the role determines what the instance can do with the temporary credentials it receives. Note that the other half of the mechanism, the role's trust policy that lets the EC2 service principal (ec2.amazonaws.com) assume the role, is a resource-based policy attached to the role.
True or False? Service policies are global and apply across all regions.
Answer: True.
Explanation: IAM is a global service, so identity-based policies (including managed policies) apply in every region unless a statement restricts them with a Condition such as aws:RequestedRegion.
Service control policies (SCPs) are a type of ——-
- a) Resource-based policies
- b) Principal policies
- c) Service policies
- d) None of the above
Answer: c) Service policies
Explanation: This guide groups SCPs with service policies because both are standalone policies applied above the level of an individual identity. In AWS's own terminology, however, SCPs are an AWS Organizations policy type, not IAM managed policies: they set the maximum permissions for the accounts they are attached to and never grant access on their own.
True or False? By default, an IAM user has no permissions unless you explicitly grant them.
Answer: True.
Explanation: IAM starts from an implicit deny: a new user can do nothing until an identity-based policy (or a resource-based policy naming that user) explicitly allows it.
Which policy type can be used to delegate permissions to AWS services to carry out actions on your behalf?
- a) Resource-based policies
- b) Service policies
- c) Principal policies
- d) None of the above
Answer: b) Service policies
Explanation: In this guide's classification, service policies delegate permissions to AWS services to act on your behalf. Concretely the delegation is done with an IAM role: its trust policy (a resource-based policy on the role) allows the service principal, for example lambda.amazonaws.com, to assume the role, and the permissions policy attached to the role defines what the service may then do.
Interview Questions
What is a Resource-based policy in AWS?
A Resource-based policy is a policy attached to a resource in AWS. For example, S3 bucket policy, KMS key policy, etc. They include information about who can access that resource and what actions they can perform.
How are principal policies different from resource-based policies?
Principal policies are attached to users, groups, or roles and define what actions those identities can carry out. Resource-based policies, on the other hand, are attached to resources and define who or what can access that resource and which actions they can perform; only resource-based policies contain a Principal element.
What are services control policies (SCPs) in AWS?
Service Control Policies (SCPs) are a type of policy that can be used to manage permissions in AWS Organizations. SCPs offer central control over the maximum permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines.
What is the purpose of AWS Identity and Access Management (IAM) in the context of resource-based policies, service policies, and principal policies?
IAM is the web service through which you control who is authenticated and what they are authorized to do with AWS resources. All three policy types are IAM JSON policy documents that IAM evaluates together on every request: identity-based (principal and managed) policies say what an identity may do, and resource-based policies say who may act on a resource.
Can a resource-based policy and identity-based policy be attached to an AWS resource or service at the same time?
Yes. An identity-based policy is attached to the user, group, or role making the request and a resource-based policy is attached to the resource being accessed, and both are evaluated for the same request. Within one account an Allow in either is sufficient; across accounts both must allow. An explicit Deny in either always wins.
What is the result of the combination of permissions rules (principal policy, resource-based policy, etc) when a principal makes a request in AWS?
At the end of the policy evaluation process for a request, if any applicable policy (identity-based, resource-based, SCP, permissions boundary, or session policy) contains an explicit Deny, the request is denied. If there is no explicit Deny, the service checks for an explicit Allow, which must also fall within every boundary that applies (SCPs and permissions boundaries must allow it too). Cross-account requests need an Allow in both the caller's identity-based policy and the resource-based policy. If no Allow is found, the request is denied by the default implicit deny.
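As an added example (not the page's own material), the evaluation order just described, together with the cross-account rule from the resource-based policy section and the SCP ceiling, as a simplified simulator in Python. It models only Effect, Action, Resource and Principal (no Condition, NotAction/NotResource, permissions boundaries or session policies, and no management-account exemption) and assumes placeholder account IDs 111111111111 and 222222222222, a role named Reader and a user named alice.

```python
"""Simplified IAM policy evaluation for one request (added illustration).

Order: any explicit Deny wins; an SCP, if attached, must allow but never
grants; a same-account request then needs an Allow in either the
identity-based or the resource-based policy, a cross-account request needs
an Allow on both sides; anything else is an implicit deny.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    # Action names match case-insensitively; '*' wildcards are allowed.
    return any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))


def _resource_matches(stmt, resource):
    return any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))


def _principal_matches(stmt, principal_arn, principal_account):
    """An account-root ARN or bare account ID in Principal delegates to every
    principal in that account (each still needs its own identity-based Allow)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account_forms = {principal_account, f"arn:aws:iam::{principal_account}:root"}
    return any(e in ("*", principal_arn) or e in account_forms
               for e in _as_list(principal.get("AWS")))


def _effects(policy, action, resource, principal=None):
    """Effects of the statements in `policy` that match the request."""
    effects = set()
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action) or not _resource_matches(stmt, resource):
            continue
        if principal is not None and not _principal_matches(stmt, *principal):
            continue
        effects.add(stmt["Effect"])
    return effects


def evaluate(request, identity_policies=(), resource_policy=None, scps=()):
    """Return "Allow" or "Deny"; `scps` are those attached to the caller's account."""
    action, resource = request["action"], request["resource"]
    who = (request["principal_arn"], request["principal_account"])
    identity = set().union(*(_effects(p, action, resource) for p in identity_policies))
    resource_based = _effects(resource_policy, action, resource, who) if resource_policy else set()
    scp = set().union(*(_effects(p, action, resource) for p in scps))
    if "Deny" in identity | resource_based | scp:      # 1. explicit deny wins
        return "Deny"
    if scps and "Allow" not in scp:                    # 2. SCP is a ceiling, never a grant
        return "Deny"
    if request["principal_account"] == request["resource_account"]:
        return "Allow" if "Allow" in identity | resource_based else "Deny"   # 3. same account
    return "Allow" if "Allow" in identity and "Allow" in resource_based else "Deny"  # 4. cross-account


# Constructed sample: the page's bucket policy with assumed placeholder account IDs.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [      # resource-based, in Account A
    {"Sid": "GrantAccess", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/*"}]}
READER_POLICY = {"Version": "2012-10-17", "Statement": [      # identity-based, on a role in Account B
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
DENY_S3_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}


def make_request(principal_arn, principal_account, action="s3:GetObject"):
    return {"principal_arn": principal_arn, "principal_account": principal_account,
            "resource_account": ACCOUNT_A, "action": action,
            "resource": "arn:aws:s3:::my_bucket/report.csv"}


def demo():
    """Scenarios discussed in the text; returns {scenario: decision}."""
    cross = make_request(f"arn:aws:iam::{ACCOUNT_B}:role/Reader", ACCOUNT_B)
    alice = f"arn:aws:iam::{ACCOUNT_A}:user/alice"
    alice_only = dict(BUCKET_POLICY, Statement=[          # same-account bucket policy naming alice
        dict(BUCKET_POLICY["Statement"][0], Principal={"AWS": alice})])
    return {
        "cross_both_allow": evaluate(cross, [READER_POLICY], BUCKET_POLICY),
        "cross_bucket_policy_only": evaluate(cross, [], BUCKET_POLICY),
        "cross_identity_only": evaluate(cross, [READER_POLICY], None),
        "cross_put": evaluate(make_request(cross["principal_arn"], ACCOUNT_B, "s3:PutObject"),
                              [READER_POLICY], BUCKET_POLICY),
        "same_bucket_policy_only": evaluate(make_request(alice, ACCOUNT_A), [], alice_only),
        "scp_deny": evaluate(cross, [READER_POLICY], BUCKET_POLICY, [DENY_S3_SCP]),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26} {decision}")
```

The cross-account scenarios show why the bucket policy on the page is only half of the grant: drop either the bucket policy or the Reader role's identity policy and the decision flips to Deny, while the same-account user alice is allowed by the bucket policy alone. The SCP scenario shows a Deny at the organization level overriding Allows on both sides.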
Can a service control policy (SCP) deny permissions to an AWS root user?
Yes. SCPs apply to every principal in a member account, including its root user: if an SCP denies an action, the member account's root user cannot perform it. SCPs do not apply to the organization's management account (its root user is unaffected), nor to service-linked roles.
What is the purpose of an AWS managed policy?
AWS managed policies are designed to provide permissions necessary to carry out specific tasks. AWS maintains and updates these policies when their services’ permissions change.
How can you restrict a specific IAM user from performing certain actions in AWS?
You can restrict specific actions by attaching a policy to the user or group with a statement whose Effect is "Deny" for those actions. An explicit Deny overrides any Allow from any other policy, so this works even if another attached policy grants the action.
Can you attach a service policy directly to a resource in AWS?
No. Managed policies attach to IAM users, groups, and roles, and SCPs attach to the organization root, organizational units, or individual accounts in AWS Organizations, not to a particular resource. SCPs bound the permissions of every IAM principal in the affected member accounts, whichever resources their requests target.
What is the function of the “Effect” element in an AWS policy?
The “Effect” element in a policy specifies whether the policy allows or denies access.
In which format are AWS policies written?
AWS policies are written in JavaScript Object Notation (JSON).
Is it possible to use both AWS managed policies and inline policies alongside?
Yes, you can use both AWS managed policies and inline policies at the same time for a user, group, or role.
What type of AWS policy primarily controls Cross-Account access?
Resource-based policies are the primary way to control cross-account access: they are attached to the resource and name the principals in other accounts that may use it. The caller in the other account additionally needs an identity-based policy allowing the action, and an explicit Deny on either side blocks it. The alternative is cross-account role assumption, where the role's trust policy (also resource-based) names the trusted account.
What role does the principal element play in AWS policies?
The Principal element in an AWS policy identifies the entity (account, IAM user or role, federated user, or AWS service) that is allowed or denied access to a resource. It appears only in resource-based policies; in a role trust policy it defines who can assume the role. Identity-based policies have no Principal element, because the identity they are attached to is implicit.