In AWS, you manage access by writing policies and attaching them to AWS Identity and Access Management (IAM) principals (roles, users, or groups) or to AWS resources. When a principal makes a request, such as uploading an object to an Amazon Simple Storage Service (Amazon S3) bucket, AWS evaluates every policy that applies to the request to decide whether the action is allowed or denied.
This post walks through a scenario and explains which policy type to use for each purpose, and which team should own and maintain each policy. You will see when to use the most common policy types: identity-based policies, resource-based policies, permissions boundaries, and AWS Organizations service control policies (SCPs).
Different Policy Types and Their Usage
AWS offers various policy types that grant you significant flexibility, and it’s crucial to understand how and when to apply each type. Additionally, it’s important to structure your IAM policy ownership effectively to prevent a centralized team from becoming a bottleneck. Clearly defined policy ownership allows your teams to operate more efficiently while adhering to the secure guidelines established centrally.
Overview of Service Control Policies
Service control policies (SCPs) are a feature of AWS Organizations, the service you use to group and centrally manage the AWS accounts your business owns. An SCP defines the maximum permissions available to an organization, an organizational unit (OU), or an individual account. SCPs limit the permissions of every principal in a member account, including the account's root user, but they do not apply to the organization's management account or to service-linked roles.
SCPs serve as broad guardrails and do not directly grant access. Their primary purpose is to enforce security invariants across AWS accounts and OUs in an organization. Security invariants are control objectives or configurations applicable to multiple accounts, OUs, or the entire AWS organization. For instance, you can use an SCP to prevent member accounts from exiting your organization or to ensure that AWS resources can only be deployed in certain regions.
Overview of Permissions Boundaries
Permissions boundaries are an advanced IAM feature that allows you to set the maximum permissions that an identity-based policy can grant to an IAM principal. When you establish a permissions boundary for a principal, the principal can only perform actions permitted by both its identity-based policies and its permissions boundaries.
A permissions boundary is itself an identity-based (managed) policy, but it does not grant access on its own. Like an SCP, it acts as a guardrail for your IAM principals and lets you set broad limits on access. Permissions boundaries are most often used to delegate the creation of IAM principals: people in your accounts can create new roles and users, but the permissions those principals can receive are capped. The delegation is enforced by allowing actions such as iam:CreateRole and iam:CreateUser only when the request attaches the approved boundary, which is checked with the iam:PermissionsBoundary condition key.
Overview of Identity-Based Policies
Identity-based policies are policy documents attached to a principal (roles, users, and groups) that control which actions the principal can perform, on which resources, and under what conditions. They come in three forms: AWS managed policies, customer managed policies, and inline policies. AWS managed policies are reusable identity-based policies created and maintained by AWS. Because they are written for broad use cases and cannot be edited, treat them as a starting point for your own policies rather than as a finished least-privilege result. Customer managed policies are also reusable and can be attached to multiple identities, which makes them useful when several principals need the same access.
Inline policies are identity-based policies linked to a single principal. Utilize inline policies when you wish to create least-privilege permissions that are specific to a certain principal. You will find numerous identity-based policies in your AWS account used for scenarios such as human access, application access, machine learning workloads, and deployment pipelines. These policies should be fine-grained, directly applying least privilege permissions to your IAM principals. Policies should be crafted with permissions that align with the specific tasks the principal needs to accomplish.
Overview of Resource-Based Policies
Resource-based policies are policy documents attached to a resource like an S3 bucket. They grant the specified principal permission to perform certain actions on that resource and define the conditions under which this permission is valid. Resource-based policies are inline policies. For a list of AWS services that support these policies, visit the AWS services that work with IAM.
Resource-based policies are optional for many workloads that stay within a single AWS account; fine-grained access within one account is normally granted through identity-based policies. Two exceptions are AWS Key Management Service (AWS KMS) key policies and IAM role trust policies, which are required even when the calling principal is in the same account as the key or role: a role can only be assumed by principals its trust policy names, and a KMS key can only be used by principals its key policy allows, either directly or by delegating to IAM policies in the account. This extra layer requires the resource owner to explicitly decide who may use the key or role. Common use cases for resource-based policies include:
- Granting cross-account access to your AWS resource.
- Allowing an AWS service to access your resource through its service principal. For example, AWS CloudTrail can only deliver log files to an S3 bucket whose bucket policy grants s3:PutObject to cloudtrail.amazonaws.com.
- Establishing broad access guardrails for your AWS resources, such as a bucket policy that denies requests from any principal outside your organization by using the aws:PrincipalOrgID condition key.
- Adding extra protection for resources containing sensitive data, such as AWS Secrets Manager secrets or S3 buckets with sensitive content. A resource-based policy can deny access to IAM principals that shouldn’t have access, even if an identity-based policy grants them permission. Remember, an explicit deny in an IAM policy always supersedes an allow.
Implementing Different Policy Types
In this section, we will illustrate a design example that incorporates all four policy types discussed in this post.
The scenario depicted involves an application running on an Amazon Elastic Compute Cloud (Amazon EC2) instance that must read from and write files to an S3 bucket within the same account. Additionally, the application reads (but does not write) files from an S3 bucket in a separate account. In this example, the company, Example Corp, employs a multi-account strategy, with each application assigned its own AWS account. The architecture of the application is illustrated in Figure 1.
In this example, three teams are involved: the Central Cloud Team, the Application Team, and the Data Lake Team. The Central Cloud Team oversees the security and governance of the AWS environment across all AWS accounts at Example Corp. The Application Team is responsible for developing, deploying, and managing their application within the application account (111111111111) that they control. Similarly, the Data Lake Team manages the data lake account.
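The following Python script is an added example, not code from the original post or from AWS. It models, in a deliberately simplified way, how the four policy types described above combine when a single request is evaluated: an explicit deny anywhere wins, the SCP caps the account, the permissions boundary caps the principal, and a cross-account request needs an allow from both the caller's identity-based policy and the owner's resource-based policy. It uses the Example Corp scenario: the Central Cloud Team owns the Region-restricting SCP and the boundary, the Application Team owns the EC2 instance role's policy and a deployment role that may only create roles carrying the boundary, and the Data Lake Team owns the bucket policy that grants read-only access to the app role. Only the application account ID 111111111111 comes from the post; the data lake account ID, the role and bucket names, the boundary ARN and the sample object keys are constructed. The evaluator supports only `*`/`?` wildcards and the StringEquals/StringNotEquals operators, and it applies the boundary as a strict cap, so it is a teaching model rather than a substitute for the IAM policy simulator.

```python
"""Simplified model of how an SCP, a permissions boundary, identity-based and
resource-based policies combine for one request (added example, not the IAM engine)."""
import fnmatch

APP_ACCOUNT, LAKE_ACCOUNT = "111111111111", "222222222222"   # second ID is constructed
APP_ROLE = f"arn:aws:iam::{APP_ACCOUNT}:role/app-instance-role"                  # hypothetical
APP_BUCKET, LAKE_BUCKET = "arn:aws:s3:::examplecorp-app-data", "arn:aws:s3:::examplecorp-data-lake"
BOUNDARY_ARN = f"arn:aws:iam::{APP_ACCOUNT}:policy/WorkloadBoundary"             # hypothetical
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]

def _list(v):
    return v if isinstance(v, list) else [v]

def _match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _list(patterns))   # IAM '*' and '?'

def _conditions_hold(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        for key, expected in pairs.items():
            hit = ctx.get(key) in _list(expected)
            if (op == "StringEquals") != hit:          # Equals needs a hit, NotEquals a miss
                return False
    return True

def _applies(stmt, action, resource, principal, ctx):
    if "NotAction" in stmt:
        if _match(stmt["NotAction"], action):
            return False
    elif not _match(stmt.get("Action", []), action):
        return False
    if not _match(stmt.get("Resource", "*"), resource):
        return False
    if "Principal" in stmt:                            # only resource-based policies name one
        p = stmt["Principal"]
        names = ["*"] if p == "*" else _list(p.get("AWS", [])) + _list(p.get("Service", []))
        if not _match(names, principal):
            return False
    return _conditions_hold(stmt, ctx)

def evaluate(policy, action, resource, principal, ctx):
    """'Deny', 'Allow' or None (implicit deny) for one policy document."""
    verdict = None
    for stmt in _list((policy or {}).get("Statement", [])):
        if _applies(stmt, action, resource, principal, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"                          # an explicit deny is final
            verdict = "Allow"
    return verdict

def is_allowed(action, resource, resource_account, principal, identity, ctx,
               scp=None, boundary=None, resource_policy=None):
    v = {k: evaluate(p, action, resource, principal, ctx) for k, p in
         {"scp": scp, "boundary": boundary, "identity": identity, "resource": resource_policy}.items()}
    if "Deny" in v.values():
        return False
    if scp is not None and v["scp"] != "Allow":            # SCP caps the whole account
        return False
    if boundary is not None and v["boundary"] != "Allow":  # boundary caps this principal
        return False
    if principal.split(":")[4] == resource_account:        # same account: either side may grant
        return "Allow" in (v["identity"], v["resource"])
    return v["identity"] == "Allow" and v["resource"] == "Allow"   # cross-account: both must

def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Central Cloud Team: SCP on the workload OU (the Allow-all mirrors the default FullAWSAccess)
SCP = _policy({"Effect": "Allow", "Action": "*", "Resource": "*"},
              {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
              {"Effect": "Deny", "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
               "Resource": "*", "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}})
# Central Cloud Team: boundary that every role the Application Team creates must carry
BOUNDARY = _policy({"Effect": "Allow", "Action": ["s3:*", "logs:*", "ec2:Describe*"], "Resource": "*"})
# Application Team: identity-based policy on the EC2 instance role
APP_ROLE_POLICY = _policy(
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{APP_BUCKET}/*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{LAKE_BUCKET}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": [APP_BUCKET, LAKE_BUCKET]})
# Application Team's deployment role: may create roles only while attaching the boundary
DEPLOY_ROLE_POLICY = _policy(
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:PutRolePolicy"], "Resource": "*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}})
# Data Lake Team: bucket policy granting read-only cross-account access to the app role
LAKE_BUCKET_POLICY = _policy(
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE}, "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [LAKE_BUCKET, f"{LAKE_BUCKET}/*"]})
OVERLY_BROAD = _policy({"Effect": "Allow", "Action": "*", "Resource": "*"})   # what a boundary catches

def check(action, resource, resource_account, identity=APP_ROLE_POLICY, boundary=BOUNDARY,
          resource_policy=None, region="eu-west-1", **extra_ctx):
    ctx = {"aws:RequestedRegion": region, **extra_ctx}
    return is_allowed(action, resource, resource_account, APP_ROLE, identity, ctx,
                      scp=SCP, boundary=boundary, resource_policy=resource_policy)

def scenario_results():
    own, lake = f"{APP_BUCKET}/report.csv", f"{LAKE_BUCKET}/raw/2024.parquet"   # constructed keys
    role = f"arn:aws:iam::{APP_ACCOUNT}:role/new-app-role"
    return {
        "write_own_bucket": check("s3:PutObject", own, APP_ACCOUNT),
        "read_lake_bucket": check("s3:GetObject", lake, LAKE_ACCOUNT, resource_policy=LAKE_BUCKET_POLICY),
        "write_lake_bucket": check("s3:PutObject", lake, LAKE_ACCOUNT, resource_policy=LAKE_BUCKET_POLICY),
        "read_lake_no_bucket_policy": check("s3:GetObject", lake, LAKE_ACCOUNT),
        "write_own_bucket_us_east_1": check("s3:PutObject", own, APP_ACCOUNT, region="us-east-1"),
        "broad_policy_capped_by_boundary": check("iam:CreateUser", f"arn:aws:iam::{APP_ACCOUNT}:user/x",
                                                 APP_ACCOUNT, identity=OVERLY_BROAD),
        "create_role_with_boundary": check("iam:CreateRole", role, APP_ACCOUNT, identity=DEPLOY_ROLE_POLICY,
                                           boundary=None, **{"iam:PermissionsBoundary": BOUNDARY_ARN}),
        "create_role_without_boundary": check("iam:CreateRole", role, APP_ACCOUNT,
                                              identity=DEPLOY_ROLE_POLICY, boundary=None),
    }
```

Running `scenario_results()` shows the division of ownership at work: the app role can write to its own bucket and read from the data lake bucket, but a read attempt with the Data Lake Team's bucket policy absent is denied even though the Application Team's identity policy allows it, a write to the data lake is denied because neither side grants it, the same write to the app's own bucket is denied in us-east-1 by the Central Cloud Team's SCP, an over-broad `"Action": "*"` identity policy still cannot call iam:CreateUser because the boundary caps it, and the deployment role can create a role only when it attaches the approved boundary. The `evaluate` function can also be called directly on a single document, for example to confirm that the SCP denies organizations:LeaveOrganization while leaving global services such as IAM reachable from any Region.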