So going into the exam, we need to have a much better understanding of advanced IAM concepts. So this lecture is going to be dedicated to explaining to you a few things that you take for granted, but it's always good to see them outlined in diagrams.

So the first one is the authorization model and how policies are evaluated. This is a simplified model, by the way; it's a lot more complicated, but hopefully that gives you a good idea about how that works. If there's an explicit deny in your policy, then you end the decision with a deny. If there's an allow, you end the decision with allow. And else, you deny.

So what does it look like? Say, for example, that a user wants to create a DynamoDB table. The decision starts with deny, so by default, it can't do it. Then all the policies attached to that user will be evaluated. So for example, if we have a policy attached to our user, this will be what goes into this "all applicable policies". Then we'll look at the policy. Is there an explicit deny in the policy?
Is there somewhere in the policy that says, "Users cannot create DynamoDB tables"? If so, the final decision is deny, no matter what. Then, only then, the allow will be evaluated. So is there an allow statement allowing the user to create a DynamoDB table? Yes, then the final decision is allow. No, then the final decision is deny. So if there's both an explicit deny and an explicit allow in the policy, as you can see, the deny will win because the explicit deny condition is evaluated first. So remember that diagram, it's really important.

Now comes the fun part. How do IAM policies work with S3 bucket policies? So IAM policies, we know they're attached to users, roles and groups, whereas S3 bucket policies are attached to buckets, and they both define what users can do on the bucket. So when we evaluate in IAM whether an IAM principal can put an object into an S3 bucket, what will be evaluated is the union of the IAM policy and the S3 bucket policy. So this is something that is not really well known.
So if you take an action in S3, you look at the IAM policy plus the S3 bucket policy in union together, so all these rules are added together, and that will give you the total policy that will be evaluated from a security standpoint. Something to know about. So that means that, for example, if you have an EC2 instance and you remove the S3 policies in the IAM policy, but there's still an S3 bucket policy authorizing the EC2 instance to do something, then it will still be able to do stuff in S3. So very important to know this.

Let's go through four examples just to make sure this is really, really clear, and pause the video if you need to, just to make sure you understand correctly.

So say you have an IAM role attached to an EC2 instance and it authorizes reads and writes to my bucket. There's no S3 bucket policy attached. In this case, can the EC2 instance write and read to the bucket? Yes, it can. Because the union of these two things is that our EC2 instance has the right to read and write to my bucket.

Okay, second example.
We have an IAM role attached to the EC2 instance and it authorizes reads and writes to my bucket, but this time, the S3 bucket policy is attached to the S3 bucket and there's an explicit deny to the IAM role used by that EC2 instance. In this case, is the EC2 instance allowed or denied to write to the bucket? Well, it cannot read from the bucket because there is now an explicit deny in the union policy, and we've seen that explicit denies have higher priority than explicit allows. So in this case, our EC2 instance cannot read and write to my bucket.

Example three. We have an IAM role attached to the EC2 instance and there's no such thing as S3 bucket permissions in it. It's an empty role. And from the S3 bucket policy that's attached to the S3 bucket, there's an explicit read/write allow to the IAM role used by the EC2 instance. In this case, can our EC2 instance read and write to our bucket?
The answer is yes, it can, because the union policy, again, has the read/write allow from the S3 bucket policy. And so our EC2 instance, even though within its IAM role it's not specified that it can do stuff in S3, the S3 bucket policy will still allow this, and so our EC2 instance can read and write to my bucket.

Last example: the IAM role attached to the EC2 instance has an explicit deny and the S3 bucket allows it. In which case, well, then you probably know the answer to that: the EC2 instance cannot read and write to my bucket because of that explicit deny.

So hopefully, through those four examples, it makes it more clear how policies are evaluated when you have both an IAM role and an S3 bucket policy.

Now let's consider another advanced IAM concept called dynamic policy. So how do you assign, for example, a /home/ user folder in an S3 bucket, such that each user in your IAM organization will have their own folder and can read and write to it only?
Option one is, for example, you can create an IAM policy allowing your user Georges to have access to /home/georges. Maybe you create another IAM policy allowing your user Sarah in IAM to have access to /home/sarah. And maybe do this thing for Matt, /home/matt. So you'll have one IAM policy per user, and every time you add a new user, you will have to create an IAM policy allowing them access to their own home directory. So this doesn't scale, obviously, right?

Option two is, as you can expect, using dynamic policy in IAM and just creating one of them. And you will leverage a special policy variable called ${aws:username}. And this, at runtime, because it's dynamic, will be replaced by the value of the AWS username.
So now what you can do is that if you want to allow your user to write to their own folder, you can just have this very simple dynamic policy, and you can attach this to all users, in which you're saying that you have the right to access /home/${aws:username}. And that's it, very simple, but now that you know that dynamic policies and dynamic variables exist within IAM, it expands the possibilities of IAM so much. The idea is that you don't want to have one policy per user; you want to have one policy for every user that is yet customized on a per-user basis, thanks to the dynamic replacement of the AWS username.

Last but not least, let's talk about the difference between inline and managed policy. So there are three kinds of policy in AWS. There's the AWS managed policy, and as the name indicates, they're maintained by AWS, you don't have any control over them, and they're good if you want to define power users or administrators, or based on job functions. And they will be updated by AWS in case they create new services or they introduce new APIs.
So they're very helpful if you want to have your administrators, for example, and we've been using those all along.

Then you have customer managed policy. This time, it's you who create these policies, and it's best practice to use them if you want to have more granular control. They will be reusable; they can be applied to as many principals as you want. They will have version control; you'll be able to roll back these policies in time if you want to. There is a central change management, so you can see who did what and whom. And they're great, and by the AWS documentation, they are best practice.

Finally, you have inline policy, and the inline policies are directly within a principal. They're a strict one-to-one relationship between the policy and the principal. They're not version controlled, you cannot roll them back, you cannot really alter them very easily. And if you delete the IAM principal, the policy will be deleted. So remember the differences between these three. Let me just show you how they are in the IAM console.
So here I am in AWS IAM. And so on the left-hand side, I can click on Policies, and here I'm able to see all the policies that have been created. So I can filter them, maybe, by AWS managed policy, and here we go, we can for example see that this one is AlexaForBusinessFullAccess or AlexaForBusinessReadOnlyAccess, and you have those for pretty much every single service. So if I typed DynamoDB, I see all these kinds of policies. We have DynamoDBFullAccess, DynamoDBFullAccesswithDataPipeline, ReadOnlyAccess, Autoscaling, Lambda, all that stuff, and the ReplicationService. So we can very quickly see all the policies, and as you can see, those are AWS managed.

You can also see your customer managed policies, and they're the ones, and let me remove the filter, they're the ones that we have created through this course. So we have some CodeBuilds, CodePipeline, Lambda and so on, and these are customer managed.
So if I click on one of those, for example, I can see the permissions, and I can see the version, the policy version, so in this case there's only one version, and I can see the policy usage, meaning what is using this policy. So it makes it very easy and auditable and customizable at the very same time.

Finally, there are inline policies, and you will not find them here. You will find them in your Users, in my name, and here on the right-hand side, I'm able to add an inline policy through the service, for example EC2, and give myself list permissions. Now I want to show you something, so I'll say, "Okay, list permissions." And there's 95 of those selected, and this is excellent. On the Resources, I don't need to specify any resource.
So I click on Review policy, and I'll call this MyInlinePolicy, and click on Create policy. And something you'll notice right here is that I cannot create this, because my policy max bytes is two kilobytes and it's been exceeded for this user. So by using an inline policy, you're actually not able to specify many, many different things. So in this case, if we go back and look at the JSON, as you can see, there's a lot of different text, and that probably goes over two kilobytes, so I cannot use this policy. Instead I could, instead of using List, select one of these attributes, and now hopefully my inline policy will work. Yes, it has worked. And as we can see now, I have now attached to my own user MyInlinePolicy, which is an inline policy. And from there it is actually linked to my user, but as you can see, it's not very handy, not very auditable, and it has some restrictions in size.

So that's it, I hope that was helpful.
I hope you learned a lot in IAM and that you'll use those concepts accordingly, and I will see you in the next lecture.