Okay, so let's get into some advanced concepts for IAM. The first thing I wanna talk to you about is IAM Conditions. So what are IAM conditions? They are a way to make your IAM policies a bit more restrictive, based on a condition. So let's have a look at different conditions that can come up in the exam.

The first one is aws:SourceIp, which is to restrict the client IP from where the API calls are being made. So in this example, there is a Deny star, Resource star. So deny everything, condition NotIpAddress is within these two IP ranges. So if we translate this into plain English, that means deny anything that does not come from these two source IP ranges. And so what this means is that we don't deny everything all the time; we'll just deny it if they don't come from a predefined list of IPs. And this is probably for enhanced security. So what you have to remember here is that the aws:SourceIp is really meaning the IP of the client making the API call into AWS, okay? So this is what it means.
The IP of the client, where the calls are being made. Next, we have aws:RequestedRegion, which is to restrict the region the API calls are made to. So this example of an IAM policy is called Allow Only inside the EU, which you probably know what it means, and the effect is Allow. Actions is EC2 star, RDS star, DynamoDB star. So anything on these three services, Resource star. So any resources within these three services should be allowed. Conditions are only if StringEquals, requested region, eu-central-1 or eu-west-1. So this means if you are making an API call on these services on anything, it has to come from these requested regions. So either eu-central-1 or eu-west-1, then accept it. Otherwise, if it comes from the US or anything like this, then don't accept it. So here, thanks to the aws:RequestedRegion, we don't see where the client is located, we see where the client is trying to make an API call to. So that means the client can only operate in eu-west-1 or eu-central-1. So very good.

Next, we have restriction based on tags.
So we are able to say, okay, you can start and stop your EC2 instances, only and only if your project is data analytics and your department is data, and that's for the resource tag of your EC2 instance and the principal tag of your user. So we are able to have tag-based security in AWS. And one last that's pretty cool: we can force multi-factor authentication. So we're saying, "Okay, you can stop instances and terminate instances only if you have multi-factor authentication present". So deny if you don't have it. So these are some really cool and insightful conditions. The very good thing about IAM policies is that you can usually read them out loud by just seeing what is written, but you should know that the source IP is for where the client is located and the requested region is where you're trying to make requests to.

Okay, so now let's look into IAM for S3. So here is a very specific IAM policy that you'll see many times.
So in this one, we allow ListBucket on this resource, and this bucket which is called test, and we'll see allow PutObject, GetObject, and DeleteObject on this bucket test. But this time there's a slash and then the star afterwards. So let's see what that means and why. So ListBucket is a permission that applies to the bucket test. And as such the ARN is arn:aws:s3:::test, because that's where our bucket is. This is a bucket-level permission. And so there's no trailing slash, it's just the bucket name. But GetObject, PutObject, and DeleteObject apply to anything within the bucket. And so therefore the ARN, the resource you should consider, is the name of the bucket, slash, and then a star, because this applies to all the objects within the bucket. So this is the star you see on the bottom right of your screen. This is because it says the PutObject, GetObject, and DeleteObject apply to any object within your bucket. And so that is very important. This is an object-level permission and before it was a bucket-level permission.
So this is very important when you design your IAM policies, to understand the differences between the two, and to be able to understand why sometimes there is a trailing slash and a star and why sometimes there is not. And hopefully that makes it very clear.

So what is the difference between an IAM role and a resource-based policy? So for example, if we take a resource, for example the S3 bucket policy, what is the difference if we use an S3 bucket policy versus using a role as a proxy to access an S3 bucket? So let's assume the user is in Account A, and the Amazon S3 bucket is in Account B, and we want to access it. Option number one is to create a role in Account B, assume that role using STS. And then by assuming that role in Account B, we will be able to issue API calls against the Amazon S3 bucket in Account B. The other option is to use the same bucket and create an S3 bucket policy that directly allows the user accounts from Account A to access the Amazon S3 bucket. So they look similar, but they're actually a little bit different.
When you assume a role, be it as a user, an application, or a service, you are going to give up your original permissions and you are going to take the permissions assigned to the role. And when using a resource-based policy, your principal doesn't have to give up its permissions. And it can just go through that resource bucket policy and not lose the permissions. So you can do both actions in Account A and Account B. So for example, if a user in Account A needs to scan a DynamoDB table in Account A and then dump it into an S3 bucket in Account B, then there would be some use case for a resource-based policy. Because if you use an IAM role to do some stuff in Account B for the S3 buckets, then you cannot do anything back on your DynamoDB table in Account A, and that would be a waste. So what are resource-based policies gonna be applied to? Well, Amazon S3 buckets, SNS topics, SQS queues, all these things can have resource-based policies. So use wisely and know the difference between the two.
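The S3 policy from the IAM-for-S3 part of this lecture, written out as a policy document together with a small check for the bucket-level versus object-level ARN rule it explains. This is an added example, not code from the course: the bucket name test comes from the lecture, while the lint function and the deliberately broken variant are constructed here.

```python
# Actions that act on objects: they need "arn:aws:s3:::bucket/*" (or a key path).
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
# Actions that act on the bucket itself: they need "arn:aws:s3:::bucket", no path.
BUCKET_ACTIONS = {"s3:ListBucket"}

# The policy described in the lecture, for a bucket named "test" (constructed document).
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::test"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::test/*"},
    ],
}

# Constructed broken variant: each action is granted on the wrong level of ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::test"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::test/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_s3_resources(policy):
    """Return one message per action whose level (bucket vs object) does not match its ARN."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        for action in _as_list(stmt.get("Action", [])):
            for arn in _as_list(stmt.get("Resource", [])):
                if not arn.startswith("arn:aws:s3:::"):
                    continue  # not an S3 ARN, nothing to check
                has_path = "/" in arn[len("arn:aws:s3:::"):]  # "test/*" vs "test"
                if action in OBJECT_ACTIONS and not has_path:
                    problems.append(f"statement {i}: {action} needs bucket/* ARN, got {arn}")
                elif action in BUCKET_ACTIONS and has_path:
                    problems.append(f"statement {i}: {action} needs bucket ARN, got {arn}")
    return problems

if __name__ == "__main__":
    print(lint_s3_resources(S3_POLICY))     # []
    print(lint_s3_resources(BROKEN_POLICY))  # two mismatches
```

A mismatch of this kind is not rejected when the policy is saved; it only shows up later as an AccessDenied on the call, which is why checking it before deployment is worthwhile.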