So let's have a look now at the fundamental differences between IAM Roles and Resource Based Policies. For cross-account access, especially when you want to perform an API call on an S3 bucket in another account, you have two options. You can attach a resource-based policy to a resource, for example an S3 bucket policy on an S3 bucket, or you can use a role that can access the resource.

Let's take an example of these two options. In the first, the user in Account A assumes a role in Account B, and that role has the permissions to access the Amazon S3 bucket. In the second, the user in Account A, through a bucket policy placed on the Amazon S3 bucket in Account B, can access the S3 bucket directly. Both of these situations are valid, but there is a small difference. The first one is an IAM role that has access to the S3 bucket. The second one is an S3 bucket policy that allows the user. So what's the difference?

When you assume a role, you give up all your original permissions and take on all the permissions assigned to the role. This is very important. It means that if we assume a role, we can do anything that the role can do, but we cannot use our original permissions. When you use a resource-based policy instead, the principal does not assume a role and therefore does not have to give up its permissions. Take the example of a user in Account A who needs to scan a DynamoDB table in Account A and then write the result into an S3 bucket in Account B. Here we should use a resource-based policy, because this way we don't have to assume a role, and we can both scan the DynamoDB table and write to the S3 bucket in the other account. Resource-based policies are supported by more and more AWS services and resources over time: Amazon S3 buckets, SNS topics, SQS queues, Lambda functions, and so on. A big example of where this comes into play is Amazon EventBridge.

Amazon EventBridge has rules, and these rules need permission to do whatever they need to do on the target. There are two kinds of targets. There are targets that support resource-based policies, such as Lambda, SNS, SQS, CloudWatch Logs, API Gateway and so on. In that case, what you should do is change the target resource to have a resource-based policy that allows the EventBridge rule to do what it needs to do. The second kind, for example Kinesis Data Streams, Systems Manager Run Command, or starting an ECS task, requires an IAM role. The IAM role is attached to the EventBridge rule and has the permissions to write to Kinesis. So you may ask me: how do I know which is which? By looking at the documentation, but from an exam perspective, all the information you need to know is on these slides. Remember: SNS, SQS and Lambda use resource-based policies, and Kinesis Data Streams especially uses an IAM role. Okay, that's it for this lecture. I hope you liked it and I will see you in the next lecture.
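As an added illustration of the difference the lecture draws between the two options (this is not code from the lecture or from AWS), here is a small Python model of the scan-table-in-A-then-write-to-bucket-in-B job. The account IDs, ARNs and policy statements are constructed sample values, and the evaluation rules are a deliberately simplified version of AWS's: Allow statements only, no Deny, no conditions, a same-account call needs only an identity-policy Allow, and a cross-account call must be allowed by both the caller's identity policy and the owning account's resource-based policy. The role's trust policy is modelled as a resource-based policy on the role, which is how AWS treats it.

```python
"""Toy model of cross-account access: assume a role in Account B versus
relying on a bucket policy in Account B. Sample data only (constructed)."""
from fnmatch import fnmatchcase

ACCOUNT_A = "111111111111"  # constructed account ID
ACCOUNT_B = "222222222222"  # constructed account ID
USER_A = f"arn:aws:iam::{ACCOUNT_A}:user/alice"
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/S3WriterRole"
TABLE_A = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_A}:table/Orders"
BUCKET_B_OBJECTS = "arn:aws:s3:::reports-account-b/*"

# Which account owns each resource (S3 ARNs carry no account ID).
RESOURCE_OWNERS = {TABLE_A: ACCOUNT_A, BUCKET_B_OBJECTS: ACCOUNT_B, ROLE_B: ACCOUNT_B}

# Identity-based policies: principal ARN -> allowed (action, resource) pairs.
IDENTITY_POLICIES = {
    USER_A: [
        ("dynamodb:Scan", TABLE_A),
        ("sts:AssumeRole", ROLE_B),
        # The caller's own account must also allow the cross-account S3 call.
        ("s3:PutObject", BUCKET_B_OBJECTS),
    ],
    ROLE_B: [("s3:PutObject", BUCKET_B_OBJECTS)],
}

# Resource-based policies in Account B: (principal, action, resource).
BUCKET_POLICY_B = [(USER_A, "s3:PutObject", BUCKET_B_OBJECTS)]
ROLE_TRUST_B = [(USER_A, "sts:AssumeRole", ROLE_B)]  # the role's trust policy


def account_of(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def owner_of(resource):
    for pattern, owner in RESOURCE_OWNERS.items():
        if fnmatchcase(resource, pattern):
            return owner
    raise KeyError(f"unknown resource {resource}")


def identity_allows(principal, action, resource):
    return any(action == a and fnmatchcase(resource, r)
               for a, r in IDENTITY_POLICIES.get(principal, []))


def resource_policy_allows(principal, action, resource, resource_policy):
    return any(principal == p and action == a and fnmatchcase(resource, r)
               for p, a, r in resource_policy)


def is_allowed(principal, action, resource, resource_policy=()):
    """Simplified evaluation: identity Allow is required; cross-account calls
    additionally need an Allow in the owning account's resource policy."""
    if not identity_allows(principal, action, resource):
        return False
    if owner_of(resource) == account_of(principal):
        return True
    return resource_policy_allows(principal, action, resource, resource_policy)


def assume_role(principal, role):
    """Returns the principal later calls run as. After AssumeRole the session
    carries only the role's permissions, never the original caller's."""
    if not is_allowed(principal, "sts:AssumeRole", role, ROLE_TRUST_B):
        raise PermissionError(f"{principal} may not assume {role}")
    return role


def run_job(principal, resource_policy=()):
    """The lecture's job: scan the table in Account A, write to the bucket in B."""
    obj = "arn:aws:s3:::reports-account-b/orders.csv"
    return {
        "scan_table_a": is_allowed(principal, "dynamodb:Scan", TABLE_A, resource_policy),
        "write_bucket_b": is_allowed(principal, "s3:PutObject", obj, resource_policy),
    }


def option_assume_role():
    """Option 1: the session is the role in B, so the Account A scan is lost."""
    return run_job(assume_role(USER_A, ROLE_B))


def option_bucket_policy():
    """Option 2: the user keeps its own permissions and gains the bucket access."""
    return run_job(USER_A, BUCKET_POLICY_B)


if __name__ == "__main__":
    print("assume role   :", option_assume_role())
    print("bucket policy :", option_bucket_policy())
    print("no grant in B :", run_job(USER_A))
```

Running the block shows the lecture's point directly: after assuming the role, the session can write to the bucket but can no longer scan the table in Account A, while with the bucket policy the user does both. The third line shows that the identity policy in Account A alone is not enough for the cross-account write; Account B has to grant it too.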