Learn how to troubleshoot IAM policies with the AWS Policy Simulator. Given that multiple IAM policies can be associated with a given IAM role, group, or user, the ability to simulate, test, and debug IAM policies is useful. Caution must be exercised when making changes to policies via the Policy Simulator, as those changes take immediate effect.
- [Instructor] Remember when we created the SBN devops admin elevated role? For simplicity's sake, we attached the AWS managed administrator policy. While convenient at the time, it's not the best way to go. Let's explore why. Here we are looking at the screen that defines what that role can do. On the Permissions tab, we can see that the only policy attached is the administrator access policy. I'm going to click on the blue Show Policy link to explore what that policy actually looks like.

Clicking on the link displays the JSON, which defines the administrator access policy. Its power lies in its simplicity. The fact that the action and resource segments of this policy both have an asterisk indicates that this policy has the effect of allowing any action on any resource within the AWS account. If this is the only policy assigned to a group with no explicit deny actions in place, any service within AWS can be altered. This includes everything from creating virtual private clouds, to deleting a single S3 object.
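To make the evaluation rule the transcript describes concrete (wildcard Action and Resource allow everything; an explicit Deny in any attached policy overrides it), here is a small offline evaluator written for this page. It is added example code, not part of the course or the AWS Policy Simulator; the AdministratorAccess document mirrors the managed policy shown above, while the scoped Deny policy, bucket name and ARNs are constructed for the example, and conditions, permission boundaries, SCPs and resource policies are deliberately not modelled.

```python
import fnmatch
import json

# Mirrors the AWS managed AdministratorAccess document shown in the transcript.
ADMINISTRATOR_ACCESS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Constructed second policy: an explicit Deny scoped to one bucket, to show
# that attaching it alongside AdministratorAccess removes that one capability.
DENY_PROD_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::prod-bucket/*"}
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM wildcards (* and ?) behave like shell globs. Action names are
    case-insensitive in IAM; resource ARNs are case-sensitive."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def simulate(policies, action, resource):
    """Approximation of the simulator's core rule for identity-based policies:
    an explicit Deny anywhere wins, otherwise any matching Allow grants access,
    otherwise the result is the implicit default deny."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt.get("Action", []), action, True)
                    and _matches(stmt.get("Resource", []), resource, False)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # deny short-circuits every allow
            decision = "allowed"
    return decision
```

Running `simulate` with only AdministratorAccess attached reports "allowed" for any action on any resource, which is exactly the breadth the transcript warns about.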
Sharif Nijim couples pragmatic advice with practical examples that educate IT pros on how to create a secure infrastructure within Amazon Web Services. Sharif explores the shared responsibility model of security, which splits duties between your company and AWS, and introduces key identity and access management concepts, including users, groups, roles, and policies. Learn how to configure Identity and Access Management (IAM) and Simple Storage Service (S3) access management, including policies and access control lists. At the end of the course, Sharif helps you prepare for the inevitable audit of your AWS account(s).
This course is also part of a series designed to help you prepare for the AWS Certified SysOps Administrator – Associate certification exam.
- The AWS shared responsibility model and security landscape
- Enabling CloudTrail
- Configuring AWS Identity and Access Management (IAM)
- Configuring IAM users, groups, and policies
- Granting temporary access
- Controlling access to Simple Storage Service (S3)
- Preparing for security audits
- Getting audit help from Trusted Advisor