amazon web services - AWS IAM applicable policies and attached entities
After asking this question I did some digging and found a couple of policies with:

    { "Effect": "Allow", "Action": "*", "Resource": "*" }

in them.

Reading through the policy evaluation logic page again, the second step stands out to me:

- Evaluate applicable policies.

The first part of my question is: how does AWS determine which policies are applicable? My understanding is that this is done by looking at the Principal and/or Resource keys.

But in IAM these policies have attached entities, which, as I understand it, work on the same principles. This gets to the second part of my question: what is an attached entity of a policy? As far as I understand, it tells AWS that the policy is applicable to the role, but I do not understand how that works with "Resource": "*" in the policy.

So:

- How does AWS determine which policies are applicable?
- What is an attached entity of a policy?
- What makes a "Resource": "*" policy applicable?
1> While making a request (either using access keys or the console), you are passing a username or role name. Let's say you are accessing the API using an IAM user. AWS then checks the policies attached to the user and the policies attached to the user's IAM groups (if any). It also checks whether there is a resource-based policy, e.g. an S3 bucket policy or an SNS topic policy, determined by the resource in the request.

2> A policy does nothing if you don't attach it to an IAM entity, or to a resource (for a resource-based policy). The attached entity (I think you are referring to IAM entities) is used to decide the principal, which in turn tells AWS what to check for permissions (whether it is an IAM user, then check IAM group membership, etc.).

3> "Resource": "*" means the policy grants permission on all AWS resources. The policy you have mentioned translates to: allow ("Effect": "Allow") every action ("Action": "*") on every resource ("Resource": "*").

Hope this helps.
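The two steps the answer describes (collect the policies attached to the principal and to the resource, then evaluate the matching statements) can be made concrete with a small model. The code below is an added example, not code from the question or the answer and not AWS's implementation: it gathers identity-based policies attached directly to a user and to the user's groups, adds any resource-based policy whose Principal names that user, and applies deny-overrides-allow with an implicit default deny. The account ID, user names, group, bucket and policies are all constructed, and the resource-based policy lookup is simplified to "a policy attached to a bucket applies to the bucket and its objects".

```python
"""Simplified model of IAM's "evaluate applicable policies" step.

Constructed example: identity-based policies (user + groups) and
resource-based policies (keyed by resource ARN), then deny-overrides-allow
with an implicit deny. Not AWS's real evaluator; ARNs and names are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Any

ACCOUNT = "111122223333"  # constructed account id


def wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    policies: list = field(default_factory=list)  # attached directly to the user

    @property
    def arn(self) -> str:
        return f"arn:aws:iam::{ACCOUNT}:user/{self.name}"


@dataclass
class Decision:
    effect: str  # "Allow" or "Deny"
    reason: str  # which attached policy decided, or implicit deny


# The policy from the question: every action on every resource
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Identity-based policies attached to groups (constructed)
GROUP_POLICIES = {
    "developers": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs/*"}]}],
}

# Resource-based policies keyed by the ARN they are attached to (constructed
# bucket policy that denies one specific user all S3 actions on the bucket)
RESOURCE_POLICIES = {
    "arn:aws:s3:::app-logs": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/contractor"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/*"}]},
}


def applicable_statements(user: User, resource: str) -> list:
    """Step 1: statements from the user, the user's groups, and any
    resource-based policy on the target whose Principal names the user."""
    found = [("user:" + user.name, s) for p in user.policies for s in p["Statement"]]
    for g in user.groups:
        found += [("group:" + g, s) for p in GROUP_POLICIES.get(g, [])
                  for s in p["Statement"]]
    for target, pol in RESOURCE_POLICIES.items():
        if resource != target and not resource.startswith(target + "/"):
            continue  # policy is attached to a different resource
        for s in pol["Statement"]:
            princ = s.get("Principal", {})
            principals = ["*"] if princ == "*" else as_list(princ.get("AWS", []))
            if any(p in ("*", user.arn) for p in principals):
                found.append(("resource:" + target, s))
    return found


def statement_matches(s: dict, action: str, resource: str) -> bool:
    """Actions match case-insensitively; resources (ARNs) match exactly."""
    return (any(wildcard_match(p, action, True) for p in as_list(s.get("Action", [])))
            and any(wildcard_match(p, resource) for p in as_list(s.get("Resource", []))))


def evaluate(user: User, action: str, resource: str) -> Decision:
    """Step 2: an explicit Deny wins, then any Allow, otherwise implicit deny."""
    matching = [(src, s) for src, s in applicable_statements(user, resource)
                if statement_matches(s, action, resource)]
    for src, s in matching:
        if s["Effect"] == "Deny":
            return Decision("Deny", f"explicit deny from {src}")
    for src, s in matching:
        if s["Effect"] == "Allow":
            return Decision("Allow", f"allowed by {src} "
                                     f"(Action={s['Action']}, Resource={s['Resource']})")
    return Decision("Deny", "implicit deny: no applicable statement matched")


# Constructed principals and resources
ADMIN = User("ops-admin", policies=[ADMIN_POLICY])
DEV = User("alice", groups=["developers"])
CONTRACTOR = User("contractor", groups=["developers"])
LOG_OBJECT = "arn:aws:s3:::app-logs/2024/app.log"
INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"

if __name__ == "__main__":
    for u, a, r in [(ADMIN, "ec2:TerminateInstances", INSTANCE),
                    (DEV, "s3:GetObject", LOG_OBJECT),
                    (DEV, "s3:PutObject", LOG_OBJECT),
                    (CONTRACTOR, "s3:GetObject", LOG_OBJECT)]:
        d = evaluate(u, a, r)
        print(f"{u.name:11}{a:24}-> {d.effect}: {d.reason}")
```

Running it shows the three points of the answer: the policy attached to ops-admin makes any action on any resource applicable and allowed; alice gets s3:GetObject only through her group membership and an implicit deny for s3:PutObject; the contractor has the same group allow but the bucket policy's explicit Deny, which is applicable because its Principal names that user, overrides it.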