
4. Policy Interpretation Deep Dive

Notes


Every statement has an Effect of Allow or Deny. Evaluation order is Deny - Allow - Deny: everything starts implicitly denied, an explicit allow grants, and an explicit deny is applied last. Note: an explicit deny always wins, over everything.

  • Explicit deny over an explicit allow.

Look at the Resource, Effect, Condition and Action elements of each statement to determine what the policy does.

Example: [image of an example policy, not reproduced]

Explicit Deny


Everything in AWS is already denied by default, so an explicit deny on its own changes nothing; it only matters when there is an explicit allow somewhere else for it to override.

  • NotAction - the statement applies to every action that does NOT match the listed ones
  • Resource - the statement is scoped to the listed resource(s)
  • Condition - the statement applies only when the condition matches (watch how this combines with NotAction)
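To make the Deny - Allow - Deny order and the NotAction/Resource/Condition elements above concrete, here is an added Python model of identity-based policy evaluation. It is example code written for these notes, not AWS's evaluator and not part of any course material: it covers only identity policies in a single account, with Action/NotAction, Resource/NotResource and the StringEquals and Bool condition operators (plus their IfExists forms). The policies, the bucket name and the request contexts are all constructed.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names match case-insensitively; '*' and '?' are the IAM wildcards
    # (fnmatchcase also understands [..] classes, which ARNs/actions never contain).
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, resource):
    # Resource ARNs match case-sensitively.
    return any(fnmatchcase(resource, p) for p in patterns)


def _condition_matches(condition, context):
    """Every operator/key pair must match (AND). A key missing from the request
    context fails the block, unless the operator carries the ...IfExists suffix,
    which treats a missing key as a match. Only StringEquals and Bool are modelled."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            actual = str(context[key])
            wanted = [str(v) for v in _as_list(expected)]
            if base == "StringEquals":
                ok = actual in wanted
            elif base == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            else:
                raise NotImplementedError(f"condition operator {operator} is not modelled")
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    """A statement applies when its action, resource and condition parts all match."""
    if "Action" in stmt and not _action_matches(_as_list(stmt["Action"]), action):
        return False
    # NotAction: the statement covers every action that does NOT match the list
    if "NotAction" in stmt and _action_matches(_as_list(stmt["NotAction"]), action):
        return False
    if "Resource" in stmt and not _resource_matches(_as_list(stmt["Resource"]), resource):
        return False
    if "NotResource" in stmt and _resource_matches(_as_list(stmt["NotResource"]), resource):
        return False
    if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
        return False
    return True


def evaluate(policies, action, resource, context=None):
    """Deny - Allow - Deny: start implicitly denied, an applicable Allow grants,
    and any applicable explicit Deny wins over everything."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed sample policies (not from the notes); the bucket name is a placeholder.
ADMIN_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def mfa_guardrail(operator="Bool"):
    """Constructed guardrail. `operator` is 'Bool' or 'BoolIfExists' so the example
    can show the difference for long-term credentials, whose request context has
    no aws:MultiFactorAuthPresent key at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # deny every action that is NOT s3:* or iam:* unless MFA was used
                "Effect": "Deny",
                "NotAction": ["s3:*", "iam:*"],
                "Resource": "*",
                "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
            },
            {   # deny deleting one specific bucket, whatever else allows it
                "Effect": "Deny",
                "Action": "s3:DeleteBucket",
                "Resource": "arn:aws:s3:::example-audit-logs",
            },
        ],
    }


if __name__ == "__main__":
    policies = [ADMIN_ALLOW, mfa_guardrail("Bool")]
    print(evaluate(policies, "ec2:RunInstances", "*", {"aws:MultiFactorAuthPresent": False}))
    print(evaluate(policies, "ec2:RunInstances", "*", {}))  # key absent: Bool deny does not apply
```

Reading the guardrail the way the notes suggest (effect, then NotAction, then resource, then condition) shows that the first statement denies every non-S3/IAM action only when the MFA key is present and false; with long-term access keys the key is absent, the Bool condition does not match, and the deny silently does nothing, which is why the IAM documentation pairs aws:MultiFactorAuthPresent with BoolIfExists. The second statement shows the other note: the deny on s3:DeleteBucket only has any effect because ADMIN_ALLOW grants it; on its own the guardrail policy grants nothing.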

Note:

  • Watch global services
  • Watch the number of statements

Exam Hints:


Study: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

  • Allow Deny Allow
  • Explicit Deny rules them all
  • Watch NotAction elements