AWS IAM Roles vs Resource Based Policies
AWS allows granting cross-account access to AWS resources, which can be done using IAM Roles or Resource Based policies
- Roles can be created to act as a proxy to allow users or services to access resources
- Roles supports trust policy which helps determine who can access the resources and permission policy which helps to determine what they can access
- User who assumes a role temporarily gives up his or her own permissions and instead takes on the permissions of the role. When the user exits, or stops using the role, the original user permissions are restored.
- Roles can be used to provision access to almost all the AWS resources
- Permissions provided to the User through the Role can be further restricted per user by passing optional policy to the STS request. This policy cannot be used to elevate privileges beyond what the assumed role is allowed to access
Resource based Policies
- Resource based policy allows you to attach a policy directly to the resource that you want to share, instead of using a role as a proxy.
- Resource-based policy specifies who, as a Principal in the form of a list of AWS account ID numbers, can access that resource and what they can access
- With Cross-account access with a resource-based policy, User still works in the trusted account and does not have to give up her user permissions in place of the role permissions.
- User can work on the resources from both the accounts at the same time and this can be useful for scenarios for e.g. copying of objects from one bucket to the other
- Resource that you want to share are limited to resources which support resource-based policies
- Amazon S3 allows you to define Bucket policy to grant access to the bucket and the objects
- Amazon Simple Notification Service (SNS)
- Amazon Simple Queue Service (SQS)
- Amazon Glacier Vaults
- AWS OpsWorks stacks
- AWS Lambda functions
- Resource based policies need the trusted account to create users with permissions to be able to access the resources from the trusting account
- Only permissions equivalent to, or less than, the permissions granted to your account by the resource owning account can be delegated
AWS Certification Exam Practice Questions
- Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.
- What are the two permission types used by AWS?
- Resource-based and Product-based
- Product-based and Service-based
- User-based and Resource-based
- What’s the policy used for cross account access? (Choose 2)
- Trust policy
- Permissions Policy
- Key policy