AWS IAM Roles vs Resource-Based Policies
AWS allows granting cross-account access to AWS resources, which can be done using IAM Roles or Resource-Based Policies.
IAM Roles
- Roles can be created to act as a proxy to allow users or services to access resources.
- Roles carry two policies:
  - a trust policy, which determines who is allowed to assume the role (and so reach the resources), and
  - a permissions policy, which determines what the role can access.
- Users who assume a role temporarily give up their own permissions and instead take on the permissions of the role. The original user permissions are restored when the user exits or stops using the role.
- Roles can be used to provide access to almost all the AWS resources.
- Permissions provided to the user through the role can be further restricted per user by passing an optional policy to the STS AssumeRole request. This policy can only narrow what the session may do; it cannot elevate privileges beyond what the assumed role is allowed to access.
Resource-based Policies
- Resource-based policy allows you to attach a policy directly to the resource you want to share, instead of using a role as a proxy.
- A resource-based policy specifies the Principal (a list of AWS account ID numbers) that can access that resource and what actions they can perform on it.
- With cross-account access through a resource-based policy, the user keeps working in the trusted account and does not have to give up their own permissions in exchange for the role's permissions.
- Users can work on the resources of both accounts at the same time, which is useful for scenarios such as copying objects from one bucket to a bucket in a different AWS account.
- Resources that you want to share are limited to those that support resource-based policies:
  - S3, which lets you define a bucket policy to grant access to the bucket and its objects
  - Simple Notification Service (SNS)
  - Simple Queue Service (SQS)
  - Glacier vaults
  - OpsWorks stacks
  - Lambda functions
- Resource-based policies still require the trusted account to create users and grant them IAM permissions to access the resource from the trusted account; the resource-based policy alone is not enough.
- Only permissions equivalent to, or less than, the permissions granted to your account by the resource-owning account can be delegated to those users.
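The two access paths above follow one evaluation rule: a request succeeds only when every policy in the chain allows it and none explicitly denies it. The following is an added example, not AWS's evaluator or code from this page; it is a simplified model (string-matched account IDs, Action/Resource wildcards, no conditions) with constructed account IDs and bucket names, showing that a session policy can only narrow a role's permissions and that a bucket policy needs a matching IAM policy in the trusted account.

```python
from fnmatch import fnmatchcase

def as_list(v):
    return [v] if isinstance(v, str) else v

def policy_allows(policy, action, resource, principal):
    """'Deny', 'Allow' or None (no matching statement) for one policy document."""
    verdict = None
    for st in policy["Statement"]:
        # Identity-based policies carry no Principal; treat that as "any caller".
        who = as_list(st.get("Principal", {}).get("AWS", "*"))
        if (any(fnmatchcase(action, a) for a in as_list(st["Action"]))
                and any(fnmatchcase(resource, r) for r in as_list(st["Resource"]))
                and any(p in ("*", principal) for p in who)):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            verdict = "Allow"
    return verdict

def is_allowed(action, resource, principal, *policies):
    """Every policy in the chain must allow the request and none may deny it."""
    verdicts = [policy_allows(p, action, resource, principal) for p in policies]
    return "Deny" not in verdicts and all(v == "Allow" for v in verdicts)

TRUSTED_ACCOUNT = "111122223333"                           # constructed placeholder
OBJECTS = "arn:aws:s3:::example-shared-bucket/*"           # constructed placeholder
REQUEST = "arn:aws:s3:::example-shared-bucket/report.csv"  # constructed placeholder

# Role path: the role's permissions policy in the owning account ...
ROLE_PERMISSIONS = {"Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECTS}]}
# ... intersected with the optional session policy passed to sts:AssumeRole.
SESSION_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:DeleteObject"], "Resource": OBJECTS}]}

# Resource path: the bucket policy names the trusted account as Principal ...
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": TRUSTED_ACCOUNT},
    "Action": "s3:GetObject", "Resource": OBJECTS}]}
# ... and the trusted account must still grant its own user the matching permission.
TRUSTED_USER_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": "s3:Get*", "Resource": OBJECTS}]}

def role_path(action):
    return is_allowed(action, REQUEST, TRUSTED_ACCOUNT, ROLE_PERMISSIONS, SESSION_POLICY)

def resource_path(action):
    return is_allowed(action, REQUEST, TRUSTED_ACCOUNT, BUCKET_POLICY, TRUSTED_USER_POLICY)
```

Running `role_path` and `resource_path` over s3:GetObject, s3:PutObject and s3:DeleteObject shows only GetObject succeeding on both paths: the session policy's extra DeleteObject grant has no effect, and PutObject fails because the session policy (role path) and bucket policy (resource path) never allow it.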
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day, and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
- Open to further feedback, discussion and correction.
- What are the two permission types used by AWS?
  - Resource-based and Product-based
  - Product-based and Service-based
  - Service-based
  - User-based and Resource-based
- What’s the policy used for cross-account access? (Choose 2)
  - Trust policy
  - Permissions policy
  - Key policy