I am prepping for the Solutions Architect Professional exam and interestingly I came across this use case that a Udemy course is using to explain IAM Policies concepts. The example is trying to answer the question: "How do we deny the majority of Actions but allow a small set of Actions, for example when creating a Power User?"
They are using this to explain that NotAction would be useful in this case:
Left (the NotAction policy):

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "NotAction": [
          "iam:*",
          "organizations:*",
          "account:*"
        ]
      }
    }

Right (the explicit Action policy; the action names are corrected to the real IAM names, with the `Resource` element still omitted as in the original):

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "iam:CreateServiceLinkedRole",
          "organizations:DescribeOrganization",
          "account:ListRegions"
        ]
      }
    }
My question is, what purpose does NotAction serve if IAM policies are DENY by default and are OPT-IN to allow access? I mean, if they had just given the permissions on the right, then wouldn't those three ALLOWS be all that's allowed (by default nothing is allowed), thus making NotAction policies redundant?
The first statement is giving access to all the other AWS services. That is the power-user permissions. For example, that statement gives full permission to access EC2, S3, DynamoDB, etc. It gives all permissions for all AWS services except IAM, Organizations, and Account.
The purpose of that statement isn't to deny access to three services and nothing else. The purpose of that statement is to give access to all the other hundreds of services that AWS provides, without tediously listing them all out, and even being future proof by giving access to new services when new services are added.
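To make the difference between the two statements concrete, here is an added example (not part of the question or the answer above) with a deliberately simplified IAM evaluator: implicit deny, an explicit Deny wins, `Action`/`NotAction` matched with IAM's case-insensitive wildcards, and `Resource`/`Condition` ignored. The three policies below are constructed from the two statements in the question; `COMBINED` puts both statements in one policy, which is how the service-linked-role and describe-organization permissions get back in.

```python
import fnmatch

# Constructed from the question: statement 1 (NotAction) and statement 2 (Action).
NOTACTION_STMT = {"Effect": "Allow",
                  "NotAction": ["iam:*", "organizations:*", "account:*"]}
ACTION_STMT = {"Effect": "Allow",
               "Action": ["iam:CreateServiceLinkedRole",
                          "organizations:DescribeOrganization",
                          "account:ListRegions"]}

NOTACTION_ONLY = {"Version": "2012-10-17", "Statement": NOTACTION_STMT}
ACTION_ONLY = {"Version": "2012-10-17", "Statement": ACTION_STMT}
COMBINED = {"Version": "2012-10-17", "Statement": [NOTACTION_STMT, ACTION_STMT]}


def _as_list(value):
    # "Statement", "Action" and "NotAction" may each be a single value or a list.
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def statement_applies(stmt, action):
    """True when the statement's Action/NotAction element covers `action`."""
    if "Action" in stmt:
        return _matches(action, stmt["Action"])
    if "NotAction" in stmt:
        # NotAction inverts the match: everything NOT listed is covered.
        return not _matches(action, stmt["NotAction"])
    return False


def is_allowed(policy, action):
    """Simplified evaluation: implicit deny, explicit Deny beats any Allow.
    Resource and Condition elements are intentionally ignored."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if statement_applies(stmt, action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def compare(action):
    """Outcome of the same action under each of the three policies."""
    return {name: is_allowed(p, action) for name, p in
            (("NotAction only", NOTACTION_ONLY), ("Action only", ACTION_ONLY),
             ("Combined", COMBINED))}
```

Running `compare("ec2:RunInstances")` shows the point of the answer: the NotAction statement allows it (and would allow an action from a service that does not exist yet), while the explicit Action statement alone allows none of that.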