chrisdunne.com

Evaluation of Conflicting AWS Policies

I was curious what happens when you have multiple conflicting IAM Policies, does one trump the other?

It turns out that evaluation is made against a union of all policies relating to a resource. As a result, if you have permissions defined for an IAM Principal within an IAM Policy, an S3 policy, and an S3 ACL, all the permissions are combined and evaluated together.

Flow chart representing policy evaluation

Only if no method specifies a DENY and one or more methods specify an ALLOW will the request be allowed.

If you liked this post, you may also be interested in...

Serverless is probably still the best option... feature image

Serverless is probably still the best option...

Recently Serverless architecture sceptics within the tech community came out in full force, in response to an Amazon Prime Video team publishing a blog post titled, "Scaling up the Prime Video audio/video monitoring service and reducing costs by 90%". Although the post was published a few months ago, the past week saw responses from some well known influencers, and as a result the fans of monolithic architecture have been on the offensive.

Using AWS Backup Vault Lock as an immutable denial of wallet attack feature image

Using AWS Backup Vault Lock as an immutable denial of wallet attack

With traditional denial of wallet attacks, it’s a little primitive and chaotic. The tactics are usually centred around creating as many expensive resources as possible before the account owner notices, resulting in potentially significant financial loss. Whereas with AWS Backup Vault Locks, we can assume from the AWS docs that there is no way to rectify an attack targeting immutable backups, besides potentially nuking the account and everything in it.

Scanning AWS Accounts with Aqua Trivy feature image

Scanning AWS Accounts with Aqua Trivy

Aqua Trivy is an open source tool for finding security misconfigurations in our cloud environments. With security misconfiguration sitting at position 5 in the current OWASP top 10, having a tool in our arsenal to detect these security flaws is beneficial. We can also introduce Trivy to our deployment pipelines as a quality gate to prevent security misconfigurations reaching our production environments.