added info

This commit is contained in:
Stefan Friese 2024-02-13 00:04:26 +01:00
parent 288131e103
commit 110acc6fb7
1 changed files with 17 additions and 3 deletions


@ -87,10 +87,10 @@ shared between people, everyone has full root access.
Policies are an authorization measurement. After authentication of a user (or
principal) policies of the account are checked if the request is allowed.
A policy may also be attached to a resource. Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html).
A policy may also be attached to a resource. Policy evaluation can be found in the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html). There are resource and identity based policies.
```sh
aws iam get-policy
aws iam get-policy --policy-arn <ARN>
```
Policy details consists of the following [example](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html)
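Review bot: `aws iam get-policy --policy-arn <ARN>` (the changed line in this hunk) returns only policy metadata such as `DefaultVersionId` and `AttachmentCount`, not the JSON document that the following paragraph goes on to describe; to read the statements you need `aws iam get-policy-version --policy-arn <ARN> --version-id <DefaultVersionId>`, so consider adding that command under the first one. Also, "authorization measurement" in the context line should be "authorization mechanism", and the added sentence reads better as "There are resource-based and identity-based policies." placed before the link sentence rather than appended after it, since the link sentence already introduces resource policies.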
@ -108,6 +108,14 @@ aws iam get-policy
}
```
Policy enforcement is done via the `Effect` keys and either has `allow` or `deny` keys set in the JSON object. Deny is default.
The `Action` keyword contains a Service and an API keyword on on that service in the scheme `<servicename>:<APIKeyword>`.
The Resource key contains the ARN of the resource the policy is set for.
The `Principal` key is only set for resource policies and contains the principal who is able to act on the resource. For example a `*` value allows public access.
The following graph is taken from the documentation, it shows the evaluation
logic inside an account
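Review bot: The `Effect` description on the "Policy enforcement" line is inaccurate: `Effect` is a single key whose value is the string `Allow` or `Deny` (capitalized, case-sensitive), not a pair of `allow`/`deny` keys, and "Deny is default" should be stated as an implicit deny, i.e. a request is denied unless some applicable statement allows it, while an explicit `Deny` always overrides any `Allow`. On the `Action` line, fix the doubled "on on" and give a concrete instance of the `<servicename>:<APIKeyword>` form such as `s3:GetObject` (wildcards such as `s3:Get*` are also valid there). `Resource` should be in backticks like the other element names. The `Principal` line is right that the element only appears in resource-based policies; it is worth adding that a role's trust policy is such a policy, since that is where `sts:AssumeRole` access to the role is granted.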
@ -118,7 +126,7 @@ A principal can have multiple policies attached.
Policies like `assume-role` and `switch-role` can lead to the gain of roles
with higher permissions
A `*` inside a policy represents every principal. Set the `*` to make an instance of a service
A `*` inside a policy represents every principal. Set the `*` to make an instance of a service
public through the Internet.
Administrator access policies can be queried to see who has elevated permissions.
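Review bot: `assume-role` and `switch-role` are not policies: `assume-role` is the STS API call (`sts:AssumeRole`, invoked with `aws sts assume-role --role-arn <ARN> --role-session-name <name>`) and "switch role" is the console front-end for the same thing, and the escalation requires both an identity policy permitting `sts:AssumeRole` on the role and a trust policy on the role that names the caller. The two identical "`*` inside a policy represents every principal" lines suggest the change here is whitespace-only, and the sentence itself is only true inside the `Principal` element; in `Action` or `Resource` a `*` means all actions or all resources, so say which element is meant. For the last line, name the query, e.g. `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess`, which lists the users, groups and roles with that managed policy attached.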
@ -336,6 +344,12 @@ Download via `curl`, `wget` or `s3` cli via
aws s3 cp s3://<bucketname>/foo_public.xml . --no-sign-request
```
#### S3 Policies
```sh
aws s3api get-bucket-policy --bucket <bucketname>--query Policy --output text
```
#### ACL
If the ACL is set to
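Review bot: The `get-bucket-policy` line is missing a space between `<bucketname>` and `--query`, so as written the CLI receives a single argument and fails; it should be `aws s3api get-bucket-policy --bucket <bucketname> --query Policy --output text`. Because the `Policy` field is returned as a JSON string, the `--output text` form prints it on one line; piping it through `jq .` makes the statements readable, and a `NoSuchBucketPolicy` error simply means no bucket policy is attached, which is a separate case from the ACL checks that follow.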