IAM Pulse Check #11 - A New Perspective
Making sense of the AWS IAM policy evaluation logic
In the weeks leading up to AWS re:Invent, the content teams often sprinkle a few notable tidbits here and there, saving the big stuff for the main event. Sometimes it’s a teaser for an upcoming product release, other times it’s getting in front of something that they know will be in focus. Either way, it’s fun (but futile) to speculate what they’ll announce.
For IAM, one element of note is an update to the commonly referenced Policy Evaluation Logic diagram – seemingly in an attempt to clarify some of the nuances, specifically around Session Policies and Resource Policies. Like any trusted piece of software, IAM is deterministic in the sense that it will always behave exactly as it should. It’s complicated because of all the inputs and surrounding context that could impact the decision making process.
Knowing the decision flow is critical to understanding how IAM works, but it hardly paints the whole picture. With such a multi-dimensional domain, though, can you even paint the whole picture? This is the fundamental challenge that makes IAM hard to learn. Our mental models simply aren’t aligned to the space, no matter how much studying one does.
A way to approach something so multi-dimensional is to continually adjust your perspective. The Policy Evaluation Logic as presented is the perspective of a single request. But if you want to know why a user has permissions to do one thing but not another, or why a resource can be accessed from one role but not another, you have to change your perspective. A sentence I like to use to orient myself is, “this principal has permissions for these actions on these resources because of these policies.” This perspective has its own set of inputs and context that impact the answer, of course, but it can be reasoned with just like that of a single request.
As you embark on an IAM learning path, I find it helpful to constantly adjust your perspective. You start to pick up the nuances along the way. There’s plenty of tools to test and validate every deterministic element, but you’ll always be the only one responsible for your own mental model, so the more you truly comprehend, the better.
IAM checking these out...
AWS Identity and Access Management now makes it more efficient to troubleshoot access denied errors in AWS
Context is key! Anyone who has ever stared at an Access Denied message in disbelief will appreciate more context. Here, AWS will add the policy type to the error message, allowing you to better pinpoint the cause. Only a select number of resources are supported in this update, but more to follow.
A solid piece of research that found that the Access Key IDs issued by AWS aren’t always unique – as it turns out, they are recycled. While the credential combo includes a Secret Key and a Session Token that are thankfully not also recycled the same way, the issue here is that scanning services would be confused by a conflict, potentially throwing off your analytics. Interesting findings, something to be mindful of.
After spending the past few years in the Privileged Access Management space, I’m always keen on temporary access. As my colleague Robert once said (I’m paraphrasing), “with static credentials, time is a bug. With ephemeral credentials, time is a feature. This article walks through a JIT access architecture on AWS. In typical AWS fashion, however, their definition of "minimal” is questionable (as-in, you probably don’t need all of those services).
IAM reading from the community...
Frequent contributor, Kyler Middleton, is back with another technical article, walking through a method for building IAM policies inline Terraform code. Super cool! If done carefully, this method could save a lot of trial & error and back & forth to right size.
I encourage everyone to follow Tobias Schmidt on Twitter – he does a recurring thread series walking through select cloud topics in a clear and concise way. He was grateful enough to bring over his recent IAM series into article form for the site. A solid read for those looking to brush up on the fundamentals.
IAM listening to this...
I obviously show a lot of love for the Impulse Records aesthetic, but at the end of the day, you really can’t top Blue Note Records. The photography & typography and colors & shapes are unmatched. Label co-founder Francis Wolff was behind many of the photographs, and Reid Miles the labels – an incredible pair. I could keep this newsletter theme going for years just pulling from my modest (but always growing) Blue Note collection. An artist who had a long career on Blue Note is trumpet player Donald Byrd. For nearly 3 decades, Donald Byrd released on Blue Note, constantly evolving his sound and style. A seminal piece of work is this 1964 release, A New Perspective. Recording alongside a church chorus, the sounds here are spiritual and groovy. And that cover… it doesn’t get much cooler than that.
Join the beta waitlist
Enter your email to get notified when our product becomes available to try.
Sign Up for the community
Create your member profile to get involved with our content, programs, and events.