
IAM Pulse Check #11 - A New Perspective

IAM Pulse Check
By Ivan Dwyer • Issue #11
Hey folks,
In the weeks leading up to AWS re:Invent, the content teams often sprinkle a few notable tidbits here and there, saving the big stuff for the main event. Sometimes it’s a teaser for an upcoming product release, other times it’s getting in front of something that they know will be in focus. Either way, it’s fun (but futile) to speculate what they’ll announce.
For IAM, one element of note is an update to the commonly referenced Policy Evaluation Logic diagram – seemingly in an attempt to clarify some of the nuances, specifically around Session Policies and Resource Policies. Like any trusted piece of software, IAM is deterministic in the sense that it will always behave exactly as it should. It’s complicated because of all the inputs and surrounding context that could impact the decision making process.
Knowing the decision flow is critical to understanding how IAM works, but it hardly paints the whole picture. With such a multi-dimensional domain, though, can you even paint the whole picture? This is the fundamental challenge that makes IAM hard to learn. Our mental models simply aren’t aligned to the space, no matter how much studying one does.
A way to approach something so multi-dimensional is to continually adjust your perspective. The Policy Evaluation Logic as presented is the perspective of a single request. But if you want to know why a user has permissions to do one thing but not another, or why a resource can be accessed from one role but not another, you have to change your perspective. A sentence I like to use to orient myself is, “this principal has permissions for these actions on these resources because of these policies.” This perspective has its own set of inputs and context that impact the answer, of course, but it can be reasoned with just like that of a single request.
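To make both perspectives concrete, here is an added example (not from the newsletter, and not AWS's evaluator): a deliberately simplified single-account evaluator that answers the per-request question, plus an inverted view that enumerates "this principal has permissions for these actions on these resources because of these policies". The policy naming scheme, the sample statements and the simplification that a matching resource-policy Allow is sufficient on its own are all assumptions of this example.

```python
from fnmatch import fnmatchcase
# Constructed policies. Key scheme (an assumption of this example):
# "identity:<principal>", "session:<principal>", "resource:<resource name>".
POLICIES = {
    "identity:dev-role": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
    "session:dev-role": [  # session policy passed when the role was assumed
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    ],
    "resource:logs-bucket": [  # bucket policy naming the principal directly
        {"Effect": "Allow", "Principal": "dev-role", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::logs-bucket/*"},
    ],
}

def _matches(stmt, principal, action, resource):
    # A statement without a Principal element applies to whoever owns the policy.
    if stmt.get("Principal", principal) != principal:
        return False
    return fnmatchcase(action, stmt["Action"]) and fnmatchcase(resource, stmt["Resource"])

def evaluate(principal, action, resource, policies=POLICIES):
    """Single-request perspective: returns (decision, names of deciding policies).
    Explicit Deny wins; a resource-policy Allow suffices; otherwise an identity
    Allow is needed and the principal's session policy (if any) must allow too."""
    hits = {}  # policy name -> set of Effects from matching statements
    for name, stmts in policies.items():
        kind, _, owner = name.partition(":")
        if kind in ("identity", "session") and owner != principal:
            continue  # another principal's policies never apply
        for s in stmts:
            if _matches(s, principal, action, resource):
                hits.setdefault(name, set()).add(s["Effect"])
    denies = sorted(n for n, eff in hits.items() if "Deny" in eff)
    if denies:
        return "Deny", denies
    allows = {n for n, eff in hits.items() if "Allow" in eff}
    resource_allows = sorted(n for n in allows if n.startswith("resource:"))
    if resource_allows:
        return "Allow", resource_allows
    session = f"session:{principal}"
    if any(n.startswith("identity:") for n in allows) and (session not in policies or session in allows):
        return "Allow", sorted(allows)
    return "Deny", ["implicit deny"]

def permissions_of(principal, actions, resources, policies=POLICIES):
    """Inverted perspective: allowed (action, resource) pairs -> policies that grant them."""
    results = {(a, r): evaluate(principal, a, r, policies) for a in actions for r in resources}
    return {k: why for k, (decision, why) in results.items() if decision == "Allow"}
```

Running `permissions_of("dev-role", ...)` over a few actions and resources shows the session policy trimming the identity policy's `s3:*` down to reads on the app bucket, while the bucket policy on `logs-bucket` still grants the write it names; the explicit Deny on `s3:DeleteObject` wins everywhere.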
As you embark on an IAM learning path, I find it helpful to constantly adjust your perspective. You start to pick up the nuances along the way. There are plenty of tools to test and validate every deterministic element, but you’ll always be the only one responsible for your own mental model, so the more you truly comprehend, the better.
Cheers,
Ivan

Updated AWS IAM Policy Evaluation Logic Diagram
IAM checking these out...
IAM reading from the community...
Terraform Dynamic IAM Policy Construction | IAM Pulse
AWS 1x1 - Identity and Access Management | IAM Pulse
IAM listening to this...
From the depths of my personal collection
Ivan Dwyer

Quick bite commentary and curation to help wrangle the complexities of cloud operations & security. Also puns and tunes.
