1
Q
ARNs
A
Amazon Resource Names
- uniquely identify resources
Starts with:
arn: partition:service:region:account_id:
ex: arn:aws:rds:us-east1:123456789012:
Can ends with:
- resource
- resource_type/resource
- resource_type/resource/qualifier
- resource_type:resource
- resource_type:resource:qualifier
2
Q
What does :: mean in an ARN?
A
region omitted
- only works when the service doesn’t require a region, like IAM
3
Q
What does * mean within an ARN?
A
wildcard
- for example, to denote all instances within a region
4
Q
IAM policies
A
- ** If not explicitly allowed, it is implicitly denied
- JSON doc that defines permissions
- identity policies
- resource policies
- have no effect until applied to a group or user account
- a policy doc is a list of statements that match an AWS API request
5
Q
Permission Boundaries
A
- used to delegate administration to other users
- prevent privilege escalation or unnecessarily broad permissions
6
Q
Permission Boundaries Use Cases
A
- developers creating roles for lambda functions
- application owners creating roles for EC2 instances
- admins creating ad-hoc users
ACSA - AraBob
flashcards
Decks in class (22)
# Cards
