KMS Access: Policy Evaluation Logic
Difficulty: Intermediate
Duration: 4h 50m
Students: 321
Rating: 4.3/5
Description

This section of the AWS Certified Solutions Architect - Professional learning path introduces the key identity management, security, and encryption services within AWS that are relevant to the AWS Certified Solutions Architect - Professional exam. Core to security is AWS Identity & Access Management, commonly referred to as IAM. This service manages the identities that can access your AWS resources and their permissions, so understanding how it works and what you can do with it will help you maintain a secure AWS environment. IAM is an important service in ensuring your resources are secure.


Learning Objectives

  • Learn about identity and access management on AWS, including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
  • Learn the fundamentals of AWS Web Application Firewall (WAF), including what it is, when to use it, how it works, and why use it
  • Understand how to configure and monitor AWS WAF
  • Learn about AWS Firewall Manager and its components
  • Learn how to configure AWS Shield
  • Learn the fundamentals of AWS Cognito
Transcript

Understanding who has access to a KMS key can be a little confusing, as there are three potential ways of gaining access to and using a KMS key: through the key policy, through IAM policies, and through grants.

Determining the correct level of access means you need to understand how these access methods all work in conjunction with one another. So let's look at a simple example to ensure we understand some key points. In this scenario, we have three KMS keys and four users.

Here you can see the KMS keys, users and scenario statements that are applicable to this example.

So we have three KMS keys: Key-A, Key-B, and Key-C, and we have four users: Alana, Danny, Carlos, and Jorge.

So the Scenario statements are: 

  • Key-A's key policy enables IAM policies to be used to manage access.
  • Key-B's key policy allows Danny and Carlos to perform cryptographic operations. Controlling access via IAM has not been enabled.
  • Key-C's key policy enables IAM policies to be used to manage access. Access is also explicitly denied for Danny and Carlos, while full cryptographic operations access is given to Alana and Jorge. Jorge also has access to create grants.
  • Alana's IAM policy permissions allow all KMS actions on Key-A and Key-B.
  • Danny has no IAM policy permissions.
  • Carlos' IAM policy permissions allow KMS encrypt access on Key-A.
  • Jorge's IAM policy permissions allow all KMS actions on Key-B and Key-C.

So let's now look at each of these users' access to see if they can perform cryptographic operations, starting with Alana.

Alana's access to Key-A is successful, as her IAM policy permissions allow all KMS actions against Key-A and Key-A's key policy allows IAM policies to be used to manage access. Her access to Key-B is denied, as the key policy for this key does not allow IAM policies to be used. Alana's access to Key-C is successful because the key policy allows her access directly; she has no IAM policy permissions for Key-C, so access is given purely through the key policy.

Now let's take a look at Danny. His access to Key-A is denied, as there are no explicit entries in the key policy for Danny and he has no IAM policy permissions associated with him. His access to Key-B is successful, as the key policy allows Danny access despite him having no IAM policy permissions. Danny's access to Key-C is denied due to the explicit deny statements within the key policy. An explicit deny will always overrule any allow.

Now let's look at Carlos' access. For Key-A, he has encrypt access only, which is given through his IAM policy permissions; the key policy allows IAM policies to be used to manage access, so those permissions apply. For Key-B, access is also successful, as the key policy allows him access directly. His IAM policy permissions are irrelevant here, as the key policy does not allow IAM policies to be used to manage access. His access to Key-C is denied due to the explicit deny statements within the key policy, and an explicit deny will overrule any allow.

And finally, Jorge's access. He has no access to Key-A, as neither the key policy nor his IAM policy permissions provide access. He has no access to Key-B, as the key policy for this key does not allow IAM policies to be used. So despite access being granted at the IAM policy level for Jorge, the key policy does not allow IAM policies to be used and his IAM permissions are disregarded. Access to Key-C is allowed for KMS cryptographic operations, in addition to the ability to create grants.
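The following is an added worked example, not part of the course or its transcript. It writes the scenario statements above as policy documents in the shape AWS uses (key policies carry a Principal; identity-based IAM policies do not; "enables IAM policies" is the key-policy statement that allows the account root principal kms:* actions) and runs a deliberately simplified evaluator over them to reproduce the walk-through for Alana, Danny, Carlos and Jorge. The account id, region and key ids are constructed placeholders, and the evaluator only models the rules the transcript uses: an explicit deny wins, a key-policy allow naming the principal grants access, and an IAM allow counts only when the key policy delegates to IAM. Grants, conditions, service control policies and cross-account access are outside the model.

```python
"""Added example (not from the course): a simplified model of KMS access
evaluation using policy documents in the real KMS / IAM JSON shape.
All ARNs and the account id are constructed placeholders."""

ACCOUNT = "111122223333"                      # constructed placeholder account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"         # principal of the "Enable IAM User Permissions" statement
CRYPTO_OPS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
              "kms:GenerateDataKey*", "kms:DescribeKey"]


def user_arn(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"


# Constructed key ARNs for the three keys in the scenario.
KEYS = {k: f"arn:aws:kms:us-east-1:{ACCOUNT}:key/{k.lower()}-0000"
        for k in ("Key-A", "Key-B", "Key-C")}


def statement(principal, action, resource="*", effect="Allow"):
    """Build one policy statement; key-policy statements carry a Principal, IAM ones do not."""
    stmt = {"Effect": effect, "Action": action, "Resource": resource}
    if principal is not None:
        stmt["Principal"] = {"AWS": principal}
    return stmt


KEY_POLICIES = {
    # Key-A: only the root statement, so access is governed entirely by IAM policies.
    "Key-A": [statement(ROOT, "kms:*")],
    # Key-B: names Danny and Carlos directly; no root statement, so IAM policies are ignored.
    "Key-B": [statement([user_arn("Danny"), user_arn("Carlos")], CRYPTO_OPS)],
    # Key-C: delegates to IAM, denies Danny and Carlos, allows Alana and Jorge, grants for Jorge.
    "Key-C": [statement(ROOT, "kms:*"),
              statement([user_arn("Danny"), user_arn("Carlos")], "kms:*", effect="Deny"),
              statement([user_arn("Alana"), user_arn("Jorge")], CRYPTO_OPS),
              statement(user_arn("Jorge"), "kms:CreateGrant")],
}

# Identity-based IAM policies, keyed by user (Danny has none).
IAM_POLICIES = {
    "Alana": [statement(None, "kms:*", [KEYS["Key-A"], KEYS["Key-B"]])],
    "Danny": [],
    "Carlos": [statement(None, "kms:Encrypt", KEYS["Key-A"])],
    "Jorge": [statement(None, "kms:*", [KEYS["Key-B"], KEYS["Key-C"]])],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_ok(stmt, action):
    # Trailing-'*' wildcards as used in KMS policies (kms:*, kms:ReEncrypt*).
    return any(action.startswith(p[:-1]) if p.endswith("*") else p == action
               for p in _as_list(stmt["Action"]))


def _matches(stmt, action, principal=None, resource=None):
    """Does this statement cover the action, and (if given) the principal and resource?"""
    if not _action_ok(stmt, action):
        return False
    if principal is not None and principal not in _as_list(stmt["Principal"]["AWS"]):
        return False
    if resource is not None and not any(r in ("*", resource) for r in _as_list(stmt["Resource"])):
        return False
    return True


def is_allowed(user, key, action):
    """Simplified KMS decision for one principal, one key and one action."""
    me, key_arn = user_arn(user), KEYS[key]
    kp, iam = KEY_POLICIES[key], IAM_POLICIES.get(user, [])
    # 1. An explicit deny in either document overrules every allow.
    if any(s["Effect"] == "Deny" and _matches(s, action, principal=me) for s in kp):
        return False
    if any(s["Effect"] == "Deny" and _matches(s, action, resource=key_arn) for s in iam):
        return False
    # 2. The key policy may allow the principal directly, regardless of IAM policies.
    if any(s["Effect"] == "Allow" and _matches(s, action, principal=me) for s in kp):
        return True
    # 3. IAM allows count only when the key policy delegates to IAM (root principal allow).
    delegates = any(s["Effect"] == "Allow" and _matches(s, action, principal=ROOT) for s in kp)
    return delegates and any(s["Effect"] == "Allow" and _matches(s, action, resource=key_arn)
                             for s in iam)


def access_matrix(action="kms:Encrypt"):
    """Who can perform `action` on which key; reproduces the transcript's walk-through."""
    return {u: {k: is_allowed(u, k, action) for k in KEYS} for u in IAM_POLICIES}


if __name__ == "__main__":
    for user, row in access_matrix().items():
        print(user, {k: ("allowed" if v else "denied") for k, v in row.items()})
```

Running the block prints one row per user for kms:Encrypt, matching the transcript (Alana A and C, Danny B, Carlos A and B, Jorge C). Because the model keeps the three decision steps separate, it also shows the cases the narration touches only in passing: Carlos can encrypt with Key-A but not decrypt, since his IAM policy lists only kms:Encrypt, and Alana cannot create grants on Key-C even though the key delegates to IAM, since her IAM policy does not cover Key-C.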

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.