问题
After asking this question I did some digging and found a couple of policies with:
{
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}
in them.
Reading through the policies evaluation logic page again the second step stands out to me:
- Evaluate all applicable policies.
The first part of my question is: How does AWS determine what policies are applicable? To my understanding this is done by looking at the Principle and/or Resource keys.
BUT: in IAM these policies have attached entities which are to my understanding the same as Principles. Which gets to the second part of the question:
What does an attached entity do to a policy?
As far as i understand all this does is tell AWS that the policy is applicable to a role, but I do not understand how this works with a "Resource":"*" in the policy.
so:
- How does AWS determine what policies are applicable?
- What does an attached entity do to a policy?
- Makes the
"Resource":"*"the policy always applicable?
回答1:
1> While making a request (either using access keys or Console), you are passing the username/role name. So let's say you are accessing the API using an IAM user. So, AWS will check the policy attached to the user, policy attached to the IAM Group (if any). Also, it also checks if there are any resource based policy e.g. S3 bucket policy, SNS topic policy which is determined by the resource in the request.
2> A policy does nothing if you don't attach it to an IAM entity or any resources (for resource based policy). The attached entity (I think you are referring to the IAM entities) are used to decide the principal and in turns it tells where to check for the permission (whether it is an IAM user, then check IAM group membership etc.).
3> Resource:* means that this policy gives permission to any AWS resources. So the policy you have mentioned will translate: Allow ("Effect":"Allow") every action ("Action":"") on every resources ("Resource":"").
Hope this helps..
来源:https://stackoverflow.com/questions/45690048/aws-iam-applicable-policies-and-attached-entities