1 Answers
Clarification on resource/user policy. One rule for evaluating permissions is that if there is an explicit allow for an action and no deny, then the action is allowed. In your case I think the resource policy will be attached through a role, and hence if the role has the action allowed and the user assumes the role by any means, then the user can perform the action.
You can only assume a role to access another account. So if it is the same account and KMS gives you explicit access, is that enough? I assume yes.
You can assume a role within the same account. If you have an explicit allow from KMS and there is no deny in any policy assigned to you, then you can access the resource or perform the action.
Thanks Faas for the feedback. Penetration testing of any form will need approval. It's clearly written on the AWS penetration testing website.
Preapproved marketplace products: "Based upon this, customers may scan at their convenience, as EC2 Scanning using Qualys has been pre-authorized by Amazon, negating the need to obtain explicit permission from Amazon before proceeding with scanning as is typically required."