AWS Certified Solutions Architect - Professional 2020


IAM Policy Intersection re:invent 2017 IAM Ninja video

Hi there, this video is linked as an Exam tip from the Security section of the SA Professional course:

At about 28:44 the presenter talks about the order of policy evaluation when there are SCPs, IAM entity policies and resource policies in place. More specifically, she talks about an intersection between IAM managed policies, IAM inline policies and scoped-down policies. Initially the managed policy and inline policy are attached to user "Casey", and then she says something like "let's assume that Casey is a role", and this role would now represent the scoped-down policy. I struggle to understand how this could happen in real life. In what scenario would we have policies attached to a user and additionally coming from a role? Isn't a role assumed, and then only its policies count? I am confused about this part of the video, so if you could help me make sense of this, it would be appreciated!



1 Answer

Hi Philipp,

If I'm understanding the video and your question correctly, she's saying that the scope-down policy plus the Casey "role" (which includes the inline and managed policies) would yield the overlap marked in green in the video. I think the intent here was to say that we could have policies assigned to a user but also policies assigned to a role that is assigned to that user. The union of all these policies is then what the user account has access to.

In practice, I really don't like assigning policies to users directly…I will almost always create a role for that…even for service accounts. But you can absolutely assign policies to users and also to roles, then assign those roles to users. The user's access is always going to be the combination of all those policies, which may or may not overlap.


Philipp von dem Bussche

Thanks Scott but I thought one cannot assign a role to a user ?
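Added example (not part of the thread above, and not the course's or AWS's code): in AWS the "scoped-down policy" from the video is a session policy, the optional `Policy` JSON you pass to `sts:AssumeRole` (or `GetFederationToken`). It never grants anything on its own; the session's effective permissions are the intersection of the role's identity-based policies (managed plus inline, taken together), any SCP on the account, and the session policy, with an explicit Deny in any of them winning. The Python below is a deliberately simplified evaluator that models exactly that intersection for same-account requests. It handles only `Effect`/`Action`/`Resource` statements (no `Condition`, `NotAction`, `NotResource`, resource-based policies or permissions boundaries), and the policies, bucket, table and account ID `123456789012` are constructed placeholders, not from the video.

```python
"""Simplified IAM policy-intersection evaluator (illustrative, not AWS's algorithm)."""
import fnmatch
import json

# --- Constructed sample policies (placeholders, not from the video or any account) ---
MANAGED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::casey-bucket/*"},
]}
INLINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::casey-bucket"},
    {"Effect": "Allow", "Action": "dynamodb:GetItem",
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/casey-table"},
]}
# The scoped-down (session) policy: narrows to read-only S3 and explicitly forbids deletes.
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::casey-bucket", "arn:aws:s3:::casey-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}
FULL_ACCESS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
NO_S3_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
]}


def _listify(value):
    """IAM allows a bare string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_sensitive):
    """IAM-style wildcard match: '*' any run, '?' one char. Actions are case-insensitive."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Decision of ONE policy document: 'Deny', 'Allow' or 'Implicit' (no matching statement)."""
    decision = "Implicit"
    for stmt in _listify(policy["Statement"]):
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource", "Principal")):
            raise NotImplementedError("only Effect/Action/Resource statements are modelled")
        action_hit = any(_matches(p, action, False) for p in _listify(stmt["Action"]))
        resource_hit = any(_matches(p, resource, True) for p in _listify(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny overrides every allow in the document
        decision = "Allow"
    return decision


def _combine(decisions):
    """Merge several identity-based policies attached to the same principal into one decision."""
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else "Implicit"


def is_allowed(action, resource, identity_policies, session_policy=None, scp=None):
    """Same-account request: every applicable layer must say Allow (intersection).

    identity_policies: the principal's managed + inline policies, evaluated together.
    session_policy:    the scoped-down policy passed on AssumeRole, if any.
    scp:               the organisation SCP, if the account is in an organisation.
    A 'Deny' or 'Implicit' from any layer makes the overall result False.
    """
    gates = [_combine([evaluate(p, action, resource) for p in identity_policies])]
    if scp is not None:
        gates.append(evaluate(scp, action, resource))
    if session_policy is not None:
        gates.append(evaluate(session_policy, action, resource))
    return all(g == "Allow" for g in gates)


def assume_role_kwargs(role_arn, session_name, session_policy):
    """Keyword arguments for boto3's sts.assume_role(); the session policy goes in 'Policy'.
    Not called here (no network); shown to tie the model back to the real API."""
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "Policy": json.dumps(session_policy)}


if __name__ == "__main__":
    identity = [MANAGED_POLICY, INLINE_POLICY]
    obj = "arn:aws:s3:::casey-bucket/report.csv"
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(act, "role alone:", is_allowed(act, obj, identity),
              "| with session policy:", is_allowed(act, obj, identity, SESSION_POLICY))
```

Run it and the intersection is visible directly: `s3:PutObject` and `s3:DeleteObject` are allowed by the role's managed policy alone but denied once the session policy is applied (the first because the session policy simply does not mention it, the second because of its explicit Deny), while `dynamodb:GetItem` from the inline policy disappears for the same reason. Swapping `FULL_ACCESS_SCP` for `NO_S3_SCP` blocks S3 for every layer below it, which is the ordering the video walks through.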
