1
00:00:00,530 --> 00:00:04,170
‫Okay, so now let's discuss, IAM policies in depth.

2
00:00:04,170 --> 00:00:06,850
‫So let's imagine we have a group of developers,

3
00:00:06,850 --> 00:00:09,020
‫Alice, Bob and Charles, and we,

4
00:00:09,020 --> 00:00:12,610
‫attach a policy at the group level.

5
00:00:12,610 --> 00:00:14,410
‫In that case, the policy will get applied

6
00:00:14,410 --> 00:00:16,270
‫to every single member of the group

7
00:00:16,270 --> 00:00:18,920
‫so both Alice, Bob, and Charles

8
00:00:18,920 --> 00:00:22,693
‫they will all get access and inherit this policy.

9
00:00:23,540 --> 00:00:25,360
‫Now, if you have a second group with operations

10
00:00:25,360 --> 00:00:26,660
‫with a different policy,

11
00:00:26,660 --> 00:00:28,440
‫David and Edward will have a different policy

12
00:00:28,440 --> 00:00:30,370
‫than the group of developers.

13
00:00:30,370 --> 00:00:32,740
‫If Fred is a user,

14
00:00:32,740 --> 00:00:35,210
‫it has the possibility not to belong to a group.

15
00:00:35,210 --> 00:00:36,880
‫And we have the possibility to create what's called

16
00:00:36,880 --> 00:00:38,820
‫an inline policy which has a policy

17
00:00:38,820 --> 00:00:40,960
‫that's only attached to a user.

18
00:00:40,960 --> 00:00:42,790
‫So that user could or could not belong to a group

19
00:00:42,790 --> 00:00:46,150
‫you can have inline policies for whatever user you want.

20
00:00:46,150 --> 00:00:48,810
‫And finally, if Charles and David both belong

21
00:00:48,810 --> 00:00:51,870
‫to the audit team and you attach a policy to the audit team

22
00:00:51,870 --> 00:00:54,600
‫as well, Charles and David will also inherit

23
00:00:54,600 --> 00:00:56,010
‫that policy from the audit team.

24
00:00:56,010 --> 00:00:58,850
‫So in this case, Charles has a policy from developers

25
00:00:58,850 --> 00:01:00,510
‫and a policy from audit team.

26
00:01:00,510 --> 00:01:02,230
‫And David has a policy from audit team

27
00:01:02,230 --> 00:01:04,630
‫and a policy from the operations team.

28
00:01:04,630 --> 00:01:05,700
‫That should make a lot of sense

29
00:01:05,700 --> 00:01:07,610
‫when we get into the hands-on.

30
00:01:07,610 --> 00:01:09,470
‫Now, in terms of the policy structure,

31
00:01:09,470 --> 00:01:11,320
‫you just need to know at a high level how it works,

32
00:01:11,320 --> 00:01:12,670
‫as well as how it is named.

33
00:01:12,670 --> 00:01:15,500
‫So this is something you will see quite a lot in AWS,

34
00:01:15,500 --> 00:01:17,770
‫so get familiar with this structure

35
00:01:17,770 --> 00:01:19,390
‫this is adjacent documents.

36
00:01:19,390 --> 00:01:21,520
‫And so an IAM policy structure, consists of a

37
00:01:21,520 --> 00:01:24,880
‫version number, so usually it's 2012-10-17,

38
00:01:24,880 --> 00:01:27,290
‫this is the policy language version.

39
00:01:27,290 --> 00:01:30,970
‫And ID which is how to identify that policy,

40
00:01:30,970 --> 00:01:31,880
‫this is optional.

41
00:01:31,880 --> 00:01:33,480
‫And then more statements,

42
00:01:33,480 --> 00:01:36,200
‫and statements can be one or multiple ones,

43
00:01:36,200 --> 00:01:37,980
‫and a statement has some very important parts.

44
00:01:37,980 --> 00:01:41,570
‫So the Sid is a statement ID, which is an identifier

45
00:01:41,570 --> 00:01:43,190
‫for the statement, which is optional as well,

46
00:01:43,190 --> 00:01:45,780
‫so on the right hand side is the number one.

47
00:01:45,780 --> 00:01:50,150
‫The effect of the policy itself, so it is whether or not

48
00:01:50,150 --> 00:01:53,820
‫the statement allows or denies access to certain API,

49
00:01:53,820 --> 00:01:56,220
‫so in the right hand side, this says allow,

50
00:01:56,220 --> 00:01:57,950
‫but you can see deny as well.

51
00:01:57,950 --> 00:02:02,170
‫The principle consists of which accounts, user or role

52
00:02:02,170 --> 00:02:05,450
‫which, to which this policy will be applied to.

53
00:02:05,450 --> 00:02:08,290
‫So in this example, it's applied to the root accounts

54
00:02:08,290 --> 00:02:10,610
‫of your AWS accounts.

55
00:02:10,610 --> 00:02:13,240
‫Action is the list of API calls that will be

56
00:02:13,240 --> 00:02:16,460
‫either denied or allowed based on the effect.

57
00:02:16,460 --> 00:02:19,570
‫And the resource is a list of resources,

58
00:02:19,570 --> 00:02:22,140
‫to which the actions will be applied to.

59
00:02:22,140 --> 00:02:24,020
‫So in this example, it is a bucket,

60
00:02:24,020 --> 00:02:25,780
‫but it could be many different things.

61
00:02:25,780 --> 00:02:27,790
‫And finally in, not represented here

62
00:02:27,790 --> 00:02:29,850
‫but there's a condition to which when

63
00:02:29,850 --> 00:02:32,590
‫this statement should be applied or not,

64
00:02:32,590 --> 00:02:35,200
‫and this is not representative here because it is optional.

65
00:02:35,200 --> 00:02:36,840
‫So going into the exam, you need to make sure

66
00:02:36,840 --> 00:02:39,440
‫that you really understand the effect, the principle,

67
00:02:39,440 --> 00:02:41,210
‫the action and resource, but don't worry,

68
00:02:41,210 --> 00:02:43,590
‫you will see those along the way in the course

69
00:02:43,590 --> 00:02:45,460
‫so you should be confident with them

70
00:02:45,460 --> 00:02:46,520
‫by the end of the course.

71
00:02:46,520 --> 00:02:48,100
‫That's it for this lecture, I hope you liked it.

72
00:02:48,100 --> 00:02:50,050
‫And I will see you in the next lecture.