
  • Federated User – policy change

  • Haridev Ngangbam

    Member
    August 3, 2021 at 9:34 pm

    Question in the picture. What if the access is elevated by the change in the assumed role? Can we detect this in AWS Config rule?

  • Carlo-TutorialsDojo

    Member
    August 4, 2021 at 6:12 am

    Hello Haridev,

    Even if the IAM policy attached to the role is elevated to S3 full access, if the S3 bucket policy is properly configured, restricting who and which methods are allowed, then the federated role still won’t be able to perform what it wants on that bucket. It is because resource-based policies are evaluated first before identity-based policies.

    Regards,

    Carlo @ Tutorials Dojo

    • Haridev Ngangbam

      Member
      August 4, 2021 at 6:02 pm

      Hi Carlo,

      Of course I understand that,

      but how do you come to the conclusion that the S3 bucket policy is more restrictive (properly configured)?

      Apparently & unfortunately the question bank has a lot of questions where you had to assume!

      • Carlo-TutorialsDojo

        Member
        August 5, 2021 at 5:24 am

        Thanks for the reply, Haridev.

        The questions that we create are patterned after the current exam format and the feedback of our users. They are designed this way to give you a good impression of the actual AWS exam. AWS likes to fill in details that add ambiguity to the question and this is something we are trying to replicate.

        My last reply was kind of speculative because you’ve asked a “what if” scenario in the first place.

        On a more important note, the main objective of this question is about providing the fastest way of detecting configuration changes. And using AWS Config configuration changes does this faster than a scheduled Lambda function.

        Let me know what you think.

        Regards,

        Carlo @ Tutorials Dojo

        • Haridev Ngangbam

          Member
          August 5, 2021 at 5:31 pm

          Hi Carlo,

          However, you cannot overlook the fact that there’s a technical gap in the chosen answer. And I think the question says “policy changes” and not “configuration changes”, if you will.

  • Carlo-TutorialsDojo

    Member
    August 6, 2021 at 6:29 am

    Hello Haridev,

    In this question, “policy changes” and “configuration changes” can be used interchangeably. “Configuration changes” is what AWS Config calls it when tracking changes in AWS resources (IAM policy, S3 bucket).

    Regards,

    Carlo @ Tutorials Dojo
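To make the original question concrete (can elevated access in the assumed role be caught by an AWS Config rule?) together with Carlo's point that Config tracks IAM policy changes as configuration changes, here is a change-triggered custom rule handler. It is an added example, not code from Tutorials Dojo or from this thread; the watch list of managed policies, the sample event and the configuration-item field names (`attachedManagedPolicies`, `rolePolicyList` with URL-encoded `policyDocument`) are assumptions to verify against your own Config items.

```python
import json
from urllib.parse import unquote

# Constructed watch list: managed policies whose attachment to a federated role
# this rule treats as elevated access.
BROAD_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
}

def grants_full_access(statement):
    """Allow statement granting every action, or every S3 action."""
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return statement.get("Effect") == "Allow" and any(a in ("*", "s3:*") for a in actions)

def evaluate_role(item):
    """Verdict for one AWS::IAM::Role configuration item (field names assumed to
    follow the Config item shape for roles; inline policyDocument is URL-encoded)."""
    if item["resourceType"] != "AWS::IAM::Role":
        return "NOT_APPLICABLE"
    cfg = item["configuration"]
    if any(p["policyArn"] in BROAD_POLICY_ARNS for p in cfg.get("attachedManagedPolicies", [])):
        return "NON_COMPLIANT"
    for inline in cfg.get("rolePolicyList", []):
        stmts = json.loads(unquote(inline["policyDocument"])).get("Statement", [])
        stmts = [stmts] if isinstance(stmts, dict) else stmts
        if any(grants_full_access(s) for s in stmts):
            return "NON_COMPLIANT"
    return "COMPLIANT"

def lambda_handler(event, context=None):
    """Entry point for a change-triggered custom rule. Returns the evaluation a
    deployed rule would report via config:PutEvaluations (not called here)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_role(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

# Constructed sample: a role whose latest change attached AmazonS3FullAccess.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::IAM::Role", "resourceId": "AROAEXAMPLEROLEID",
    "configurationItemCaptureTime": "2021-08-03T21:34:00.000Z",
    "configuration": {"rolePolicyList": [], "attachedManagedPolicies": [
        {"policyName": "AmazonS3FullAccess",
         "policyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}]}}})}
```

Because the rule fires on the configuration item delivered for each change, the verdict is produced as soon as Config records the new policy attachment rather than on a polling schedule.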

    • Haridev Ngangbam

      Member
      August 6, 2021 at 5:45 pm

      How about this part?

      How do you come to the conclusion that the S3 bucket policy is more restrictive (properly configured)?

      • Carlo-TutorialsDojo

        Member
        August 7, 2021 at 3:06 am

        Hello Haridev,

        As I previously stated, I was just responding to a hypothetical question. It’s only natural that you’d receive a speculative response. The scenario did not specify which resources will be tracked. It simply stated “to detect configuration changes,” so there is a gray area there. You can track changes in both IAM roles and the S3 bucket’s configuration, but since they aren’t given in the provided options you have to carefully evaluate the options and pick the answer that makes the most sense.

        • Haridev Ngangbam

          Member
          August 7, 2021 at 5:12 pm

          OK, then I would see this as a question with a missing correct answer.
