Home Membership Courses Blog
About Contact

Understanding Key Policy Evaluation Process

all aws aws kms aws security Jan 29, 2024

Introduction

This blog post aims to demystify the key policy evaluation process and explain the roles of Service Control Policies (SCP), Identity and Access Management (IAM) policies, VPC endpoint policies, Key policies, and Key grants in a simple and digestible manner.

The Basics of Policy Evaluation

When an AWS service receives a request, it evaluates various policies attached to the resource and the principal (user or role) making the request. This evaluation determines whether to allow or deny the request based on defined permissions. The evaluation process follows a specific order and considers different types of policies.

Order of evaluation

1. Service Control Policies (SCP)

SCPs are the first line of defence and are evaluated at the beginning of the policy evaluation process. If an SCP denies a request, no further evaluation takes place.

2. Identity and Access Management (IAM) Policy

The request is denied if an SCP allows an action, but an IAM policy denies it. Conversely, the process moves to the next step if both SCP and IAM policies allow it.

3. VPC Endpoint Policies

VPC Endpoint policies apply when accessing AWS services through VPC Endpoints. They're especially relevant for restricting access to services within a VPC, ensuring that traffic does not go over the public internet.

4. Key Policy

A Key policy defines who can use the key and for what actions. When a request involves encrypted data, the Key policy is evaluated to ensure the requester has the necessary permissions to use the key.

5. Key Grants

Key grants are useful for scenarios where temporary access is needed, and are evaluated after the Key policy.

Cross-Account Access

Cross-account access involves allowing principals (users or roles) in one AWS account to access resources in another. This is common in organizations with multiple AWS accounts. For cross-account access to work, the resource-based policy (e.g., S3 bucket policy, Key policy) in the account owning the resource must explicitly allow access from principals in the other account. Additionally, the principal's IAM policy in the accessing account must allow the action on the resource.

 Conclusion

Understanding how different policies interact and are evaluated in AWS can help us better manage access and security across your AWS environment. By knowing the role and evaluation order of SCPs, IAM policies, VPC endpoint policies, Key policies, and Key grants, we can design a robust and secure multi-account AWS architecture that precisely controls who can access what resources and under what conditions.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.

Recent Posts

Understanding TLS Termination with Load Balancers in AWS
all aws aws networking aws security
Apr 19, 2024
Understanding Load Balancing in AWS
all aws aws networking
Apr 18, 2024
A Beginner's Roadmap to Mastering AWS Networking
all aws aws networking roadmaps
Apr 08, 2024

Categories

All Categories all aws all azure amazon ec2 amazon s3 announcements aws aws architecture aws automation aws cloudhsm aws comparison 101 aws compute aws containers aws cost management aws developer tools aws devops aws feature 101 aws governance aws iam aws kms aws management tools aws messaging aws networking aws optimizations aws policies aws principles 101 aws recipes aws security aws serverless aws service 101 aws ssm aws storage aws tools 101 aws vpc azure networking azure security cloud computing ec2 security getting started multi-cloud roadmaps s3 security security updated
Lead Author @ Cloudericks Blogs

Heartin Kanikathottu

Principal Cloud Architect & Author

The Cloudericks blog posts are created and maintained by Heartin Kanikathottu and his team at Cloudericks with a bit of AI help. Heartin is an accomplished Cloud Architect and a prolific international author recognized globally, with one of his books being named all-time 8th best in cloud computing. Read more at heartin.github.io.

Want to askĀ doubts directly to Heartin and team?

Please become a Cloudericks member to join the KEWA group andĀ ask any questions directly to Heartin and the Cloudericks team! You can alsoĀ get access to our courses, cookbooks, quizzes, and the KEWA group!

Special Note: If you purchase any of Heartin's books related to cloud,Ā ask for a complimentary membership to KEWA group.Ā 

Explore Membership