
Summary

This chapter took you through the various types of access policies, their structure, and how to effectively and securely manage access to your AWS resources. You need to be fully aware of the different policies that exist within AWS and how they work together to either grant or deny access to resources based on different actions.  

Regardless of which policy you are using, one key point is to always implement security based on the Principle of Least Privilege (PoLP). This essentially means that you should grant an identity only the permissions it actually needs, and no more. For example, let's say a user needs to be able to stop and terminate instances using ec2:StopInstances and ec2:TerminateInstances. In that case, you wouldn't issue a policy that allows access to all EC2 APIs, such as ec2:*. If you do, you increase the potential for security threats, especially from an internal perspective. For the certification exam, ensure you can read access policies with ease to determine what the policy allows or denies access to.
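The least-privilege comparison above, as an added example that is not from the book: a simplified Python evaluator that reads identity-based policies and reports what they allow or deny. The account ID, region, instance ARN and the GUARD policy are constructed, and the model assumes only Effect, Action and Resource matter (no Condition, NotAction, NotResource or other policy types).

```python
import re

# Constructed sample values: account ID, region and instance ID are placeholders.
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
LEAST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*"}]}
GUARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:Terminate*", "Resource": "*"}]}

def _as_list(value):
    # Policy elements may be a single value or a list of values.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are matched case-insensitively.
            if not any(_match(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny overrides any allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"  # nothing matched: denied

def wildcard_actions(policy):
    """List actions in Allow statements that contain a wildcard."""
    return [a for stmt in _as_list(policy["Statement"])
            if stmt["Effect"] == "Allow"
            for a in _as_list(stmt["Action"]) if "*" in a or "?" in a]

if __name__ == "__main__":
    for name, policy in (("ec2:*", BROAD), ("stop/terminate only", LEAST)):
        print(name, "->", evaluate([policy], "ec2:RebootInstances", INSTANCE),
              "| wildcards:", wildcard_actions(policy))
```

Running `wildcard_actions` over every customer-managed policy is a quick way to find Allow statements that deserve a least-privilege review.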

In the next chapter, we are going to look at access control through federation, allowing a single sign-on approach, covering both enterprise and social identity federation. We will also look at Amazon Cognito and see how it is used for access control across the mobile environment.