Good question!
In this case, your File System policy is a resource policy and the instance policy would be considered an IAM Identity Policy. For resources in the same account, these are treated as a logical OR. It is also important to remember policy evaluation logic.
First, Explicit Denies are evaluated, then Explicit Allows, then Implicit Denies.
Explicit Denies --> Explicit Allows --> Implicit Denies
In this case, your EFS policy is an Allow for read, so if the instance policy has an explicit allow for writing, it will not be denied. If you're looking to secure the EFS volume further, you would need to use an explicit deny on the policy itself (and you can use this in conjunction with allows).
answered 2 years ago
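The evaluation order the answer describes, as an added example (not from the answer or from AWS): a simplified same-account evaluator that unions the EFS file system policy with the instance role's identity policy and applies explicit Deny, then explicit Allow, then implicit Deny. The ARN, account id and the exact policy statements are constructed placeholders, and Condition elements are ignored.

```python
from fnmatch import fnmatchcase

# Constructed sample values: account id and file-system id are placeholders.
FS_ARN = "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-EXAMPLE"
MOUNT, WRITE = "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"

# EFS file system (resource) policy from the scenario: read-only mount is allowed.
EFS_POLICY = {"Statement": [{"Effect": "Allow", "Action": MOUNT, "Resource": FS_ARN}]}

# Identity policy attached to the instance role: explicitly allows writing.
INSTANCE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": [MOUNT, WRITE], "Resource": "*"},
]}

# Hardened file system policy: an explicit Deny that the role's Allow cannot override.
HARDENED_EFS_POLICY = {"Statement": EFS_POLICY["Statement"] + [
    {"Effect": "Deny", "Action": WRITE, "Resource": FS_ARN},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    """Case-insensitive, wildcard-aware Action and Resource match (Conditions ignored)."""
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok

def evaluate(policies, action, resource):
    """Same-account evaluation: explicit Deny, then explicit Allow, then implicit Deny."""
    statements = [s for p in policies for s in p["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in statements):
        return "EXPLICIT_DENY"  # any matching Deny in either policy wins
    if any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in statements):
        return "ALLOW"  # Allows from both policies are unioned
    return "IMPLICIT_DENY"  # no statement matched

def scenario():
    """Decisions for the write request under the original and the hardened EFS policy."""
    return {
        "write_read_only_efs_policy": evaluate([EFS_POLICY, INSTANCE_POLICY], WRITE, FS_ARN),
        "write_hardened_efs_policy": evaluate([HARDENED_EFS_POLICY, INSTANCE_POLICY], WRITE, FS_ARN),
        "mount_hardened_efs_policy": evaluate([HARDENED_EFS_POLICY, INSTANCE_POLICY], MOUNT, FS_ARN),
    }

if __name__ == "__main__":
    for name, decision in scenario().items():
        print(name, decision)
```

With only the read-only file system policy the role's Allow still lets the write through; adding the explicit Deny to the file system policy blocks it while leaving the mount allowed.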