1. What is AWS IAM?
AWS Identity and Access Management (IAM) is a service that allows you to control access to your AWS services and resources securely. It enables you to create and manage user accounts, assign individual permissions, and enforce strict policies to protect your data.
AWS IAM policies are documents that play a critical role in defining permissions and access controls within your AWS environment. They help you manage and secure your AWS resources by allowing or denying specific actions for different users or groups. With the right IAM policy in place, you can ensure that only authorized individuals have access to sensitive data and critical resources.
There are a few different policy types you can use in AWS:
Identity-based policies: Grant permissions to the relevant identities (e.g., users, groups, or roles).
Resource-based policies: Decide which specific actions can be performed on certain resources and define the conditions that the action applies to.
Permissions boundaries: Define the maximum permissions that an identity-based policy can grant to an entity.
Organizations SCPs: Define the maximum permissions for account members of an organization using an AWS Organizations service control policy (SCP).
Access control lists (ACLs): Control which principals in other accounts can access the relevant resource that the ACL is attached to.
Session policies: Limit the permissions that the role or user's identity-based policies grant to the session.
2. Elements of the policy document
Version: (optional) Specifies the version of the policy language. The available versions are 2012-10-17 and 2008-12-17.
Statement: Used as a container for the following policy elements. You can include more than one statement in a policy.
Sid: (optional) The statement ID identifies the purpose of the policy statement and is useful when you have multiple statements.
Effect: (mandatory) Use Allow or Deny to indicate whether the policy allows or denies access to the resource.
Principal: (required only in some circumstances) The entity that is allowed or denied access.
Action: (mandatory) A list of actions that the policy allows or denies.
Resource: (required only in some circumstances) A list of resources to which the action applies.
Condition: (optional) The circumstances under which the policy grants or denies permission.
Sample IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
"Version": "2012-10-17": This specifies the version of the policy language. This is currently the latest version and the recommended one.
"Statement": This begins an array of policy statements. Each statement can allow or deny specific actions.
"Effect": "Allow": This indicates that the actions specified in this statement are allowed. The two possible values are "Allow" and "Deny".
"Action": This begins an array of actions that are allowed by this statement.
"s3:ListBucket": This action allows listing the contents of the specified S3 bucket.
"s3:GetObject": This action allows retrieving objects from the specified S3 bucket.
"Resource": This begins an array of resources to which the actions apply.
"arn:aws:s3:::example-bucket": This specifies the ARN (Amazon Resource Name) of the S3 bucket itself. It allows the listed actions to be performed on the bucket.
"arn:aws:s3:::example-bucket/*": This specifies all objects within the specified bucket. The asterisk (*) is a wildcard that represents every object key in that bucket.
The second statement uses the same three elements as the first, but with a different effect and permissions:
{
  "Effect": "Deny",
  "Action": "s3:DeleteObject",
  "Resource": "arn:aws:s3:::example-bucket/*"
}
The summary of the above policy file is:
This policy allows users to list and get objects from the example-bucket S3 bucket. It explicitly denies the ability to delete objects from the same bucket, providing a safeguard against accidental or unauthorized deletions.
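To make the Allow/explicit-Deny behaviour of the sample policy concrete, here is an added Python evaluator (example code written for this page, not part of the original article or of any AWS library). It models only Effect, Action and Resource with IAM-style wildcard matching; Principal and Condition are out of scope, and the policy it loads is the page's own sample, embedded inline.

```python
import fnmatch
import json

# Constructed for this example: the same policy shown on the page above.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    # fnmatchcase approximates this; ARNs and action names never contain "[".
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request.

    Simplified model of how IAM evaluates identity-based policies: an
    explicit Deny in any matching statement wins, otherwise one matching
    Allow is enough, otherwise the request is implicitly denied. Principal
    and Condition are not modelled (assumption made for this example).
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; ARNs are case-sensitive.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow
        decision = "Allow"
    return decision
```

Running `evaluate(SAMPLE_POLICY, "s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv")` returns "Deny" even though no Allow covers that action, while `s3:PutObject` on the same object is only implicitly denied, which is the distinction the summary above describes.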