AWS IAM Policy

If you have worked with the AWS cloud, you will know IAM (Identity and Access Management) and its policies. The policies attached to IAM users, groups and roles are called identity-based policies. They differ from resource-based policies, such as the bucket policies applied to S3, which are attached to the resource itself rather than to a principal.

There are many use cases where you attach a policy and then get stuck working out the order in which its statements are evaluated.

Examples:

  • You want to grant all permissions except Billing and IAM.
  • You want to allow only EC2 permissions for an IAM user and deny everything else.
  • What access does a user get if you do not grant any permission at all?

In the bigger picture, an AWS IAM policy decision follows this precedence:


Implicitly Deny ALL >> Explicitly Allow >> Explicitly Deny

That is, every request starts out implicitly denied; an explicit Allow in any applicable policy overrides that implicit deny; and an explicit Deny overrides any Allow. This is precedence, not sequence: all statements in all attached policies are considered, so the position of a Deny statement within the document does not matter. With no matching statement at all, the implicit deny stands, which answers the third question above.

The detailed evaluation flow is described in the AWS documentation on Policy Evaluation Logic: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Two of the most useful resources when writing policies are the evaluation-logic reference above and the IAM Policy Simulator (https://policysim.aws.amazon.com/), which lets you test a policy against specific actions and resources before attaching it to a principal.

Example 1: Policy to allow ALL except Billing and IAM permissions

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": "*",
         "Resource": "*"
      },
      {
         "Effect": "Deny",
         "Action": "aws-portal:*",
         "Resource": "*"
      },
      {
         "Effect": "Deny",
         "Action": "iam:*",
         "Resource": "*"
      }
   ]
}

The most common use of this early in an AWS account's life is to give a system engineer a policy that lets them use the AWS services but not touch Billing or Identity and Access Management. Because an explicit Deny always wins, the two Deny statements override the Allow on "*" for every aws-portal and iam action, while everything else stays allowed. Two caveats a practitioner should keep in mind: the policy does not deny sts:*, so the user can still call sts:AssumeRole on any role whose trust policy permits it, and denying iam:* also stops the user from changing their own password or managing their own MFA device unless those specific actions are allowed elsewhere. AWS has also since introduced finer-grained billing actions (in the billing, payments and account namespaces) alongside aws-portal, so check the current Billing documentation for the action names that need to be denied.
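To make the precedence concrete, here is a small evaluator written for this page (not code from AWS or from the original post) that applies the rule "implicit deny, overridden by explicit Allow, overridden by explicit Deny" to the Example 1 policy above, to a constructed "EC2 only" policy for the second use case, and to an empty policy for the third. It models identity-based policies only and ignores Condition blocks, resource-based policies, permissions boundaries and SCPs, all of which the real evaluation logic also considers; the account id 123456789012 and the user and role names are constructed. Running it also shows that sts:AssumeRole remains allowed by Example 1, which is why denying iam:* alone does not close off role-based privilege escalation.

```python
"""Toy evaluator for the core IAM identity-policy decision rule.

Added example for this page, not code from AWS or the original post.
It models identity-based policies only and ignores Condition blocks,
resource-based policies, permissions boundaries and SCPs.
"""
import fnmatch

ALLOWED, IMPLICIT_DENY, EXPLICIT_DENY = "allowed", "implicitDeny", "explicitDeny"

# The page's Example 1: allow everything, then explicitly deny Billing and IAM.
ALLOW_ALL_EXCEPT_BILLING_AND_IAM = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "aws-portal:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed policy for the "allow only EC2" use case: nothing else is
# mentioned, so every non-EC2 action falls through to the implicit deny.
EC2_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Constructed policy for the "no permissions granted at all" use case.
NO_PERMISSIONS = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    """Action/Resource/NotAction/NotResource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match_action(patterns, action):
    """Action names match case-insensitively; '*' and '?' are wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def _match_resource(patterns, resource):
    """ARNs match case-sensitively with the same wildcards. fnmatch also
    treats '[' specially, which IAM does not; real ARNs do not contain it."""
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def statement_applies(stmt, action, resource):
    """True if the statement's (Not)Action and (Not)Resource cover the request."""
    if "Action" in stmt:
        if not _match_action(_as_list(stmt["Action"]), action):
            return False
    elif "NotAction" in stmt:
        if _match_action(_as_list(stmt["NotAction"]), action):
            return False
    else:
        return False  # a statement must carry Action or NotAction
    if "Resource" in stmt:
        if not _match_resource(_as_list(stmt["Resource"]), resource):
            return False
    elif "NotResource" in stmt:
        if _match_resource(_as_list(stmt["NotResource"]), resource):
            return False
    return True


def evaluate(policies, action, resource="*"):
    """Decide one request against all attached identity-based policies.

    Every statement of every policy is examined, so the order of statements
    and of policies never matters: the request starts as an implicit deny,
    any matching Allow lifts it to allowed, and a single matching Deny ends
    evaluation with an explicit deny no matter how many Allows matched.
    """
    decision = IMPLICIT_DENY
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return EXPLICIT_DENY
            if stmt.get("Effect") == "Allow":
                decision = ALLOWED
    return decision


def decisions(policies, requests):
    """Evaluate a batch of (action, resource) pairs; handy for eyeballing a policy."""
    return {f"{action} on {resource}": evaluate(policies, action, resource)
            for action, resource in requests}


if __name__ == "__main__":
    account = "123456789012"  # constructed account id
    requests = [
        ("ec2:RunInstances", f"arn:aws:ec2:us-east-1:{account}:instance/i-0123456789abcdef0"),
        ("aws-portal:ViewBilling", "*"),
        ("IAM:CreateUser", f"arn:aws:iam::{account}:user/alice"),
        ("iam:ChangePassword", f"arn:aws:iam::{account}:user/alice"),
        ("sts:AssumeRole", f"arn:aws:iam::{account}:role/Admin"),
    ]
    for request, result in decisions([ALLOW_ALL_EXCEPT_BILLING_AND_IAM], requests).items():
        print(f"{result:12} {request}")
```

The evaluator returns three distinct outcomes rather than a boolean because the distinction matters when you debug a policy: an implicit deny is fixed by adding an Allow, while an explicit deny has to be found and removed (or scoped with a Condition) wherever it lives, since no Allow can override it.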

For more: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html