If you have worked in the AWS cloud, you already know about IAM (Identity and Access Management) and its policies. IAM policies are also called identity-based policies; they differ from the resource-based policies that are attached to resources such as S3 buckets.
There are many use cases where you apply several policies and then get stuck working out the order in which they are evaluated.
Examples:
- You want to give all permissions except Billing and IAM.
- You want to allow only EC2 permissions for an IAM user and deny everything else.
- What is allowed if you don't give any permission at all?
In the bigger picture, AWS IAM policy evaluation works in this order of precedence (a later step overrides an earlier one):
Implicitly Deny ALL >> Explicitly Allow >> Explicitly Deny
The detailed logic of the evaluation flow is described in the AWS documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
The two most useful resources for policy creation are:
- JSON policy generator UI: https://awspolicygen.s3.amazonaws.com/policygen.html
- Policy simulator, to test your policy against IAM users with different actions without attaching it: https://awspolicygen.s3.amazonaws.com/policygen.html
Example 1: Policy to "Allow ALL except Billing and IAM permissions"
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "aws-portal:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
```
The most common usage when starting out on AWS is to assign a policy to a system engineer who needs to use AWS services but must not be able to access Billing or Identity and Access Management.
For more: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
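To see the precedence above applied to this policy, here is an added Python sketch of the evaluation order (my own simplified model, not AWS code or the policy simulator). The two policy documents inside it are constructed copies of the use cases above, and Condition, NotAction and NotResource are deliberately left out.

```python
import fnmatch

# Constructed copies of the two policies discussed in the post (not AWS code).
ALLOW_ALL_EXCEPT_BILLING_IAM = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "aws-portal:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}
EC2_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); Action/Resource may be a
    string or a list. Action names are case-insensitive, ARNs are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource="*"):
    """Simplified identity-based evaluation in the order described above:
    1. start from implicit deny (no statement matches the request),
    2. a matching Allow overrides the implicit deny,
    3. a matching explicit Deny overrides everything, whatever its position.
    NotAction, NotResource and Condition blocks are not modelled here.
    Returns 'allow', 'explicitDeny' or 'implicitDeny' (simulator wording)."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # explicit deny wins; stop evaluating
            decision = "allow"  # remember the Allow, a later Deny may still win
    return decision

if __name__ == "__main__":
    for action in ("ec2:RunInstances", "iam:CreateUser", "aws-portal:ViewBilling"):
        print(action, "->", evaluate([ALLOW_ALL_EXCEPT_BILLING_IAM], action))
    print("s3:GetObject under EC2-only ->", evaluate([EC2_ONLY], "s3:GetObject"))
    print("no policy at all ->", evaluate([], "ec2:RunInstances"))
```

Swapping the order of the three statements changes nothing: the explicit Deny on iam:* still wins over the Allow on *, which is the whole point of the precedence rule.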