AWS IAM Policy Evaluation Order

If you have worked in AWS CLOUD, you must be knowing about IAM (Identity and Access Management) and the policy. IAM policies are also called Identity Based policy . This differs from Resource based policies as applied in S3.

There are many use-case when you apply policies and stuck in understanding of the order, the policy may be executing.

Examples :

You want to give all permission except Billing and IAM.
You want to allow only EC2 permissions for a IAM user and deny all
What will be the allocation if you don’t give any permission

In a bigger picture, AWS IAM policy works in order of,

Implicitly Deny ALL >> Explicitly Allow >> Explicitly Deny

Detail logic of the execution flow as per AWS resource :https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Two Most handful resource in policy creation are

JSON policy Generator UI : https://awspolicygen.s3.amazonaws.com/policygen.html

Simulate your policy against iam users with different action without attaching them
https://awspolicygen.s3.amazonaws.com/policygen.html

Example 1: Policy to ” Allow ALL except Billing and IAM permission “

{ 
   "Version":"2012-10-17",
   "Statement":[ 
      { 
         "Effect":"Allow",
         "Action":"*",
         "Resource":"*"
      },
      { 
         "Effect":"Deny",
         "Action":"aws-portal:*",
         "Resource":"*"
      },
      { 
         "Effect":"Deny",
         "Action":"iam:*",
         "Resource":"*"
      }
   ]
}

The most common usage in aws beginning is to assign a policy to system engineer to use AWS service but should not able to access billing and Identity Management .

for more : https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Tagged with: AWS • home • iam • policy

Notes By DeveloperCK

AWS IAM Policy

Leave a Reply Cancel reply