In my previous article AWS Account And Service Layer, we discussed IAM Essentials. Now, in this article, we will be discussing IAM policies. We will also try to understand how to interpret and write IAM policies. IAM policies are an essential component of assigning permissions to AWS IAM users, Groups, and Roles.
IAM Policies
A policy is a document that formally states one or more permissions. Permissions are required to interact with AWS resources through the AWS Console, the AWS SDK, or the AWS CLI.
There are two types of permissions that we can apply in our policies, i.e., an "explicit allow" and an "explicit deny".
An explicit deny will always override an explicit allow.
Let’s see an example of IAM policies.
The first policy above allows all actions on all resources.
The second policy above does not allow any action to be taken on any resource.
If you attach both policies to a user, that user will have no access to AWS resources, because an explicit deny always overrides an explicit allow. Let's understand this in more depth.
Suppose an employee goes on leave or leaves the job and rejoins you after a few months. You do not want to remove and later re-grant the access you have already provided. In this case, you assign that user a "deny all" policy, which blocks him/her from accessing anything, irrespective of whatever access he/she already has.
The best thing about IAM policies is that they take effect immediately.
The next thing we will discuss is that IAM provides pre-built policy templates that you can assign to users or groups.
The AWS managed policies are:
- Administrator Access - Full access to ALL AWS resources
- Power User Access - Admin access, except that it does not allow user/group management
- Read-only Access - View-only access to AWS resources; for example, a user can view what is inside an S3 bucket.
Now, let’s understand each of these in detail.
Administrator Access
In this, the user will get full access to all AWS resources. Below is an example of the same.
When you open this in the console, then it gives you details as shown in the below image.
Now, let’s look at JSON.
AWS policies are made up of statements; one policy can contain one or more statements.
Now, inside the statements, you can have
In the above case, the Effect of the statement is Allow and its Action is *, which means any action.
The Resource is also *, which means any resource.
Essentially, this policy allows any action to be taken on any resource. Now, let’s look at AmazonS3ReadOnlyAccess.
If you look at the policy summary, you will find that it allows you to use only one of 166 resources, i.e., S3, and the access level is limited to List.
Now, let's look at the JSON.
The above JSON is the same as what we already discussed, except for Action, which specifies S3:Get and S3:List; i.e., with this, a user can get objects or list buckets.
Now, we can create our own custom policies.
Inside the "Create Policy" window (shown below), which is also called the Policy Generator, you can use either the visual editor or the JSON editor to create policies.
For the JSON editor, you need a complete understanding of the syntax required for generating IAM policies.
With the visual editor, however, you do not have to worry about syntax; instead, you complete the guided flow.
Let's take an example. We want to create a policy for S3 which allows access to all buckets but only to get objects in them.
Click on the service link, which lets you choose the service from the list, as shown below.
Now, type S3 in the search box, as shown below.
Now, select S3. After this, select Action to allow; i.e., Read as shown in the below image.
After this, you can select any of the APIs that are listed, as shown below.
After this, you need to specify Resource.
In this section, you will see a warning specifying which resource types you need to select, i.e., the bucket resource type or the object resource type.
Now, we have created a policy which allows the listed API access to S3 bucket resources and object resources.
Optionally, we can also set conditions on the permission: for example, to require MFA while using these actions, or to allow the specified actions only when the request comes from a specified IP.
Now, click on the "Review Policy" button which will take you to the "Review Policy" section, as shown below.
In this section, you can specify the policy name and description. After this, click on the "Create Policy" button. If you want to add permissions for another service, you need to perform the same process again.
If you go to the policy list screen and search for your policy, you should be able to find it.
If you look at the JSON tab, you will see the policy that this process generated, in JSON.
- More than one policy can be attached to a user or a group at the same time.
- Policies cannot be attached to AWS resources like an EC2 instance.
In the next article, we will discuss IAM users and groups.
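To make the evaluation rule concrete, here is an added Python model of it (example code written for this article, not AWS's implementation or the console's generated output): it encodes the allow-all and deny-all policies from the top of the article, a policy shaped like AmazonS3ReadOnlyAccess, and the walkthrough's custom get-objects policy with the optional MFA condition, then evaluates requests against them the way the text describes. It assumes simplified semantics: identity-based policies only, only the Bool condition operator, and no SCPs, permission boundaries or resource policies.

```python
import fnmatch

# Constructed policy documents: ALLOW_ALL/DENY_ALL mirror the article's two example
# policies, S3_READ_ONLY the shape of AmazonS3ReadOnlyAccess, and S3_GET_MFA the
# walkthrough's "get objects in any bucket" policy with the optional MFA condition.
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_ALL = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}
S3_READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
S3_GET_MFA = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive):
    # IAM wildcards are '*' and '?'; action names are case-insensitive, ARNs are not.
    patterns = _as_list(patterns)
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Only the Bool operator is modelled (enough for the MFA check); anything
    # else is rejected rather than silently treated as satisfied.
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, wanted in pairs.items():
            if str(context.get(key, "false")).lower() != str(wanted).lower():
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request: implicit deny by default, a matching
    Allow flips it, and a matching explicit Deny in any statement wins outright."""
    context = context or {}
    decision = "Deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if (not _matches(statement["Action"], action, True)
                    or not _matches(statement["Resource"], resource, False)
                    or not _condition_holds(statement.get("Condition"), context)):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides explicit allow
            decision = "Allow"
    return decision
```

Attaching ALLOW_ALL and DENY_ALL together yields Deny for every request regardless of order, and the MFA policy only allows s3:GetObject when the request context carries aws:MultiFactorAuthPresent set to true.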