[AWS Architect] (20) Policies

IAM policy is a JSON document that defines permissions for users and resources. To uniquely identify AWS resources, Amazon Resource Names (ARNs) are used.

Amazon Resources Name (ARN)

  • The basic ARN format
arn:patition:service:region:account_id  +  (resource-type)/resource
  • Examples
arn:aws:ec2:us-east-1:123456789012:instance/* 
arn:aws:iam:: 123456789012:user/testuser (:: - region is not specified)
arn:aws:s3:::my_bucket/image1.jpg (::: - 2 items are not specified)

Policies

  • Policies need to be attached to identities or resources.
    • An identity policy is attached to an identity, such as users, groups, or roles.
    • A resource policy is attached to resources, such as S3 buckets or SQS queues.
  • A policy document is a list of “statements” to specify permissions.
  • Each statement matches a request to AWS based on:
    • Action, which is an API call or an operation
    • Resource, which the request targets
    • Effect, which is “Allow” or “Deny
    • Principal, which receives an action – users or groups (cannot be used in the identity policy)
  • Evaluation
    • All policies are merged first (no order).
    • A request is implicitly (default) denied.
    • If a request is explicitly denied, it overrides anything else.
    • If a request is explicitly allowed, it is allowed unless denied by an explicit deny.
{
  "Id": "Policy1603580917837",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1603580760453",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket/*"
    },
    {
      "Sid": "Stmt1603580916845",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
  • AWS-managed polices have low overhead but lacks flexibility (Administrator access, read-only access)
  • Customer-managed policies are flexible but require on-going administration.
  • IAM provides pre-built policy templates:
    • Administrator users have full access to all AWS resources.
    • Power users can access all AWS services except the management of users and groups in IAM.
    • Read-only users can only view AWS resources.

Permissions Boundary

  • AWS supports permissions boundaries for IAM entities (users or roles, not for groups). The boundary limits the maximum permissions for a user or a role.
  • Permissions boundaries and Identity policies – The effective permissions are the intersection of both policy types.
  • Permissions boundaries and resource policies – An implicit deny in a permissions boundary does not limit the permissions granted by a resource-based policy.
  • Permissions boundaries, identity policies, and resource policies – The effective permissions are everything that is allowed by the resource-based policy and the intersection of the permissions boundary and the identity-based policy.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s