IAM Policies

Learn how identity-based and resource-based policies are used to define user authorization.

IAM handles both authentication and authorization. An IAM policy is a JSON document attached either to the IAM identity that authenticates itself (the principal) or to the AWS resource to which access must be secured. The policy defines the scope of permissions that the principal entity has.


Types of IAM policies

Based on their usage, IAM policies fall into the following types:

  • Identity-based policies: Define the permissions of IAM identities. They are attached to the IAM identities themselves.

  • Resource-based policies: Define the access that an entity has to AWS resources. They are attached to the resources to which an entity requires access.

  • Permissions boundaries: Specify the highest level of permissions that an identity-based policy can grant to an entity.

  • Session policies: Specify the highest level of permissions that an identity-based policy can grant to an entity when a temporary session is created for an entity.

  • Organizations Service Control Policies (SCPs): Specify the highest level of permissions that an identity-based policy can grant to an entity at the organizational level.

  • Access control lists (ACLs): Define the level of access an external AWS account can have to the AWS resources. Unlike all other types of IAM policies, ACLs are not in JSON format.

[Figure: Types of IAM policies]

We'll discuss identity-based policies and resource-based policies in detail in this lesson.

Identity-based policies

Identity-based policies are the IAM policies we attach to IAM identities to grant principal entities the access they require.

[Figure: IAM resources that use identity-based policies]

Types of identity-based policies

These policies can be categorized into two types:

  • Managed policies: Standalone identity-based policies that exist independently of any other IAM resource. A managed policy can be attached to multiple IAM resources at the same time. Managed policies are further categorized into two types:

    • AWS-managed policies: These are pre-built policies that are created and managed by AWS. These policies are ready to use but are less flexible as they cannot be modified.

    • Customer-managed policies: These are the identity-based policies that we create and manage in our AWS account. As they are custom-built policies, we can draft and modify them according to our own specific requirements.

  • Inline policies: Custom policies drafted during the creation of an IAM resource. An inline policy is embedded in the IAM resource it is created with and is deleted when that resource is deleted.

[Figure: Types of identity-based IAM policies]

Components of an identity-based policy

The JSON document of an identity-based policy can have the following elements:

  • Version (optional): Indicates the IAM policy language version being used.

  • Statement (required): Contains the core elements of the policy. It is an array, and each array element groups the core elements below into one statement:

    • Sid (optional): A string that identifies or describes an individual statement. It must be unique within the policy.

    • Action (required): The list of actions to be allowed or denied. Each entry is an AWS-defined action name that identifies one operation of an AWS service (for example, s3:CreateBucket).

    • NotAction (required): The list of actions the statement excludes; it is the inverse of Action, so the Effect applies to every action except those listed. A statement contains either Action or NotAction, and exactly one of them must be present.

    • Effect (required): Specifies whether the actions covered by Action or NotAction are allowed or denied. Its value is either Allow or Deny.

    • Resource (required): The list of ARNs (Amazon Resource Names, the unique identifiers AWS uses to identify each AWS resource) to which the statement grants or denies access.

    • NotResource (required): The list of ARNs the statement excludes; the Effect applies to every resource except those listed. A statement contains either Resource or NotResource, and exactly one of them must be present.

    • Condition (optional): Contains conditions that must be met for the statement to take effect.

An identity-based policy would look as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3:::demo-bucket"
      ]
    }
  ]
}

This policy is attached to the IAM identity that authenticates. It allows the principal entity to create an S3 bucket named demo-bucket. The sample contains a single statement with only the required elements; a policy can contain multiple statements depending on the authorization the user requires.
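To make the element rules above concrete, here is an added example (it is not the lesson's code and not AWS's evaluation engine) that evaluates a request against a policy using only the documented core elements: Effect, Action/NotAction and Resource/NotResource with wildcards. It also encodes IAM's two default outcomes, an explicit Deny winning over any Allow and an implicit deny when no statement allows the request, and checks the lesson's rule that a statement carries exactly one of Action/NotAction and one of Resource/NotResource. The sample policy, the extra statements and the ARNs in it are constructed for illustration; Condition is not modelled.

```python
"""Minimal evaluator for the identity-based policy elements above.

Added example, not the lesson's code and not AWS's engine: it models only
Effect, Action/NotAction, Resource/NotResource and wildcards, plus the
rules 'explicit Deny wins' and 'no matching Allow means implicit deny'.
"""
import fnmatch
import json

# Constructed sample policy: the lesson's CreateBucket statement plus two
# statements that exercise NotResource and NotAction.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateDemoBucket",
            "Effect": "Allow",
            "Action": ["s3:CreateBucket"],
            "Resource": ["arn:aws:s3:::demo-bucket"],
        },
        {
            "Sid": "ReadAllButSecrets",
            "Effect": "Allow",
            "Action": "s3:Get*",
            # NotResource: the Allow covers every resource except this prefix
            "NotResource": "arn:aws:s3:::demo-bucket/secrets/*",
        },
        {
            "Sid": "DenyEverythingOutsideS3",
            "Effect": "Deny",
            # NotAction: the Deny covers every action except s3:* actions
            "NotAction": "s3:*",
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """Most policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM wildcard match: '*' is any sequence, '?' any single character."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def policy_errors(policy_json):
    """Structural problems the lesson's rules forbid: each statement needs
    exactly one of Action/NotAction, exactly one of Resource/NotResource,
    and an Effect of Allow or Deny."""
    errors = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        for pair in (("Action", "NotAction"), ("Resource", "NotResource")):
            present = [k for k in pair if k in stmt]
            if len(present) != 1:
                errors.append(f"statement {i}: needs exactly one of {pair}, has {present}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"statement {i}: Effect must be Allow or Deny")
    return errors


def _statement_applies(stmt, action, resource):
    """Does this statement cover the (action, resource) pair?"""
    action = action.lower()  # action names are matched case-insensitively
    if "Action" in stmt:
        action_hit = _matches([a.lower() for a in _as_list(stmt["Action"])], action)
    else:  # NotAction: everything except the listed actions
        action_hit = not _matches([a.lower() for a in _as_list(stmt["NotAction"])], action)
    if "Resource" in stmt:
        resource_hit = _matches(_as_list(stmt["Resource"]), resource)
    else:  # NotResource: everything except the listed ARNs
        resource_hit = not _matches(_as_list(stmt["NotResource"]), resource)
    return action_hit and resource_hit


def evaluate(policy_json, action, resource):
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request."""
    errors = policy_errors(policy_json)
    if errors:
        raise ValueError("; ".join(errors))
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"  # a matching Deny ends evaluation
        allowed = True
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    for act, res in [
        ("s3:CreateBucket", "arn:aws:s3:::demo-bucket"),
        ("s3:GetObject", "arn:aws:s3:::demo-bucket/secrets/key.pem"),
        ("ec2:RunInstances", "arn:aws:ec2:us-east-1:111122223333:instance/*"),
    ]:
        print(f"{act:18} {res:55} -> {evaluate(SAMPLE_POLICY, act, res)}")
```

Run it as a script to see the three outcomes side by side. The useful observations are that s3:GetObject on the secrets prefix is denied only implicitly (the NotResource simply stops the Allow from matching), while ec2:RunInstances is denied explicitly by the NotAction statement, which would also override an Allow from any other attached policy.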

Resource-based policies

Resource-based policies are IAM policies that we attach to AWS resources to specify the kind of access principal entities have to them. They are inline policies and must be drafted and managed by the AWS user.

[Figure: AWS resources that use resource-based policies]

Interesting insight: An IAM role is an IAM resource to which both an identity-based policy and a resource-based policy can be attached.

Components of a resource-based policy

A resource-based policy has the same components as an identity-based policy, plus the following additional elements:

  • Id (optional): Specifies a unique identifier for the policy. Its value must be a string.

  • Principal (required): Specifies the principal entity. The format of its value depends on the kind of principal being specified. The following kinds of entities can be specified as the principal of a resource-based policy:

    • AWS accounts: To specify an AWS account as the principal, we should set the principal’s value to that account’s ID. This account can be the same account to which the resource belongs or an external account.

    • IAM identities: To specify an IAM identity as the principal, we set the principal's value to the ARN of that identity. An IAM user group cannot be specified as the principal.

    • AWS services: To specify an AWS service as the principal, we set the principal's value to that service's service principal, an AWS-defined identifier for the service. For example, the service principal of Lambda is lambda.amazonaws.com.

A resource-based policy would look as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::demo-bucket/demo-object",
      "Principal": "*"
    }
  ]
}

This policy is attached to the AWS resource to which it grants access. It allows anyone to read the object demo-object stored in the S3 bucket named demo-bucket. The sample contains a single statement with only the required elements; a policy can contain multiple statements depending on the required authorization.
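Because the Principal element decides who a resource-based policy opens the resource to, the check a reviewer wants is a quick classification of each statement's audience. The following added example (not the lesson's code) parses the Principal forms listed above, a bare "*", an AWS account ID or IAM identity ARN under the "AWS" key, and a service principal under the "Service" key, and reports Allow statements that reach beyond the owning account. The owner account ID, the hardened variant of the lesson's policy and the role name in it are constructed for illustration; other principal kinds such as Federated are only labelled "other", not analysed.

```python
"""Audit the Principal element of resource-based policies.

Added example, not the lesson's code: it classifies who each Allow
statement grants access to and flags grants that leave the owning account.
"""
import json
import re

# Constructed account ID standing in for the account that owns the resource.
OWNER_ACCOUNT = "111122223333"

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")

# The lesson's sample policy, reproduced here as input for the audit.
LESSON_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "s3:GetObject",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::demo-bucket/demo-object",
        "Principal": "*",
    }],
})

# Constructed hardened variant: same grant, limited to one role in the owner account.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadDemoObject",
        "Action": "s3:GetObject",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::demo-bucket/demo-object",
        "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT}:role/ReportReader"},
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def classify_principal(principal, owner_account):
    """Return the set of audiences a Principal grants access to:
    'public', 'same-account', 'cross-account', 'service' or 'other'."""
    if principal == "*":
        return {"public"}
    if not isinstance(principal, dict):
        raise ValueError('Principal must be "*" or a JSON object')
    labels = set()
    for kind, values in principal.items():
        for value in _as_list(values):
            if kind == "AWS":
                if value == "*":
                    labels.add("public")
                    continue
                if ACCOUNT_ID_RE.match(value):
                    account = value  # bare account ID
                else:
                    match = IAM_ARN_RE.match(value)
                    if match is None:
                        raise ValueError(f"unrecognised AWS principal: {value}")
                    account = match.group(1)  # account ID embedded in the ARN
                labels.add("same-account" if account == owner_account else "cross-account")
            elif kind == "Service":
                labels.add("service")  # e.g. lambda.amazonaws.com
            else:
                labels.add("other")  # Federated, CanonicalUser, ...
    return labels


def audit_policy(policy_json, owner_account):
    """List Allow statements whose Principal reaches outside the owner account.
    A public grant with no Condition is rated HIGH; public grants narrowed by a
    Condition and cross-account grants are rated REVIEW."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        labels = classify_principal(stmt["Principal"], owner_account)
        sid = stmt.get("Sid", "<no Sid>")
        actions = ",".join(_as_list(stmt.get("Action", stmt.get("NotAction", "?"))))
        if "public" in labels:
            level = "REVIEW" if "Condition" in stmt else "HIGH"
            findings.append(f"{level}: {sid} grants {actions} to everyone")
        elif "cross-account" in labels:
            findings.append(f"REVIEW: {sid} grants {actions} to another account")
    return findings


if __name__ == "__main__":
    for name, policy in (("lesson", LESSON_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy, OWNER_ACCOUNT) or ["no findings"])
```

Run against the lesson's sample, the audit reports one HIGH finding, since "Principal": "*" with no Condition means every AWS principal, including anonymous requests, can read the object; the scoped variant, which names a single role in the owning account, produces no findings. Service principals are labelled but not flagged, because whether a service grant is appropriate depends on context the policy alone does not carry.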

Identity-based and resource-based policies are the most commonly used IAM policies for securing access. Understanding their structure is essential for effective access management: a thorough grasp of IAM policies lets us enforce the required security measures and maintain control over access to our AWS resources.
