IAM Policies in AWS

IAM Policies in AWS:

In this article, I am going to discuss IAM Policies in AWS. Please read our previous article where we discussed IAM Users and Groups in AWS.

IAM Policies Inheritance in AWS

Let’s imagine we have a group of developers, Alice, Bob, and Charles, and we attach a policy at the group level. In that case, the policy applies to every single member of the group: Alice, Bob, and Charles all get access and inherit this policy. If you have a second group, operations, with a different policy, David and Edward will have a different policy than the group of developers. A user such as Fred does not have to belong to any group. We also have the possibility to create what’s called an inline policy, which is a policy attached directly to a single user. That user may or may not belong to a group; you can have inline policies for whatever user you want. And finally, if Charles and David both belong to the audit team and you attach a policy to the audit team as well, Charles and David will also inherit that policy from the audit team. In this case, Charles has a policy from developers and a policy from the audit team. David has a policy from the audit team and a policy from the operations team. That should make a lot of sense when we get into the hands-on.


IAM Policies Structure in AWS:

In terms of the policy structure, you just need to know at a high level how it works, as well as how its parts are named. This is something you will see quite a lot in AWS, so get familiar with this structure: policies are JSON documents. An IAM policy structure consists of a Version, which is the policy language version and is usually 2012-10-17, and an optional Id, which identifies the policy. Then there is Statement, which can hold one or multiple statements, and a statement has some very important parts. The Sid is a statement ID, an identifier for the statement, which is optional as well; in the example on the right-hand side it is 1. The Effect of the statement is whether it allows or denies access to certain API calls; in the example on the right-hand side it says Allow, but you can see Deny as well. The Principal consists of the accounts, users, or roles to which this policy will be applied.

In this example, it is applied to the root account of your AWS account. Action is the list of API calls that will be either denied or allowed based on the Effect. Resource is the list of resources to which the actions will be applied. In this example, it is a bucket, but it could be many different things.

[Figure: IAM Policies in AWS, example policy document]

Finally, there is a Condition, which specifies when this statement should be applied or not. It is not represented here because it is optional.
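The following is an added example, not code from the original article, that models both the inheritance described above (group policies, a second group, an inline policy for Fred, and Charles and David sitting in two groups each) and the policy document structure (Version, Id, Statement, Sid, Effect, Action, Resource, Condition). All policy contents, user names and bucket names are constructed for illustration; the evaluator is a deliberately simplified model of IAM's rules (default deny, any applicable Allow grants, any applicable explicit Deny overrides) and only understands the StringEquals and Bool condition operators. Note that identity-based policies attached to users and groups carry no Principal element; Principal appears in resource-based policies such as a bucket policy.

```python
"""Simplified model of IAM policy inheritance and evaluation (added example, not AWS code)."""
from fnmatch import fnmatchcase

# Constructed sample policies in the JSON structure the article describes.
DEVELOPERS_POLICY = {
    "Version": "2012-10-17",          # policy language version
    "Id": "developers-policy",         # optional policy identifier
    "Statement": [
        {
            "Sid": "1",                # optional statement identifier
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}
OPERATIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2WithMfa",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            # Optional Condition: only applies when the caller used MFA.
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}
AUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuditRead", "Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
        {"Sid": "NoDeletes", "Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}
FRED_INLINE_POLICY = {  # inline policy: attached directly to one user, no group needed
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}
    ],
}

# Constructed group memberships matching the article's scenario.
GROUP_MEMBERS = {
    "developers": {"alice", "bob", "charles"},
    "operations": {"david", "edward"},
    "audit": {"charles", "david"},
}
GROUP_POLICIES = {
    "developers": [DEVELOPERS_POLICY],
    "operations": [OPERATIONS_POLICY],
    "audit": [AUDIT_POLICY],
}
INLINE_POLICIES = {"fred": [FRED_INLINE_POLICY]}


def effective_policies(user):
    """Inline policies plus every policy inherited from each group the user belongs to."""
    policies = list(INLINE_POLICIES.get(user, []))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            policies.extend(GROUP_POLICIES[group])
    return policies


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM actions and ARNs accept '*' and '?' wildcards, which fnmatch also understands.
    return any(fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def _condition_holds(condition, context):
    """Simplified condition check: supports only the StringEquals and Bool operators."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies these operators
            if operator == "StringEquals" and str(actual) not in map(str, _as_list(expected)):
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if operator not in ("StringEquals", "Bool"):
                raise ValueError(f"unsupported condition operator in this model: {operator}")
    return True


def is_allowed(user, action, resource, context=None):
    """Default deny; any applicable Allow grants; any applicable explicit Deny wins."""
    context = context or {}
    allowed = False
    for policy in effective_policies(user):
        for statement in _as_list(policy["Statement"]):
            if not _matches(statement["Action"], action):
                continue
            if not _matches(statement["Resource"], resource):
                continue
            if not _condition_holds(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return False  # explicit deny overrides every Allow
            allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.txt"
    print("alice GetObject:", is_allowed("alice", "s3:GetObject", obj))        # True
    print("charles DeleteObject:", is_allowed("charles", "s3:DeleteObject", obj))  # False
    print("david StartInstances:", is_allowed("david", "ec2:StartInstances", "*",
                                              {"aws:MultiFactorAuthPresent": "true"}))  # True
```

Charles's effective set is the developers policy plus the audit policy, so he keeps the developers' read/write on the bucket but the audit team's explicit Deny on deletes applies to him; Bob, who is only a developer, is simply not granted deletes. David's EC2 access depends on the optional Condition being satisfied by the request context.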

In the next article, I am going to discuss IAM Policies Hands-on in AWS. Here, in this article, I try to explain IAM Policies in AWS and I hope you enjoy this IAM Policies in AWS article.
