IAM Policies In AWS Account And Service Layer

In this article, we will discuss IAM policies in AWS and try to understand how to interpret and write them.

In my previous article, AWS Account And Service Layer, we discussed IAM essentials. In this article, we will discuss IAM policies and try to understand how to interpret and write them. IAM policies are the essential component for assigning permissions to AWS IAM users, groups, and roles.

IAM Policies

A policy is a document that formally states one or more permissions. These permissions are required to interact with AWS resources through the AWS Console, the AWS SDKs, and the AWS CLI.

There are two types of permission that we can express in our policies: "explicit allow" and "explicit deny".

Explicit deny will always override explicit allow.

Let's look at some example IAM policies.

[Image: IAM Policies In AWS Account And Service Layer]

The above policy allows all actions on all resources.

[Image: IAM Policies In AWS Account And Service Layer]

The above policy denies every action on every resource.

Now, if you attach both policies to a user, that user will have no access to AWS resources at all, because an explicit deny always overrides an explicit allow. Let's understand this in more depth.
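To make the allow/deny rule concrete, here is an added example (not code from the article) that models how the statements described above combine: a request is allowed only if some statement explicitly allows it and none explicitly denies it, and a request matched by nothing is implicitly denied. The three policies are constructed here after the shapes the article describes; real AWS evaluation also considers SCPs, permission boundaries, session and resource policies, which this model leaves out.

```python
import fnmatch

# Constructed policies following the shapes shown in the article.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}
# Read-only S3: the Get*/List* shape the article attributes to AmazonS3ReadOnlyAccess.
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # Action names are case-insensitive; resource ARNs are compared as written.
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p) for p in _as_list(patterns))

def is_allowed(policies, action, resource):
    """True only if an Allow statement matches and no Deny statement matches.
    An explicit Deny short-circuits regardless of policy order; no match at
    all is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, True) and _matches(stmt["Resource"], resource, False)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny always wins
            allowed = True
    return allowed

if __name__ == "__main__":
    print(is_allowed([ADMINISTRATOR_ACCESS], "ec2:RunInstances", "*"))            # True
    print(is_allowed([ADMINISTRATOR_ACCESS, DENY_ALL], "ec2:RunInstances", "*"))  # False
    print(is_allowed([S3_READ_ONLY], "s3:GetObject", "arn:aws:s3:::bucket/key"))   # True
    print(is_allowed([S3_READ_ONLY], "s3:PutObject", "arn:aws:s3:::bucket/key"))   # False
```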

Suppose an employee goes on leave or leaves the company and rejoins a few months later. You do not want them to keep the access you had already granted them. In this case, you attach a "deny all" policy to that user, which blocks them from accessing anything, irrespective of whatever access they already hold.

The best thing about IAM policies is that they take effect immediately.

The next thing we will discuss is that IAM provides pre-built policy templates that you can assign to users or groups.

The AWS managed policies are:

  • Administrator Access - full access to ALL AWS resources
  • Power User Access - administrator access, except that it does not allow user/group management
  • Read-only Access - view-only access to AWS resources, e.g. a user can see what is inside an S3 bucket

[Image: IAM Policies In AWS Account And Service Layer]

Now, let's look at each of these in detail.

Administrator Access

With this policy, the user gets full access to all AWS resources. Below is an example.

[Image: IAM Policies In AWS Account And Service Layer]

When you open this policy in the console, it shows the details in the image below.

[Image: IAM Policies In AWS Account And Service Layer]

Now, let's look at the JSON.

[Image: IAM Policies In AWS Account And Service Layer]

AWS policies are made up of statements; one policy can contain one or more statements.

Inside each statement, you have:

  • Effect
  • Action
  • Resource

In the above case, the Effect of the statement is Allow and its Action is *, which means any action.

The Resource is also *, which means any resource.

Essentially, this policy allows any action to be taken on any resource. Now, let's look at AmazonS3ReadOnlyAccess.

[Image: IAM Policies In AWS Account And Service Layer]

If you look at the policy summary, you will find that it grants access to only one of the 166 resources, i.e., S3, and that the access level is limited to List.

Now, let's look at the JSON.

[Image: IAM Policies In AWS Account And Service Layer]

The JSON above is the same as what we already discussed, except for Action, which specifies S3:Get and S3:List; with this policy, a user can list buckets or get and list objects.

We can also create our own custom policies.

[Image: IAM Policies In AWS Account And Service Layer]

In the "Create Policy" window (shown below), also called the Policy Generator, you can use either the visual editor or the JSON editor to create policies.

[Image: IAM Policies In AWS Account And Service Layer]

For the JSON editor, you need a complete understanding of the syntax required to write IAM policies.

Alternatively, you can use the visual editor, where you do not have to worry about syntax; instead, you complete a guided flow.

Let's take an example. We want to create a policy for S3 that allows access to all buckets but only permits reading (getting) the items in them.

Click on the Service link, which lets you choose the service from a list, as shown below.

[Image: IAM Policies In AWS Account And Service Layer]

Type S3 in the search box, as shown below.

[Image: IAM Policies In AWS Account And Service Layer]

Select S3. Then select the access level to allow, i.e., Read, as shown in the image below.

[Image: IAM Policies In AWS Account And Service Layer]

After this, you can select any of the API actions that are listed, as shown below.

[Image: IAM Policies In AWS Account And Service Layer]

Next, you need to specify the Resource.

[Image: IAM Policies In AWS Account And Service Layer]

In this section, you will see a warning telling you which resource types you need to select, i.e., the bucket resource type and/or the object resource type.

[Image: IAM Policies In AWS Account And Service Layer]

We have now created a policy that allows a set of API actions on S3 bucket resources and object resources.

Optionally, we can also add conditions to the permission, for example requiring MFA when using these actions, or allowing the specified actions only when the request comes from a specified IP address.
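As an added example (not the article's own policy), here is what the S3 read policy built above looks like with both conditions just mentioned, together with a small checker for the two condition operators involved. aws:MultiFactorAuthPresent and aws:SourceIp are the real IAM condition keys for MFA and source IP; the bucket name and the 203.0.113.0/24 range are constructed placeholders, and only the Bool and IpAddress operators are modelled.

```python
import ipaddress

# Constructed policy: read access to one bucket, only with MFA and only from
# the placeholder corporate range 203.0.113.0/24.
S3_READ_WITH_CONDITIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        },
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(condition, context):
    """Every operator/key pair must hold (AND); within one key, any listed
    value may match (OR). A key absent from the request context fails the
    check, which is why a request without MFA does not satisfy Bool:true."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "Bool":
                if str(actual).lower() not in [str(w).lower() for w in _as_list(wanted)]:
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(w, strict=False) for w in _as_list(wanted)):
                    return False
            else:
                raise ValueError(f"condition operator not modelled here: {operator}")
    return True

def statement_applies(statement, context):
    """A statement with no Condition block applies to every request."""
    return condition_matches(statement.get("Condition", {}), context)

if __name__ == "__main__":
    stmt = S3_READ_WITH_CONDITIONS["Statement"][0]
    print(statement_applies(stmt, {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.7"}))   # True
    print(statement_applies(stmt, {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.7"}))  # False
    print(statement_applies(stmt, {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "198.51.100.7"}))  # False
```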

Click on the "Review Policy" button, which takes you to the "Review Policy" section, as shown below.

[Image: IAM Policies In AWS Account And Service Layer]

In this section, you can specify the policy name and description. After that, click on the "Create Policy" button. If you want to add permissions for another service, you need to repeat the same process.

If you go to the policy list screen and search for your policy, you should be able to find it.

[Image: IAM Policies In AWS Account And Service Layer]

If you look at the JSON tab, you will see the policy that this process generated, in JSON form.

[Image: IAM Policies In AWS Account And Service Layer]

  • More than one policy can be attached to a user or a group at the same time.
  • Policies cannot be attached to AWS resources like an EC2 instance.

In the next article, we will discuss IAM users and groups.