An IAM policy is a JSON document that, when attached to an IAM identity (user, group or role), defines what that identity is allowed or denied to do.
Policy Structure
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement identifier (optional)",
      "Principal": "identity, service or account the statement applies to (resource-based policies only; omitted in identity-based policies)",
      "Effect": "Allow or Deny",
      "Action": "API action(s) the statement covers, e.g. s3:GetObject or s3:Get*",
      "Resource": "ARN(s) the action targets, or * for all",
      "Condition": "optional conditions that must all hold for the statement to apply"
    },
    // another statement, if any
  ]
}
Key names are case-sensitive ("Version", "Statement", "Effect", ...). Use "Version": "2012-10-17" literally: the older "2008-10-17" version does not interpret policy variables such as ${aws:username}. Every statement needs Effect, Action (or NotAction) and, in an identity-based policy, Resource (or NotResource).
IAM Policy Priority
- Explicit Deny: a matching Deny statement in any applicable policy always wins, no matter how many Allow statements also match
- Explicit Allow: a matching Allow statement grants the request only if no Deny statement matches
- Implicit Deny (default): a request that matches no statement at all is denied
All policies attached to the identity (inline and managed) are evaluated together as one set of statements, not one policy at a time.
Policy Type
Inline Policy
A policy embedded directly in a single IAM identity (user, group or role). It has no ARN, is deleted together with the identity, and cannot be attached to anything else, so it is not reusable.
Inline policies are useful when an exceptional Allow or Deny must stay strictly tied to one identity and must never be attached to another identity by mistake.
Managed Policy
A managed policy is a standalone object with its own ARN. It can be attached to one or more IAM identities.
There are two types of managed policy:
- AWS Managed
  - Created and administered by AWS
  - Provides permissions for common use cases (e.g. AmazonS3ReadOnlyAccess)
  - The permissions defined in the policy cannot be changed by the customer
  - AWS updates the permissions occasionally, so the effective access can change without any action on the customer side; review what is attached
  - Available in every AWS account under the same ARN (arn:aws:iam::aws:policy/...)
- Customer Managed
  - Created by the customer as needed
  - Can be customized to the customer's requirements
  - Exists only in the account that created it (ARN carries that account ID)
Benefits of managed policies over inline policies:
- Reusable across many identities
- Lower management overhead: change the policy once and every attached identity picks up the change
- Centralized control of permission management, including versioning (a customer managed policy keeps up to five versions, so a bad change can be rolled back)
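The following is an added example, not code from the original notes or from AWS: a deliberately simplified simulator of how the statement structure above, the Deny / Allow / implicit-deny priority, and the mix of inline and managed policies attached to one identity combine into a decision. The three policy documents, the bucket names and the account ID 123456789012 are constructed for the example; it does not model Condition blocks, NotAction/NotResource, SCPs, permission boundaries or resource-based policies.

```python
"""Simplified simulator of IAM identity-based policy evaluation.

Added illustration, not AWS's evaluator. Only Effect/Action/Resource are
considered; Condition, NotAction/NotResource, SCPs, permission boundaries
and resource-based policies are out of scope.
"""
import json
import re
from fnmatch import fnmatchcase

# Constructed sample documents (bucket names and account ID are made up).
AWS_MANAGED_S3_READ = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAnyBucket", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
  ]
}""")

CUSTOMER_MANAGED_UPLOADS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "WriteUploads", "Effect": "Allow",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-uploads/*"}
  ]
}""")

# Inline exception on the identity: the one place this Deny must live.
INLINE_FINANCE_EXCEPTION = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "NoFinanceReports", "Effect": "Deny", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::finance-reports",
                  "arn:aws:s3:::finance-reports/*"]}
  ]
}""")

# Everything attached to one hypothetical role, inline and managed alike.
ROLE_POLICIES = [AWS_MANAGED_S3_READ, CUSTOMER_MANAGED_UPLOADS, INLINE_FINANCE_EXCEPTION]


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, case_sensitive):
    # IAM matches Action names case-insensitively; resource ARNs are
    # compared as written. '*' and '?' wildcards behave like fnmatch here.
    patterns = _as_list(patterns)
    if not case_sensitive:
        patterns = [p.lower() for p in patterns]
        value = value.lower()
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'ExplicitAllow' or 'ImplicitDeny'.

    All statements of all attached policies form one pool: a matching Deny
    wins immediately, a matching Allow is remembered, and a request that
    matches nothing falls through to the default deny.
    """
    decision = "ImplicitDeny"
    for doc in policies:
        statements = doc["Statement"]
        if isinstance(statements, dict):   # a single statement object is legal
            statements = [statements]
        for stmt in statements:
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource forms are not modelled
            if not _matches(stmt["Action"], action, case_sensitive=False):
                continue
            if not _matches(stmt["Resource"], resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"      # explicit deny always wins
            decision = "ExplicitAllow"     # keep looking for a Deny
    return decision


_POLICY_ARN = re.compile(r"^arn:[^:]+:iam::([^:]*):policy/.+$")


def policy_kind(arn):
    """Classify a managed policy by the account field of its ARN."""
    match = _POLICY_ARN.match(arn)
    if not match:
        raise ValueError(f"not a managed policy ARN: {arn}")
    account = match.group(1)
    if account == "aws":
        return "AWS managed"           # same ARN in every account
    if re.fullmatch(r"\d{12}", account):
        return "customer managed"      # lives only in that account
    raise ValueError(f"unexpected account field {account!r}")


if __name__ == "__main__":
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::app-uploads/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::finance-reports/q1.pdf"),
        ("s3:PutObject", "arn:aws:s3:::app-uploads/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::app-uploads/report.csv"),
    ]:
        print(f"{act:16} {res:42} -> {evaluate(ROLE_POLICIES, act, res)}")
    print(policy_kind("arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"))
    print(policy_kind("arn:aws:iam::123456789012:policy/AppUploadsWrite"))
```

The second request shows why the inline Deny is the right tool for an exception: the AWS managed read policy grants s3:GetObject on every bucket, but the single Deny statement on the identity overrides it for the finance bucket, and no amount of additional Allow statements in other attached policies can reopen it.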