Rules
- If the same action is both allowed and denied (example policy):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["s3:*"],
      "NotResource": ["arn:aws:s3:::khajalearning.com", "arn:aws:s3:::khajalearning.com/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::khajalearning.com", "arn:aws:s3:::khajalearning.com/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:us-west-2:798279872530:instance/i-0483025fca106795c"
    }
  ]
}
Conditions in IAM Policies
- Always check the Actions section of the service's IAM reference to see which conditions can be used with each action.
- For the condition syntax, refer here
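The two rules above (a matching explicit Deny wins over any Allow, and a Condition gates whether a statement applies at all) can be checked offline with a small evaluator. The Python below is an added example written for these notes; it is not AWS's evaluation code and not from the original page. It models a single identity-based policy only (no resource policies, SCPs or permissions boundaries), uses the page's own policy with the NotResource key corrected, and adds an assumed aws:MultiFactorAuthPresent condition to the EC2 start/stop statement purely to exercise the Condition logic. The conflict policy at the end is likewise constructed.

```python
"""Simplified IAM policy evaluator (added example, not AWS's own code).

Implements the evaluation order the notes describe for one identity-based
policy: a matching explicit Deny beats any Allow, and a request matched by
no Allow is implicitly denied. Handles Action/NotAction, Resource/NotResource,
'*' and '?' wildcards, and a small subset of condition operators.
"""
import fnmatch

# Constructed sample: the policy from the notes with "NotResource" spelled
# correctly, plus a Condition on the EC2 start/stop statement. Assumption:
# the MFA condition is not in the original notes; it is added only so the
# Condition code path is exercised.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["s3:*"],
         "NotResource": ["arn:aws:s3:::khajalearning.com",
                         "arn:aws:s3:::khajalearning.com/*"]},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::khajalearning.com",
                      "arn:aws:s3:::khajalearning.com/*"]},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:us-west-2:798279872530:instance/i-0483025fca106795c",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Constructed sample of the "same action allowed and denied" rule.
CONFLICT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value, fold=False):
    """True if any IAM-style pattern ('*', '?') matches the value."""
    if fold:  # action names are case-insensitive; ARNs are not
        return any(fnmatch.fnmatchcase(value.lower(), p.lower())
                   for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(operator, actual, expected):
    if actual is None:  # a missing context key never satisfies these operators
        return False
    values = [str(v) for v in _as_list(expected)]
    if operator == "StringEquals":
        return str(actual) in values
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(str(actual), v) for v in values)
    if operator == "Bool":
        return str(actual).lower() == values[0].lower()
    raise NotImplementedError(f"condition operator {operator} is not modelled")


def _statement_applies(stmt, action, resource, context):
    """A statement applies only if action, resource and every condition match."""
    if "Action" in stmt:
        if not _match_any(stmt["Action"], action, fold=True):
            return False
    elif "NotAction" in stmt:
        if _match_any(stmt["NotAction"], action, fold=True):
            return False
    else:
        return False
    if "Resource" in stmt:
        if not _match_any(stmt["Resource"], resource):
            return False
    elif "NotResource" in stmt:
        if _match_any(stmt["NotResource"], resource):
            return False
    else:
        return False
    # Conditions: AND across operator/key pairs, OR across the listed values.
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            if not _condition_holds(operator, context.get(key), expected):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    context = context or {}
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"  # Deny wins regardless of statement order
        decision = "allow"
    return decision


if __name__ == "__main__":
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::khajalearning.com/index.html"))
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x"))
    print(evaluate(CONFLICT_POLICY, "s3:DeleteBucket", "arn:aws:s3:::any"))
```

Run it as a script to see the three decisions for the bucket object (allow), a foreign bucket (explicit deny because the NotResource Deny applies) and the conflicting DeleteBucket (explicit deny even though a broader Allow matches). Reordering the statements in CONFLICT_POLICY does not change the outcome, which is the point of the first rule.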
Cross-Account IAM Policies
- AWS supports federated logins using IAM identity providers, which work with SAML- and OpenID-based identity servers
- Some examples of identity servers:
  - Windows Server 2016 AD FS
  - Refer to Certified OpenID Provider servers and services here
Groups
- Logically group users and assign policies to the group so that they apply to multiple users
