AWS Classroom Series – 30/Jul/2020

IAM JSON Policy Grammar

  • Refer Here for official documentation
  • IAM Policy Basic structure would be
    "Version": ("2008-10-17" | "2012-10-17")
    "Id": <policy id string>
    "Statement": [
  • Statement structure would be
    "Sid": <sid_string>,
    "Effect": ("Allow" | "Deny")
    "Principal": {
        <principal map entry>,
        <principal map entry>
    "NotPrincipal": {
        <principal map entry>,
        <principal map entry>
    "Action": [

IAM Json Policy Elements

  • Version: This element specifies the language syntax rules
"Version": "2012-10-17"
  • Id: This element is optional, Organizations use ID to ensure uniqueness. AWS recommends using UUID(GUID) as ID
  • Statement:
    • This is main element for a policy & is a required element
    • Statement element can contain a single statement or multiple statements.
    • Each statement defines authorization for user/role/for any principal by giving Effect as ALLOW or Deny over actions
        "Effect": "Allow",
        "Action": "*",
        "Resource": *
    • Default value of Effect is "Deny"
    • Principal: this element in a policy specifies the principal that is allowed or denied an access to a resource. You can specify any of the following as principals
      • AWS account
      • IAM user
      • Federated user
      • IAM roles
      • AWS Services
    • For any thing which you create in AWS there will be a unique identifier, for resources like EC2, S3 etc we call it as ARN (Amazon Resource Name) and Principals also will have ARN (Amazon Resource Name)
    • Resource: Which resource you are allowing/denying the access in a statement. Resource are identified as ARNs

Amazon Resource Name (ARNs)

Lets find the ARN for s3 bucket
  • Sample bucket Preview
  • Documentation Refer Here
  • From documentation the format is Preview
  • So the ARN for S3 bucket mentioned above would be
Now lets find the ARN for EC2 instance
  • Sample ec2 instance Preview
  • Refer Here
  • To find arn for ec2 instance follow the navigation as shown below Preview Preview Preview Preview
  • My format of ARN is
${Partition} = aws
${Region} = us-west-2
${Account} = <your account id>
${InstanceId} = i-0a08c4b370aaabb42

Now lets find the ARN for EBS Volume
  • Sample Volume Preview
  • We found this format Preview
  • Now find ARN for AWS RDS instance Preview
  • Now lets find ARN for AWS IAM USER Preview

Next Steps

  • On Resources we can perform actions and when we define IAM policy we have to create authorization to some user to allow all actions or some actions or deny all actions or deny some actions.
  • For that we need to understand actions available in Resources, to make our policy effective.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About learningthoughtsadmin