AWS Classroom Series – 30/Jul/2020

IAM JSON Policy Grammar

• Refer Here for official documentation
• IAM Policy Basic structure would be

{
    "Version": ("2008-10-17" | "2012-10-17")
    "Id": <policy id string>
    "Statement": [
        <statement-1>,
        <statement-2>
        ..
        ..
        <statement-n>
    ]
}

• Statement structure would be

{
    "Sid": <sid_string>,
    "Effect": ("Allow" | "Deny")
    "Principal": {
        <principal map entry>,
        ...
        <principal map entry>
    },
    "NotPrincipal": {
        <principal map entry>,
        ...
        <principal map entry>
    },
    "Action": [
        <actionstring>
    ]
}

IAM Json Policy Elements

• Version: This element specifies the language syntax rules

"Version": "2012-10-17"

• Id: This element is optional, Organizations use ID to ensure uniqueness. AWS recommends using UUID(GUID) as ID
• Statement:
  • This is main element for a policy & is a required element
  • Statement element can contain a single statement or multiple statements.
  • Each statement defines authorization for user/role/for any principal by giving Effect as ALLOW or Deny over actions

  {
      "Effect": "Allow",
      "Action": "*",
      "Resource": *
      
  }
  

  • Default value of Effect is "Deny"
  • Principal: this element in a policy specifies the principal that is allowed or denied an access to a resource. You can specify any of the following as principals
    • AWS account
    • IAM user
    • Federated user
    • IAM roles
    • AWS Services
  • For any thing which you create in AWS there will be a unique identifier, for resources like EC2, S3 etc we call it as ARN (Amazon Resource Name) and Principals also will have ARN (Amazon Resource Name)
  • Resource: Which resource you are allowing/denying the access in a statement. Resource are identified as ARNs

Amazon Resource Name (ARNs)

• Refer Here for official docs
• used to uniquely identify AWS resources.
• Format: Refer Here

Lets find the ARN for s3 bucket

• Sample bucket
• Documentation Refer Here
• From documentation the format is
• So the ARN for S3 bucket mentioned above would be

arn:aws:s3:::referenceappkhaja

Now lets find the ARN for EC2 instance

• Sample ec2 instance
• Refer Here
• To find arn for ec2 instance follow the navigation as shown below
• My format of ARN is

arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}
${Partition} = aws
${Region} = us-west-2
${Account} = <your account id>
${InstanceId} = i-0a08c4b370aaabb42

arn:aws:ec2:us-west-2:<your-account-id>:instance/i-0a08c4b370aaabb42

Now lets find the ARN for EBS Volume

• Sample Volume
• We found this format
• Now find ARN for AWS RDS instance
• Now lets find ARN for AWS IAM USER

Next Steps

• On Resources we can perform actions and when we define IAM policy we have to create authorization to some user to allow all actions or some actions or deny all actions or deny some actions.
• For that we need to understand actions available in Resources, to make our policy effective.