AWS Classroom Series – 19/Nov/2020

IAM Policy grammar

  • Refer Here for official docs
  • In AWS, access is granted to a user, group or role by attaching an IAM policy.
  • There are AWS managed IAM policies, and we can also create custom policies.
  • Let's try to create custom policies (Refer Here). The official policy grammar:
policy  = {
     <version_block?>
     <id_block?>
     <statement_block>
}

<version_block> = "Version" : ("2008-10-17" | "2012-10-17")

<id_block> = "Id" : <policy_id_string>

<statement_block> = "Statement" : [ <statement>, <statement>, ... ]

<statement> = { 
    <sid_block?>,
    <principal_block?>,
    <effect_block>,
    <action_block>,
    <resource_block>,
    <condition_block?>
}

<sid_block> = "Sid" : <sid_string>

<effect_block> = "Effect" : ("Allow" | "Deny")  

<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)

<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }

<principal_map_entry> = ("AWS" | "Federated" | "Service" | "CanonicalUser") :   
    [<principal_id_string>, <principal_id_string>, ...]

<action_block> = ("Action" | "NotAction") : 
    ("*" | [<action_string>, <action_string>, ...])

<resource_block> = ("Resource" | "NotResource") : 
    ("*" | [<resource_string>, <resource_string>, ...])

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}  
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")
  • Let's write a simple skeleton of an IAM policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect" : "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
  • Version: Refer Here
  • Statement: Refer Here
  • Every resource you create in AWS has an Amazon Resource Name (ARN) attached to it.
  • Scenario 1: Let's create an S3 bucket and give justice league permission on only that specific S3 bucket.
    • Created an S3 bucket.
    • Now let's write an IAM policy.
    • In an IAM policy the default is an implicit deny: anything not explicitly allowed is denied.
    • Let's find the S3 actions (Refer Here and then Refer Here).
    • Refer Here for the changes done.
    • Now create an IAM policy from the JSON and attach it to justice league.
    • Now let's try to access S3 buckets from the console.
    • The console needs permission to list buckets, so let's add list-buckets access to this policy (Refer Here for the changes done).
  • Scenario 2: Create two VPCs, ntier1 and ntier2. Give all access to ntier1 to avengers and all access to ntier2 to justiceleague.
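The following is an added example (not code from the class notes or from AWS): a small Python checker that enforces the structural rules of the policy grammar above (allowed Version values, Allow/Deny Effect, exactly one of Action/NotAction and Resource/NotResource, ARN-shaped resources, known principal types), and a builder for the Scenario 1 policy: full access to one named bucket plus the account-level s3:ListAllMyBuckets the console needs, everything else left to the implicit deny. The bucket name is a constructed placeholder, and the checker is a hypothetical helper written for this page, not an AWS tool.

```python
"""Added example: validate an IAM policy document against the grammar shown on
the page, then build and check the Scenario 1 bucket-scoped policy.
Names such as the bucket are constructed placeholders."""
import json
import re

VERSIONS = {"2008-10-17", "2012-10-17"}                  # <version_block>
EFFECTS = {"Allow", "Deny"}                               # <effect_block>
PRINCIPAL_KEYS = {"AWS", "Federated", "Service", "CanonicalUser"}  # <principal_map_entry>

# Shape of an ARN: arn:partition:service:region:account:resource ("*" is also legal).
ARN_RE = re.compile(r"^arn:[^:]*:[^:]*:[^:]*:[^:]*:.+$")


def _as_list(value):
    """AWS accepts a single string where the grammar shows a list."""
    return value if isinstance(value, list) else [value]


def _exactly_one(stmt, *keys):
    """The grammar pairs ("Action" | "NotAction") etc.: exactly one must appear."""
    present = [k for k in keys if k in stmt]
    if len(present) != 1:
        raise ValueError(f"exactly one of {keys} is required, found {present}")
    return present[0]


def check_statement(stmt):
    """Return a list of grammar violations for one <statement> (empty = ok)."""
    problems = []
    if stmt.get("Effect") not in EFFECTS:
        problems.append(f"Effect must be Allow or Deny, got {stmt.get('Effect')!r}")
    try:
        _exactly_one(stmt, "Action", "NotAction")
    except ValueError as e:
        problems.append(str(e))
    try:
        rkey = _exactly_one(stmt, "Resource", "NotResource")
        for r in _as_list(stmt[rkey]):
            if r != "*" and not ARN_RE.match(r):
                problems.append(f"{rkey} entry is not an ARN: {r!r}")
    except ValueError as e:
        problems.append(str(e))
    if "Principal" in stmt and "NotPrincipal" in stmt:
        problems.append("Principal and NotPrincipal are mutually exclusive")
    for pkey in ("Principal", "NotPrincipal"):
        pval = stmt.get(pkey)
        if isinstance(pval, dict):
            unknown = sorted(set(pval) - PRINCIPAL_KEYS)
            if unknown:
                problems.append(f"{pkey} has unknown principal type(s) {unknown}")
    if "Condition" in stmt and not isinstance(stmt["Condition"], dict):
        problems.append("Condition must be a map of condition operators")
    return problems


def check_policy(policy):
    """Return all violations for a whole policy document (empty list = ok)."""
    problems = []
    if "Version" in policy and policy["Version"] not in VERSIONS:
        problems.append(f"Version must be one of {sorted(VERSIONS)}")
    if "Statement" not in policy:
        return problems + ["Statement block is required"]
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        problems += [f"Statement[{i}]: {p}" for p in check_statement(stmt)]
    return problems


def bucket_policy(bucket):
    """Scenario 1: access to one bucket only. ListAllMyBuckets is account-level
    and must be granted on "*"; everything else is scoped to the bucket ARN
    and its object ARNs. No Principal: this is an identity-based policy that
    gets attached to the group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListBucketsForConsole",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*",
            },
            {
                "Sid": "OnlyThisBucket",
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


if __name__ == "__main__":
    policy = bucket_policy("example-justice-league-bucket")  # constructed name
    print(json.dumps(policy, indent=2))
    print("violations:", check_policy(policy))
```

The checker only enforces what the grammar states; it does not evaluate whether a policy is over-broad. A quick way to see the difference is to run the page's skeleton policy through it: it passes the grammar check even though "Action": "*" on "Resource": "*" grants everything, which is exactly why Scenario 1 narrows the resource to one bucket ARN.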
