AWS Classroom Series – 19/Nov/2020

IAM Policy grammar

  • Refer Here for official docs
  • In AWS, access is granted to a User, Group or Role by attaching an IAM policy to it.
  • There are AWS managed IAM policies, and we can also create our own customer managed (custom) policies.
  • Let's try to create custom policies. Refer Here for the policy grammar.
policy  = {
     <version_block?>
     <id_block?>
     <statement_block>
}

<version_block> = "Version" : ("2008-10-17" | "2012-10-17")

<id_block> = "Id" : <policy_id_string>

<statement_block> = "Statement" : [ <statement>, <statement>, ... ]

<statement> = { 
    <sid_block?>,
    <principal_block?>,
    <effect_block>,
    <action_block>,
    <resource_block>,
    <condition_block?>
}

<sid_block> = "Sid" : <sid_string>

<effect_block> = "Effect" : ("Allow" | "Deny")  

<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)

<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }

<principal_map_entry> = ("AWS" | "Federated" | "Service" | "CanonicalUser") :   
    [<principal_id_string>, <principal_id_string>, ...]

<action_block> = ("Action" | "NotAction") : 
    ("*" | [<action_string>, <action_string>, ...])

<resource_block> = ("Resource" | "NotResource") : 
    ("*" | [<resource_string>, <resource_string>, ...])

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}  
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")
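The grammar above is easy to misread in a hand-written policy (two Actions in one statement, a misspelled Effect, a Version that is not one of the two documented dates). The following structural checker is an added example written for this post, not code from the post or from AWS; it enforces only the shape shown in the grammar and knows nothing about which action names or condition keys really exist. The sample policy it checks is constructed here.

```python
"""Minimal structural checker for the IAM policy grammar shown above.

Added example (not from the original post or from AWS). It checks the
shape of Version, Statement, Effect, Action/NotAction, Resource/NotResource,
Principal/NotPrincipal and Condition only; it does not validate action
names, ARNs or condition keys.
"""
import json

VERSIONS = {"2008-10-17", "2012-10-17"}
EFFECTS = {"Allow", "Deny"}
PRINCIPAL_KEYS = {"AWS", "Federated", "Service", "CanonicalUser"}
STATEMENT_KEYS = {"Sid", "Principal", "NotPrincipal", "Effect", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}


def _string_or_list(value):
    """Accept "*", a single string, or a list of strings (grammar allows all)."""
    if isinstance(value, str):
        return True
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def validate_policy(policy):
    """Return a list of grammar errors; an empty list means the shape is valid."""
    errors = []
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    unknown = set(policy) - {"Version", "Id", "Statement"}
    if unknown:
        errors.append(f"unknown top-level keys: {sorted(unknown)}")
    if "Version" in policy and policy["Version"] not in VERSIONS:
        errors.append(f"Version must be one of {sorted(VERSIONS)}")
    if "Statement" not in policy:
        return errors + ["Statement block is required"]
    statements = policy["Statement"]
    if isinstance(statements, dict):  # AWS also accepts a single statement object
        statements = [statements]
    if not isinstance(statements, list):
        return errors + ["Statement must be a list of statement objects"]
    for i, st in enumerate(statements):
        errors.extend(f"statement {i}: {e}" for e in _validate_statement(st))
    return errors


def _validate_statement(st):
    errors = []
    if not isinstance(st, dict):
        return ["statement must be a JSON object"]
    unknown = set(st) - STATEMENT_KEYS
    if unknown:
        errors.append(f"unknown keys: {sorted(unknown)}")
    if st.get("Effect") not in EFFECTS:
        errors.append("Effect must be 'Allow' or 'Deny'")
    # Exactly one of each mutually exclusive pair must be present.
    for a, b in (("Action", "NotAction"), ("Resource", "NotResource")):
        present = [k for k in (a, b) if k in st]
        if len(present) != 1:
            errors.append(f"exactly one of {a}/{b} is required")
        elif not _string_or_list(st[present[0]]):
            errors.append(f"{present[0]} must be a string or list of strings")
    if "Principal" in st and "NotPrincipal" in st:
        errors.append("Principal and NotPrincipal are mutually exclusive")
    for key in ("Principal", "NotPrincipal"):
        if key in st:
            errors.extend(_validate_principal(st[key], key))
    if "Condition" in st:
        errors.extend(_validate_condition(st["Condition"]))
    return errors


def _validate_principal(p, key):
    if p == "*":
        return []
    if not isinstance(p, dict):
        return [f"{key} must be '*' or a principal map"]
    errors = []
    for k, v in p.items():
        if k not in PRINCIPAL_KEYS:
            errors.append(f"{key}: unknown principal type {k!r}")
        if not _string_or_list(v):
            errors.append(f"{key}.{k} must be a string or list of strings")
    return errors


def _validate_condition(cond):
    if not isinstance(cond, dict):
        return ["Condition must be an object"]
    errors = []
    for op, keys in cond.items():  # e.g. "StringEquals": {"aws:username": [...]}
        if not isinstance(keys, dict):
            errors.append(f"Condition {op!r} must map condition keys to values")
            continue
        for ck, values in keys.items():
            if not isinstance(values, (str, int, float, bool, list)):
                errors.append(f"Condition {op}.{ck}: value must be string, number, Boolean or list")
    return errors


if __name__ == "__main__":
    # Constructed sample: the skeleton from the post plus a deliberately broken statement.
    broken = json.loads('''{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Permit", "Action": "s3:GetObject", "NotAction": "s3:*"}
      ]
    }''')
    for err in validate_policy(broken):
        print(err)
```

Run it against a policy before pasting it into the console: the console's own validator catches the same shape errors, but this runs offline and in CI, where hand-edited policy JSON usually breaks.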
  • Let's write a simple skeleton of an IAM policy. Note that this skeleton is equivalent to the AWS managed AdministratorAccess policy: Action "*" on Resource "*" allows every API call on every resource, so treat it as a template to narrow down, not as something to attach as-is.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect" : "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
  • Version : Refer Here
  • Statement: Refer Here
  • For any resource you create in AWS, an Amazon Resource Name (ARN) is attached to it, and the Resource block of a statement refers to resources by their ARNs.
  • Scenario 1: Let's create an S3 bucket and give the justice league group permissions on that specific S3 bucket only.
    • Created an S3 bucket.
    • Now let's write an IAM policy.
    • In IAM, the default is deny: any request not explicitly allowed by some statement is implicitly denied, and an explicit Deny always overrides an Allow.
    • Let's find the S3 actions. Refer Here and then Refer Here.
    • Refer Here for the changes done.
    • Now create an IAM policy from the JSON and attach it to the justice league group.
    • Now let's try to access S3 buckets from the console. The console's bucket list needs s3:ListAllMyBuckets, which is only valid on Resource "*", so a policy scoped to one bucket ARN does not cover it.
    • So let's add list-buckets access (s3:ListAllMyBuckets on Resource "*") to this policy. Refer Here for the changes done.
  • Scenario 2: Create two VPCs, ntier1 and ntier2. Give all access to ntier1 to avengers and to ntier2 to justiceleague.
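Scenario 1 written out as code, together with a small evaluator that shows why the bucket-scoped policy fails the console bucket list and why an explicit Deny cannot be undone by an Allow. This is an added example for this post, not the post's own policy JSON: the bucket name is a placeholder, and the evaluator implements only the documented rules for a single identity policy without conditions (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny).

```python
"""Scenario 1 as code: a bucket-scoped S3 policy plus a tiny IAM evaluator.

Added example, not from the original post. BUCKET is a placeholder
(assumption). evaluate() covers one identity policy with no Condition
blocks: explicit Deny wins, then any matching Allow, else implicit deny.
"""
import fnmatch
import json

BUCKET = "justice-league-bucket"  # placeholder bucket name (assumption)


def bucket_policy(bucket):
    """Identity policy for a group that should only touch one bucket.

    The console bucket list calls s3:ListAllMyBuckets, which is only valid
    on Resource "*", so it gets its own statement rather than widening the
    bucket-scoped statements.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConsoleBucketList",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*",
            },
            {
                "Sid": "ThisBucketOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ObjectsInThisBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _matches(patterns, value):
    """IAM-style matching with '*' and '?' wildcards (caller handles case)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_applies(st, action, resource):
    # Action names are case-insensitive in IAM; ARNs are matched as written.
    action = action.lower()
    if "Action" in st:
        action_hit = _matches([a.lower() for a in _as_list(st["Action"])], action)
    else:
        action_hit = not _matches([a.lower() for a in _as_list(st["NotAction"])], action)
    if "Resource" in st:
        res_hit = _matches(st["Resource"], resource)
    else:
        res_hit = not _matches(st["NotResource"], resource)
    return action_hit and res_hit


def evaluate(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing matched: denied by default
    for st in policy["Statement"]:
        if not _statement_applies(st, action, resource):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"  # a Deny is never overridden by an Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for action, resource in [
        ("s3:ListAllMyBuckets", "*"),
        ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::avengers-bucket/report.csv"),
        ("s3:DeleteBucket", f"arn:aws:s3:::{BUCKET}"),
    ]:
        print(f"{action:22} {resource:48} -> {evaluate(policy, action, resource)}")
```

Bucket-level actions (ListBucket, GetBucketLocation) use the bucket ARN, object-level actions use the bucket ARN with "/*"; a common mistake is putting both on the bare bucket ARN, which silently leaves every GetObject implicitly denied.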
