IAM Policy
- Access in AWS is managed by creating or using policies and attaching them to IAM identities (users, user groups, roles).
- A policy is an object in AWS that, when associated with an identity or resource, defines its permissions.
- AWS evaluates these policies when an IAM principal (user or role) makes a request.
- Most policies in AWS are stored as JSON documents.
- Refer Here for the IAM policy language and grammar.
policy = {
    <version_block?>
    <id_block?>
    <statement_block>
}
<version_block> = "Version" : ("2008-10-17" | "2012-10-17")
<id_block> = "Id" : <policy_id_string>
<statement_block> = "Statement" : [ <statement>, <statement>, ... ]
<statement> = {
    <sid_block?>,
    <principal_block?>,
    <effect_block>,
    <action_block>,
    <resource_block>,
    <condition_block?>
}
<sid_block> = "Sid" : <sid_string>
<effect_block> = "Effect" : ("Allow" | "Deny")
<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)
<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }
<principal_map_entry> = ("AWS" | "Federated" | "Service" | "CanonicalUser") :
    [<principal_id_string>, <principal_id_string>, ...]
<action_block> = ("Action" | "NotAction") :
    ("*" | [<action_string>, <action_string>, ...])
<resource_block> = ("Resource" | "NotResource") :
    ("*" | [<resource_string>, <resource_string>, ...])
<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
    <condition_type_string> : { <condition_key_string> : <condition_value_list> },
    <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")
- Version Block:
"Version" : ("2008-10-17" | "2012-10-17")
- Id Block: Optional. It is recommended to use a UUID (GUID). Refer Here
"Id": "<policy_id_string>"
"Id":"Admin_Policy"
"Id":"cd3ad3d9-2776-4ef1-a904-4c229d1642ee"
- Statement:
- This is the main element of the policy.
- It can contain a single statement or an array of statements.
"Statement": [{...}, {...}]
- Each statement has the following structure:
<statement> = {
    <sid_block?>,
    <principal_block?>,
    <effect_block>,
    <action_block>,
    <resource_block>,
    <condition_block?>
}
- First policy: give full access to a single resource (in this example I have used my S3 bucket).
{
    "Version": "2012-10-17",
    "Id": "FirstPolicyForLearning",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "arn:aws:s3:::khajadatascience.com"
        }
    ]
}
- Let's add a second policy JSON that allows everything on the bucket apart from deleting it (the explicit Deny on s3:DeleteBucket overrides the Allow on "*").
{
    "Version": "2012-10-17",
    "Id": "SecondPolicyForLearning",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "arn:aws:s3:::khajadatascience.com"
        },
        {
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::khajadatascience.com"
        }
    ]
}
- Refer Here
- Write a simple JSON policy which allows all actions on S3 and denies all actions on EC2.
{
    "Version": "2012-10-17",
    "Id": "SecondPolicyForLearning",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}
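As an added example (not part of these notes), a small Python checker that validates a policy document against the grammar blocks above and evaluates a request against one or more policies with the rule the second policy relies on: an explicit Deny overrides any Allow. The two policies are copies of the multi-statement ones above (the second given the Id ThirdPolicyForLearning); Principal and Condition blocks are not modelled, and the object-ARN case shows that a bucket ARN alone does not match object-level requests such as s3:GetObject.

```python
import fnmatch
import json

# Constructed copies of the two multi-statement policies in the notes above.
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Id": "SecondPolicyForLearning", "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::khajadatascience.com"},
  {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::khajadatascience.com"}]}""")
S3_NOT_EC2 = json.loads("""{"Version": "2012-10-17", "Id": "ThirdPolicyForLearning", "Statement": [
  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}, {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}""")

def _statements(policy):
    # The grammar allows Statement to be one object or an array; normalise to a list.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts

def validate(policy):
    """Return the grammar violations found; an empty list means the required blocks are present."""
    problems = []
    if policy.get("Version") not in ("2008-10-17", "2012-10-17"):
        problems.append("Version must be 2008-10-17 or 2012-10-17")
    if "Statement" not in policy:
        problems.append("Statement block is required")
    for i, s in enumerate(_statements(policy)):
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if ("Action" in s) == ("NotAction" in s):
            problems.append(f"statement {i}: exactly one of Action/NotAction is required")
        if ("Resource" in s) == ("NotResource" in s):
            problems.append(f"statement {i}: exactly one of Resource/NotResource is required")
    return problems

def _matches(spec, value, fold_case):
    # spec is a string or a list of strings; '*' and 'service:Prefix*' wildcards are supported.
    patterns = [spec] if isinstance(spec, str) else spec
    if fold_case:  # action names compare case-insensitively, ARNs do not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Implicit deny unless an Allow matches; a matching explicit Deny wins. Conditions are ignored."""
    decision = "ImplicitDeny"
    for policy in policies:
        for s in _statements(policy):
            act = _matches(s["Action"], action, True) if "Action" in s else not _matches(s["NotAction"], action, True)
            res = _matches(s["Resource"], resource, False) if "Resource" in s else not _matches(s["NotResource"], resource, False)
            if act and res:
                if s["Effect"] == "Deny":
                    return "ExplicitDeny"  # an explicit deny overrides every Allow
                decision = "Allow"
    return decision
```

Calling evaluate([BUCKET_POLICY], "s3:GetObject", "arn:aws:s3:::khajadatascience.com/index.html") returns "ImplicitDeny" because the object ARN does not match the bucket ARN, which is why object access normally needs a second Resource entry ending in /*.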