AWS Classroomnotes 07/Apr/2022

IAM Policy

  • Access in AWS is managed by creating or using policies and attaching them to IAM identities (Users, User Groups, Roles).
  • A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.
  • AWS evaluates these policies when an IAM principal (user or role) makes a request.
  • Most policies in AWS are stored as JSON documents.
  • Refer Here for the IAM Policy Language and grammar.
policy = {
    <version_block?>
    <id_block?>
    <statement_block>
}


<version_block> = "Version" : ("2008-10-17" | "2012-10-17")

<id_block> = "Id" : <policy_id_string>

<statement_block> = "Statement" : [ <statement>, <statement>, ... ]

<statement> = { 
    <sid_block?>,
    <principal_block?>,
    <effect_block>,
    <action_block>,
    <resource_block>,
    <condition_block?>
}

<sid_block> = "Sid" : <sid_string>

<effect_block> = "Effect" : ("Allow" | "Deny")  

<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)

<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }

<principal_map_entry> = ("AWS" | "Federated" | "Service" | "CanonicalUser") :   
    [<principal_id_string>, <principal_id_string>, ...]

<action_block> = ("Action" | "NotAction") : 
    ("*" | [<action_string>, <action_string>, ...])

<resource_block> = ("Resource" | "NotResource") : 
    ("*" | [<resource_string>, <resource_string>, ...])

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}  
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")
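The grammar above is easiest to understand by checking a policy against it mechanically. The following validator is an added example written for these notes (not AWS code and not part of the original notes): it walks a parsed policy and reports every place where the document breaks the grammar (wrong Version, missing Effect, both Action and NotAction present, a bad Principal map, and so on). It accepts Statement as either a single object or an array, as the notes describe. The sample policies inside it are constructed for the demonstration.

```python
import json

# Allowed values taken from the grammar above.
VERSIONS = {"2008-10-17", "2012-10-17"}
EFFECTS = {"Allow", "Deny"}
PRINCIPAL_KEYS = {"AWS", "Federated", "Service", "CanonicalUser"}
KNOWN_STATEMENT_KEYS = {"Sid", "Principal", "NotPrincipal", "Effect",
                        "Action", "NotAction", "Resource", "NotResource", "Condition"}


def _string_or_list(value):
    """A block's value is either a single string or a non-empty list of strings."""
    if isinstance(value, str):
        return True
    return isinstance(value, list) and len(value) > 0 and all(isinstance(v, str) for v in value)


def _check_statement(index, stmt, errors):
    """Append grammar violations found in one <statement> to `errors`."""
    where = f"Statement[{index}]"
    if not isinstance(stmt, dict):
        errors.append(f"{where}: must be a JSON object")
        return
    for key in stmt.keys() - KNOWN_STATEMENT_KEYS:
        errors.append(f"{where}: unknown element {key!r}")
    if stmt.get("Effect") not in EFFECTS:
        errors.append(f"{where}: Effect must be Allow or Deny")
    # Exactly one of (Action | NotAction) and exactly one of (Resource | NotResource).
    for positive, negative in (("Action", "NotAction"), ("Resource", "NotResource")):
        present = [k for k in (positive, negative) if k in stmt]
        if len(present) != 1:
            errors.append(f"{where}: exactly one of {positive}/{negative} is required")
        elif not _string_or_list(stmt[present[0]]):
            errors.append(f"{where}: {present[0]} must be a string or a list of strings")
    if "Sid" in stmt and not isinstance(stmt["Sid"], str):
        errors.append(f"{where}: Sid must be a string")
    if "Principal" in stmt and "NotPrincipal" in stmt:
        errors.append(f"{where}: Principal and NotPrincipal cannot both be present")
    for key in ("Principal", "NotPrincipal"):
        if key not in stmt or stmt[key] == "*":
            continue
        principal = stmt[key]
        well_formed = (isinstance(principal, dict) and principal and
                       all(k in PRINCIPAL_KEYS and _string_or_list(v) for k, v in principal.items()))
        if not well_formed:
            errors.append(f"{where}: {key} must be \"*\" or a map keyed by "
                          "AWS/Federated/Service/CanonicalUser")
    if "Condition" in stmt:
        cond = stmt["Condition"]
        # <condition_type_string> : { <condition_key_string> : <condition_value_list> }
        well_formed = isinstance(cond, dict) and all(
            isinstance(keys, dict) and
            all(isinstance(v, (str, int, float, bool, list)) for v in keys.values())
            for keys in cond.values())
        if not well_formed:
            errors.append(f"{where}: Condition must map operator -> {{ key -> value(s) }}")


def validate_policy(policy):
    """Return the list of grammar violations; an empty list means the policy parses."""
    errors = []
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    if "Version" in policy and policy["Version"] not in VERSIONS:
        errors.append("Version must be 2008-10-17 or 2012-10-17")
    if "Id" in policy and not isinstance(policy["Id"], str):
        errors.append("Id must be a string")
    if "Statement" not in policy:
        errors.append("Statement block is required")
        return errors
    statements = policy["Statement"]
    statements = statements if isinstance(statements, list) else [statements]
    for i, stmt in enumerate(statements):
        _check_statement(i, stmt, errors)
    return errors


# Constructed sample documents for the demonstration.
GOOD_POLICY = json.loads('{"Version": "2012-10-17", "Id": "ValidatorDemo", '
                         '"Statement": {"Effect": "Allow", "Action": "s3:ListBucket", '
                         '"Resource": "*", "Principal": {"AWS": ["123456789012"]}}}')
BAD_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "allow", '
                        '"Action": "s3:*", "NotAction": "s3:DeleteBucket"}]}')

if __name__ == "__main__":
    print("good:", validate_policy(GOOD_POLICY))   # []
    print("bad:", validate_policy(BAD_POLICY))     # three violations
```

A validator like this only proves that a document has the right shape; it says nothing about whether the permissions are sensible, which is what the evaluation rules in the rest of the notes cover.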
  • Version Block: Optional
"Version" : ("2008-10-17" | "2012-10-17")
  • Id Block: Optional. It is recommended to use a UUID (GUID). Refer Here
"Id": "<policy_id_string>"

"Id":"Admin_Policy"

"Id":"cd3ad3d9-2776-4ef1-a904-4c229d1642ee"
  • Statement:
    • This is the main element of the policy.
    • This can contain a single statement or an array of statements
      "Statement": [{...}, {...}]
    • Each statement will have the following elements
      <statement> = {
      <sid_block?>,
      <principal_block?>,
      <effect_block>,
      <action_block>,
      <resource_block>,
      <condition_block?>
      }
  • First Policy to give full access to some resource (in this example I have taken my s3 bucket)
{
    "Version": "2012-10-17",
    "Id": "FirstPolicyForLearning",
    "Statement": [
        {
            "Effect": "Allow", 
            "Action":  "*",     
            "Resource": "arn:aws:s3:::khajadatascience.com"
        }

    ]
}
  • Let's add a second policy JSON that allows anything on the bucket apart from deleting it
{
    "Version": "2012-10-17",
    "Id": "SecondPolicyForLearning",
    "Statement": [
        {
            "Effect": "Allow", 
            "Action":  "*",     
            "Resource": "arn:aws:s3:::khajadatascience.com"
        },
        {
            "Effect": "Deny", 
            "Action":  "s3:DeleteBucket",    
            "Resource": "arn:aws:s3:::khajadatascience.com"
        }

    ]
}
  • Refer Here
  • Write a simple JSON policy which allows all actions on s3 and denies all actions on ec2
{
    "Version": "2012-10-17",
    "Id": "SecondPolicyForLearning",
    "Statement": [
        {
            "Effect": "Allow", 
            "Action":  "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}
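The three sample policies above are a good test set for the rule AWS applies when a principal makes a request: everything is implicitly denied, a matching Allow statement grants the request, and a matching Deny statement overrides any Allow. The evaluator below is an added example written for these notes (not AWS code and not from the original notes); it embeds the notes' three policies, implements Action/NotAction and Resource/NotResource matching with IAM-style `*` and `?` wildcards (action names compared case-insensitively, resources case-sensitively), and returns the effective decision. It assumes identity-based policies only and no Condition blocks; real evaluation also takes resource policies, permission boundaries, SCPs and session policies into account.

```python
import json
import re

# Policies copied from the notes above, embedded so the example runs offline.
FULL_ACCESS = json.loads("""
{
    "Version": "2012-10-17",
    "Id": "FirstPolicyForLearning",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::khajadatascience.com"}
    ]
}""")

NO_DELETE = json.loads("""
{
    "Version": "2012-10-17",
    "Id": "SecondPolicyForLearning",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::khajadatascience.com"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::khajadatascience.com"}
    ]
}""")

S3_YES_EC2_NO = json.loads("""
{
    "Version": "2012-10-17",
    "Id": "ThirdPolicyForLearning",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}
    ]
}""")


def _as_list(value):
    """The grammar allows a bare string or a list of strings; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, case_insensitive):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _statement_applies(stmt, action, resource):
    """True when the statement's action and resource blocks cover the request."""
    if "Action" in stmt:
        action_hit = any(_glob_match(p, action, True) for p in _as_list(stmt["Action"]))
    else:  # NotAction: statement applies to every action NOT listed
        action_hit = not any(_glob_match(p, action, True) for p in _as_list(stmt["NotAction"]))
    if "Resource" in stmt:
        resource_hit = any(_glob_match(p, resource, False) for p in _as_list(stmt["Resource"]))
    else:  # NotResource: statement applies to every resource NOT listed
        resource_hit = not any(_glob_match(p, resource, False) for p in _as_list(stmt["NotResource"]))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request across all attached identity policies.

    Assumption: no Condition blocks are present (they are not evaluated here)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # an explicit deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matched


if __name__ == "__main__":
    bucket = "arn:aws:s3:::khajadatascience.com"
    print(evaluate([NO_DELETE], "s3:DeleteBucket", bucket))              # Deny (explicit)
    print(evaluate([NO_DELETE], "s3:ListBucket", bucket))                # Allow
    print(evaluate([FULL_ACCESS], "s3:GetObject", bucket + "/notes.txt"))  # Deny (implicit)
    print(evaluate([S3_YES_EC2_NO], "EC2:RunInstances", "*"))            # Deny (explicit)
```

Two things worth noticing when running it: the Deny in the second policy wins even when the first policy is attached alongside it, and the first policy does not actually grant object-level access, because the bucket ARN `arn:aws:s3:::khajadatascience.com` does not match object ARNs of the form `arn:aws:s3:::khajadatascience.com/key` (those need a separate `.../*` resource entry).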


About continuous learner

devops & cloud enthusiastic learner