AWS IAM Policies with Examples

Girish V P
Jun 15, 2018 · 3 min read

You know, Administrator adds the users, the groups, authorises the users for the resources and so on… It is up to an Administrator to allow the access and to regulate it. In AWS, IAM service does this for you. Root user is an only Administrator at the launch of your AWS account. It is not practical to approach him for every simple user access. No second admin!!! This forces the root user to create delegated administrators for the set of resources, restrict the users in terms of Region, IP address, S3 buckets etc. We can see them with some examples.

AWS Policies are of two kinds.

Identity based policies: The identity based policy is the one which can be attached directly with AWS identities like user, group or a role. IAM policy is an example of that. These policies can be AWS managed or a customer managed.

Resource based policies: Resource based policies are the ones which can be directly attached to the AWS resource like S3( called Amazon S3 bucket policy). Resource based policies are available only for certain services.

IAM Policy Structure

There are two ways you can create IAM policies from IAM web console . Visual Editor and a character based JSON policy editor. However, we focus on JSON policy which can give fine grained customised control over the resources. Once the policy is created it can be attached to user, group or role. The JSON policy document consist of following elements:

Effect –Allow or Deny access to the resource is decided by Effect (Allow/Deny)

Action — A set of service specific parameters (like “iam:CreateUser”).

Resource — Resource names (like “arn:aws:s3:::conf-* “)

Condition (Optional) — Grant conditions (like “aws:RequestedRegion”: “ap-south-1”)

IAM Policy Evaluation

  • By default, all requests are denied except for root.
  • An explicit allow overrides this default.
  • An explicit deny overrides any allows.

Note: if you have configured AWS Organization with SCP ( Service Control Policies), it filters the access in a service level. IAM policy cannot override SCP.

Let us see some of the useful IAM policies.

User related: Creation of a delegated Account Operator

Policy 1: Delegate read permission for IAM components.

{“Version”: “2012–10–17”,“Statement”: {“Effect”: “Allow”,“Action”: [“iam:Get*”,“iam:List*”],“Resource”: “*”}}

Policy 2: Delegates Account Operator who can create the user. Remember, htat he is not yet been given right to add the user to a group yet.(for that attach policy 3)

{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["iam:ListUsers","iam:ListGroups","iam:GetGroup","iam:CreateUser","iam:UpdateUser","iam:DeleteUser","iam:CreateVirtualMFADevice","iam:EnableMFADevice","iam:DeactivateMFADevice","iam:DeleteVirtualMFADevice","iam:CreateLoginProfile","iam:UpdateLoginProfile","iam:DeleteLoginProfile"],"Resource": "*"},{"Effect": "Allow","Action": ["iam:GetAccount*","iam:ListAccount*"],"Resource": "*"}]}

Policy 3: Delegates Account Operator to add the user to groups Developers and Operators only. (you may have to combine above two policies to get all the relevant permissions)

{“Version”: “2012–10–17”,“Statement”: {“Effect”: “Allow”,“Action”: [“iam:AddUserToGroup”,“iam:RemoveUserFromGroup”,“iam:GetGroup”],“Resource”: [“arn:aws:iam::609103258633:group/Developers”,“arn:aws:iam::609103258633:group/Operators”]}}

Region related

Policy 4: User is allowed to access EC2 resources from ap-south-1 ( Mumbai) only

{“Version”: “2012–10–17”,“Statement”: [{“Effect”: “Allow”,“Action”: [“ec2:*”],“Resource”: “*”,“Condition”: {“StringEquals”: {“aws:RequestedRegion”: “ap-south-1”}}}]}

Policy 5: EC2 service is available only when the user accesses the AWS web console from an IP address A.B.C.D(replace A.B.C.D with your public IP )

{“Version”: “2012–10–17”,“Statement”: {“Effect”: “Allow”,“Action”: “EC2:*”,“Resource”: “*”,“Condition”: {“IpAddress”: {“aws:SourceIp”: []}}}}

S3 Related

Policy 6: A power user is prevented from accessing/deleting any bucket starting with a name “conf-“. Assuming the user has full permission for the bucket before applying this policy.

{“Version”: “2012–10–17”,“Statement”: [{“Sid”: “VisualEditor1”,“Effect”: “Deny”,“Action”: “s3:*”,“Resource”: [“arn:aws:s3:::conf-*”,“arn:aws:s3:::conf-*/*”]}]}

Conclusion: We have identified two type of AWS policies, identity based and resource based and have gone through policy structure and permission evaluation sequences. Now you have some sample AWS policies also to run on your AWS infrastructure!

Tensult Blogs

Stories on Cloud computing, Analytics, Automation and Security, AWS

Girish V P

Written by

Tensult Blogs

Stories on Cloud computing, Analytics, Automation and Security, AWS

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade