Pablo Rodriguez

IAM Policy Parts

JSON Document Structure

“IAM policies are stored in AWS as JSON documents. Each statement includes information about a single permission.” If a policy includes multiple statements, AWS applies a logical OR across the statements when evaluating them.

Policy elements and what each carries:

  • Version: Version of the policy language that you want to use
  • Statement: Defines what is allowed or denied based on conditions
  • Effect: Allow or Deny
  • Principal: For a resource-based policy, the account, user, role, or federated user to allow or deny access to. For an identity-based policy, the principal is implied as the user or role that the policy is attached to
  • Action: Action that is allowed or denied (Example: “s3:GetObject”)
  • Resource: Resource or resources that the action applies to (Example: “arn:aws:sqs:us-west-2:123456789012:queue1”)
  • Condition: Conditions that must be met for the rule to apply (optional)
resource-based-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:*", "s3:*"],
      "Resource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/course-notes",
        "arn:aws:s3:::course-notes-web",
        "arn:aws:s3:::course-notes-mp3/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:*", "s3:*"],
      "NotResource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/course-notes",
        "arn:aws:s3:::course-notes-web",
        "arn:aws:s3:::course-notes-mp3/*"
      ]
    }
  ]
}

First Statement: “Explicitly allow any (*) DynamoDB or S3 action on the DynamoDB table course-notes, the S3 bucket course-notes-web and any object in the S3 bucket course-notes-mp3.”

Second Statement: “Deny any (*) DynamoDB or S3 action on tables or S3 buckets except for those listed under NotResource.”

The policy uses explicit allow and explicit deny to limit access within an AWS account. “An explicit deny statement takes precedence over an allow statement.”

identity-based-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": [
        "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
      ]
    }
  ]
}

Action Element: Lists all the actions that are allowed by the Effect: Allow

Resource Element: Lists the AWS resources that the allowed actions can be performed on

If attached to an IAM user, this policy allows the user to:

  • Create, delete, get, or update their own password using IAM LoginProfile actions
  • Create, delete, list, or update their own access key using IAM AccessKey actions
  • Create, delete, get, list, or update their own SSH keys using IAM SSHPublicKey actions

“The actions in the policy include wildcards, which are indicated with an asterisk (*). This format provides a convenient way to include a set of related actions.”

Cross-Account Resource-Based Policy Example

cross-account-policy.json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AccountBAccess1",
    "Principal": {"AWS": "111122223333"},
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
      "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    ]
  }
}

Policy Purpose: “Allow account B to take any S3 action on the DOC-EXAMPLE-BUCKET”

Created by Account A, this policy:

  • Grants Account B (111122223333) access to perform any Amazon S3 API operation on the specified S3 bucket
  • Doesn’t specify any IAM users, groups, or roles - instead specifies the entire account
  • Requires Account B to create an IAM user policy to allow specific users in Account B to access Account A’s bucket

readonly-iam-policy.json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:Get*",
      "iam:List*"
    ],
    "Resource": "*"
  }
}

Analysis Questions & Answers:

  1. Which AWS service does this policy grant access to? The IAM service
  2. Does the policy allow creating IAM users, groups, policies, or roles? No. Access is limited to get and list requests - effectively read-only permissions
  3. What specific actions does iam:Get* allow? Actions such as GetGroup, GetPolicy, and GetRole

Policy Analysis 2: Conditional EC2 Termination

conditional-ec2-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.0/24"
          ]
        }
      },
      "Resource": "*"
    }
  ]
}

Analysis Questions & Answers:

  1. Can the user terminate any EC2 instance at any time without conditions? No. The policy allows the action but applies a condition
  2. Can the user terminate an EC2 instance from anywhere? No. The call must come from one of the two specified IP address ranges
  3. If the user’s IP address is 192.0.2.243, could they terminate an EC2 instance? Yes, because 192.0.2.0/24 includes addresses 192.0.2.0 through 192.0.2.255

Policy Analysis 3: Instance Type Restrictions

instance-type-restriction.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t2.micro",
            "t2.small"
          ]
        }
      },
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Effect": "Deny"
    }
  ]
}

Analysis Questions & Answers:

  1. What actions does the policy allow? It doesn’t allow any actions - the effect is to deny
  2. If the policy included {"Effect": "Allow", "Action": "ec2:*"}, what would be the impact? The policy would allow full access to Amazon EC2, but would only allow launching or starting EC2 instances of type t2.micro or t2.small
  3. Would the user be able to terminate an m3.xlarge instance? Yes. The policy would only deny running or starting instances that are NOT t2.micro or t2.small
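
The evaluation rules these notes rely on (statements are OR-ed, an explicit deny beats any allow, wildcards in Action, Resource versus NotResource, policy variables, and the NotIpAddress and StringNotEquals conditions) can be checked mechanically. The script below is an added example, written for these notes; it is not the page's own code and not AWS's policy engine. It evaluates one policy at a time, supports only the elements and condition operators that appear on this page (no Principal, NotAction, SCPs, permission boundaries or session policies), and treats a missing context key as a non-match. The request context values (user name alice, source IPs, instance types) are constructed for the walkthrough; the policies are the ones shown above, with the Allow "ec2:*" statement from question 2 added to the instance-type policy.

```python
"""Toy IAM policy evaluator for the policies on this page (added example, not AWS's engine).
Rules: statements are OR-ed, an explicit Deny wins over any Allow, and no match is an
implicit deny.  Wildcards are '*' (any run) and '?' (one character)."""
import fnmatch
import ipaddress


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _match(pattern, value, case_sensitive):
    # Action names are compared case-insensitively; ARNs are compared as written.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _expand(value, ctx):
    # Policy variables such as ${aws:username} are filled from the request context.
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", str(val))
    return value


def _condition_holds(condition, ctx):
    # Every operator/key pair must hold (AND); the values listed for a key are OR-ed.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator in ("StringEquals", "StringNotEquals"):
                hit = actual in expected
            elif operator in ("IpAddress", "NotIpAddress"):
                hit = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in expected)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            # Negated operators hold when the request value does NOT match.
            if hit == operator.startswith(("StringNot", "NotIp")):
                return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    ctx = ctx or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(p, action, False) for p in _as_list(stmt.get("Action"))):
            continue
        # Resource lists what the statement covers; NotResource covers everything else.
        if "Resource" in stmt:
            covered = any(_match(_expand(p, ctx), resource, True) for p in _as_list(stmt["Resource"]))
        else:
            covered = not any(_match(_expand(p, ctx), resource, True) for p in _as_list(stmt.get("NotResource")))
        if not covered or not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # an explicit deny takes precedence: stop immediately
        allowed = True         # remember the allow, but keep scanning for a deny
    return "Allow" if allowed else "ImplicitDeny"


# The page's policies, with the account placeholders kept as the page writes them.
COURSE_NOTES_ARNS = ["arn:aws:dynamodb:region:account-number-without-hyphens:table/course-notes",
                     "arn:aws:s3:::course-notes-web", "arn:aws:s3:::course-notes-mp3/*"]
RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*"], "Resource": COURSE_NOTES_ARNS},
    {"Effect": "Deny", "Action": ["dynamodb:*", "s3:*"], "NotResource": COURSE_NOTES_ARNS}]}
SELF_SERVICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*"],
     "Resource": ["arn:aws:iam::account-id-without-hyphens:user/${aws:username}"]}]}
TERMINATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}}]}
# Instance-type policy plus the Allow "ec2:*" statement proposed in question 2 above.
INSTANCE_TYPE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:RunInstances", "ec2:StartInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}}}]}

if __name__ == "__main__":
    # Constructed requests that mirror the analysis questions on the page.
    checks = [
        (RESOURCE_POLICY, "s3:GetObject", "arn:aws:s3:::course-notes-mp3/week1.mp3", {}),
        (RESOURCE_POLICY, "s3:GetObject", "arn:aws:s3:::some-other-bucket/x", {}),
        (SELF_SERVICE_POLICY, "iam:CreateAccessKey",
         "arn:aws:iam::account-id-without-hyphens:user/alice", {"aws:username": "alice"}),
        (TERMINATE_POLICY, "ec2:TerminateInstances", "*", {"aws:SourceIp": "192.0.2.243"}),
        (TERMINATE_POLICY, "ec2:TerminateInstances", "*", {"aws:SourceIp": "198.51.100.7"}),
        (INSTANCE_TYPE_POLICY, "ec2:RunInstances",
         "arn:aws:ec2:us-west-2:111122223333:instance/*", {"ec2:InstanceType": "m3.xlarge"}),
    ]
    for policy, action, resource, ctx in checks:
        print(f"{action:24} {resource[:48]:48} {ctx} -> {evaluate(policy, action, resource, ctx)}")
```

Because the evaluator stops at the first matching Deny but keeps scanning after an Allow, it reproduces the page's answers: a request from 192.0.2.243 is allowed while one from outside both ranges is explicitly denied, and with the extra Allow "ec2:*" statement an m3.xlarge instance can be terminated but not launched. Swapping the order of the statements in any of the policies does not change a result, which is the practical meaning of "deny takes precedence".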

Understanding IAM policy structure and elements is essential for creating effective access controls that follow security best practices while enabling users and applications to perform their required tasks within AWS environments.