What are IAM Policies in AWS

In the previous post we’ve already seen What is IAM, IAM Components, IAM Role vs User, How to create IAM User in AWS step by step, In this post we will be seeing What are IAM Policies in AWS.

Policy: Policy defines Authorization for Users and Roles. User/Roles creates Authentication whereas policy attached to user/role defines authorization. It defines the level of access you will be having inside AWS.

Policies are define in a JSON Document.

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.

Policies in AWS are of two types.

1. AWS Managed Policies: Generic policies which are created by Amazon are refereed as AWS managed policies.
2. Customer Managed Policies: Policies created by User is Customer Managed Policies.

On the left corner you can see Policy types.

Let us now see Sample Policy created by AWS, It has full access (Admin access).

Now let us try to understand each line.

1. Version: The Version policy element specifies the language syntax rules that are to be used to process a policy. To use all of the available policy features, include the following Version element before the Statement element in all of your policies.

"Version": "2012-10-17"

IAM supports the following Version element values:

• 2012-10-17. This is the current version of the policy language, and you should always include a Version element and set it to 2012-10-17. Otherwise, you cannot use features such as policy variables that were introduced with this version.
• 2008-10-17. This was an earlier version of the policy language. You might see this version on older existing policies. Do not use this version for any new policies or when you update any existing policies.

2. Statement: The Statement element can contain a single statement or an array of individual statements. Each individual statement block must be enclosed in curly braces { }. For multiple statements, the array must be enclosed in square brackets [ ].

"Statement": [{...},{...},{...}]

3. Effect: The Effect element is required and specifies whether the statement results in an allow or an explicit deny. Valid values for Effect are Allow and Deny.

"Effect":"Allow"

By default, access to resources is denied. To allow access to a resource, you must set the Effect element to Allow.

4. Action: The Action element describes the specific action or actions that will be allowed or denied. You specify a value using a service namespace as an action prefix (iam, ec2, sqs, sns, s3, etc.) followed by the name of the action to allow or deny.

Amazon EC2 action

"Action": "ec2:StartInstances"

You can use a wildcard (*) to give access to all the actions the specific AWS product offers. For example, the following Action element applies to all S3 actions.

"Action": "s3:*"

4. Resource: The Resource element specifies the object or objects that the statement covers.

Each service has its own set of resources. Although you always use an ARN to specify a resource, the details of the ARN for a resource depend on the service and the resource.

Some services do not let you specify actions for individual resources; instead, any actions that you list in the Action or NotAction element apply to all resources in that service. In these cases, you use the wildcard * in the Resource element.

The following example refers to the IAM user named Bob in an AWS account.

For more info refer this

"Resource": "arn:aws:iam::account-ID-without-hyphens:user/Bob"

So, this is What IAM Policies are in the next blog we will be seeing How to Write Custom IAM Policies.