Understanding IAM Policies in AWS

In my previous post, we talked about Understanding Identity & Access Management and How to set up AWS Identity and Access Management (IAM). Diving further into IAM, in this post we look at the basics of an IAM policy.

A little recap: a policy is a JSON document that defines a set of permissions, and you attach it to a user, group or role. Only the access a policy explicitly allows is granted: anything not allowed is denied by default, and an explicit Deny overrides any Allow.

AWS provides both AWS managed policies and customer managed (custom) policies to suit your needs. AWS managed policies are written for broad use cases and often grant more than a single workload needs, so when they do not fit, you create your own custom policy.

Remember that, as good practice, you should grant only the access a workload actually requires (least privilege). In practice policies are often broader than that, and every extra permission is something an attacker who compromises the workload's credentials can use.

We will look at a demo EC2 example below where an application running on an EC2 instance needs to put and get files in an S3 bucket and publish its logs to CloudWatch Logs. The policy is attached to an IAM role that the instance assumes through its instance profile, so no long-lived access keys have to be stored on the instance. The custom policy document looks like this.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::myappbucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::myappbucket/*"
    }
  ]
}

Policy documents are formatted in JSON and should always declare the version: "2012-10-17" is the current policy language version, and leaving the element out falls back to the older 2008-10-17 version, which does not support features such as policy variables. A policy contains one or more statements. Each statement contains:

  1. Effect — Allow or Deny
  2. Action — the API calls (operations) the statement covers
  3. Resource — the ARNs of the resources the statement applies to
  4. Condition — optional; the circumstances under which the statement applies (for example a source IP range or a tag value)

The four statements in our custom policy do the following.

  1. The first statement grants only the CloudWatch Logs actions the application needs to write logs: create a log group, create a log stream, put log events and describe log streams. It does not grant logs:GetLogEvents, so the application cannot read logs back. This is the principle to apply to every statement: list the actions that are required and nothing more. Note that its Resource is arn:aws:logs:*:*:*, which is every log group in every region and account; scoping it to the application's own log group ARN would be tighter.
  2. The second statement allows listing all S3 buckets in the account (s3:ListAllMyBuckets). This is an account-level enumeration call, so its Resource is arn:aws:s3:::* rather than a specific bucket. It is not required for put or get on a bucket whose name the application already knows; it is included so that tooling which lists buckets before selecting one (the console, some SDK helpers) keeps working.
  3. The third statement allows s3:ListBucket and s3:GetBucketLocation on the bucket itself. These are bucket-level operations, so the Resource is the bucket ARN, arn:aws:s3:::myappbucket, with no trailing /*. A common mistake is to put object-level actions on the bucket ARN (or bucket-level actions on the object ARN) and then wonder why the request is denied.
  4. The last statement allows put and get on objects inside that one bucket, so the Resource is the object ARN pattern arn:aws:s3:::myappbucket/*. If an entity with this policy tries a GetObject on another S3 bucket, no statement matches and the request is implicitly denied.
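To see how these rules play out on the policy above, here is an added example in Python (not code from the original post): a deliberately small evaluator that applies the identity-policy decision order AWS documents (an explicit Deny in any matching statement wins, otherwise any Allow wins, otherwise the request is implicitly denied) with wildcard matching on Action and Resource. It goes beyond the post's policy by appending one Deny statement so the override is visible. The Deny statement, the request list, the placeholder account ID 123456789012 and the log group and stream names are constructed for this example; Conditions, NotAction/NotResource, resource-based policies, service control policies and permission boundaries are out of scope.

```python
# Added example: a minimal evaluator for identity-based IAM policies.
# Illustrative code only, not AWS's evaluation engine. It covers Allow/Deny,
# the '*' and '?' wildcards in Action and Resource, and explicit-deny-wins;
# it ignores Condition, NotAction/NotResource and any other policy types.
import fnmatch
import json

# The policy document from the post (copied here), plus one Deny statement
# constructed for this example to show that an explicit Deny overrides Allow.
POLICY_JSON = r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                "logs:PutLogEvents", "logs:DescribeLogStreams"],
     "Resource": ["arn:aws:logs:*:*:*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::myappbucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::myappbucket/*"},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::myappbucket/config/*"}
  ]
}
"""


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value, case_insensitive):
    """Wildcard match: '*' matches any run of characters (including ':' and '/'),
    '?' matches one. Action names are case-insensitive in IAM; ARNs are not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    """True when both the Action and the Resource of a statement cover the request."""
    action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
    resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Decision order for identity policies: any matching Deny wins outright;
    otherwise a matching Allow grants; otherwise the default is implicit deny.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


POLICY = json.loads(POLICY_JSON)

# Constructed sample requests. 123456789012 is the usual placeholder account ID.
LOG_STREAM_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:app:log-stream:i-0abc"
DEMO_REQUESTS = [
    ("s3:PutObject", "arn:aws:s3:::myappbucket/app.log"),        # Allow (statement 4)
    ("s3:GetObject", "arn:aws:s3:::otherbucket/app.log"),        # ImplicitDeny: other bucket
    ("s3:ListBucket", "arn:aws:s3:::myappbucket"),               # Allow (statement 3)
    ("s3:ListBucket", "arn:aws:s3:::myappbucket/app.log"),       # ImplicitDeny: object ARN, bucket action
    ("logs:PutLogEvents", LOG_STREAM_ARN),                       # Allow (statement 1)
    ("logs:GetLogEvents", LOG_STREAM_ARN),                       # ImplicitDeny: never granted
    ("s3:PutObject", "arn:aws:s3:::myappbucket/config/db.yaml"), # Deny: added Deny beats Allow
]


def evaluate_demo_requests():
    """Evaluate every constructed request; returns {(action, resource): decision}."""
    return {(a, r): evaluate(POLICY, a, r) for a, r in DEMO_REQUESTS}


if __name__ == "__main__":
    for (action, resource), decision in evaluate_demo_requests().items():
        print(f"{decision:13} {action:20} {resource}")
```

The fourth request is the one worth remembering: s3:ListBucket on arn:aws:s3:::myappbucket/app.log is implicitly denied even though both the action and the bucket appear in the policy, because the statement granting ListBucket names the bucket ARN and the statement naming the object ARN does not grant ListBucket. When a real request is denied unexpectedly, checking which resource form each statement uses is usually the first step; the IAM policy simulator does this same matching against the real policy set.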

Conclusion

This post covered the basic structure of an IAM policy and walked through a custom policy for a single workload. Writing policies statement by statement, with the narrowest Action and Resource that still let the application work, is what keeps a compromised instance or a leaked credential from turning into access to everything in the account.
