Understanding IAM Policies in AWS

In my previous posts, we talked about Understanding Identity & Access Management and How to set up AWS Identity and Access Management (IAM). Diving further into IAM, in this post we will look at the basics of an IAM policy.

A little recap: policies are sets of permissions that you attach to a user, group or role. Only the access explicitly stated in the policy is granted; everything else is denied by default.

AWS provides both AWS managed policies and customer managed (custom) policies to suit your needs. AWS managed policies have their limitations and may not fit every need, hence the need to create our own custom policy.

Remember that, as good practice, you should grant only the access to AWS resources that is actually required (least privilege), even though this is not always done in practice.

We will look at a demo EC2 example below, where we want the application running on the EC2 instance to be able to put and get files in an S3 bucket and publish its logs. The custom policy document looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::myappbucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::myappbucket/*"
    }
  ]
}

Policy documents are formatted in JSON and the version is always defined. The policy contains one or more statements. Each statement contains:

  1. Effect: Allow or Deny
  2. Action: the API operations the statement applies to (for example s3:GetObject)
  3. Resource: the ARN(s) of the resources the actions apply to

The four statements in our custom policy do the following.

  1. The first statement grants only the required CloudWatch Logs access. This is essential and should always be kept in mind when creating IAM policies. It allows creating log groups and log streams, putting log events and describing log streams; it does not allow reading (getting) log events.
  2. The second statement allows listing all the buckets in the account (s3:ListAllMyBuckets).
  3. The third statement allows listing the contents of myappbucket and getting its location; these are bucket-level actions, so the resource is the bucket ARN itself.
  4. The fourth statement allows putting and getting objects inside myappbucket; these are object-level actions, so the resource is the bucket ARN followed by /*.
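To see what the policy above does and does not grant, here is a small simplified evaluator, written for this post rather than taken from AWS, that applies the policy's statements the way the text describes: only access that is stated is allowed, and an explicit Deny wins. It embeds the post's policy as constructed input; Condition blocks, NotAction/NotResource, resource policies and SCPs are deliberately not modelled.

```python
import fnmatch
import json

# The post's custom policy, embedded so the example runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                "logs:PutLogEvents", "logs:DescribeLogStreams"],
     "Resource": ["arn:aws:logs:*:*:*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::myappbucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::myappbucket/*"}
  ]
}
""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # Action names are case-insensitive in IAM, so callers lower-case them;
    # ARNs are compared case-sensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation, enough to reason about the
    policy above: an explicit Deny always wins, otherwise some Allow must
    match, otherwise the request is implicitly denied. Condition blocks,
    NotAction/NotResource, resource policies and SCPs are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

For example, `is_allowed(POLICY, "s3:GetObject", "arn:aws:s3:::myappbucket/reports/2024.csv")` is true, while the same action on another bucket, or `logs:GetLogEvents` on any log stream, is denied because no statement grants it.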

Conclusion

We have just grasped the basics of IAM policies in this post, which should give you an idea of how much they can do to make your implementation safer and more stable.
