How to Create an IAM Policy


Table of contents

  1. What is an IAM in AWS?

  2. What are IAM Policies?

  3. Types of IAM Policies

  4. Hands-On Lab Overview

  5. Hands-On

  6. References

What is an IAM in AWS?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

What are IAM Policies?

IAM (Identity and Access Management) policies in AWS are JSON documents that define permissions and access control rules. IAM policies determine what actions are allowed or denied on AWS resources and can be attached to users, groups, or roles.

IAM policies consist of one or more statements, where each statement includes:

  • Effect: Specifies whether the policy statement allows or denies access. It can be set to Allow or Deny.

  • Action: Defines the actions that are allowed or denied. Actions are AWS service-specific operations (e.g., s3:GetObject, ec2:RunInstances).

  • Resource: Specifies the AWS resources to which the policy applies. Resources can be specific ARNs (Amazon Resource Names) or wildcards to cover multiple resources.

  • Condition (optional): Provides additional conditions that must be met for the policy statement to be evaluated as Allow or Deny. Conditions can be based on factors such as time, IP address, or the presence of specific tags.

IAM policies are written in JSON format and can be as simple as a single statement or complex with multiple statements and conditions. By combining multiple policies, you can create granular access control and define fine-grained permissions for your AWS resources.

It's important to regularly review and update IAM policies to ensure that users, groups, and roles have the appropriate level of access to AWS resources while following the principle of least privilege.
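As an added example (not part of the original article), the following small Python model shows how the elements above combine when a request is evaluated: statements are matched on Action and Resource (with IAM's `*` and `?` wildcards), the Condition block is checked, an explicit Deny overrides any Allow, and anything unmatched is implicitly denied. The sample policy, bucket name and IP range are constructed for illustration, and the evaluator is a teaching aid rather than AWS's own engine.

```python
# Added example (not from the article): a local teaching model of how the
# policy elements above are evaluated. Not the real AWS policy engine.
import ipaddress
import re

def _match(pattern, value):
    # IAM-style wildcard: '*' matches any run of characters, '?' a single one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

_as_list = lambda v: v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    # Every operator/key pair must hold; a missing context key fails (simplified).
    for operator, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                nets = [ipaddress.ip_network(n) for n in _as_list(wanted)]
                inside = any(ipaddress.ip_address(actual) in n for n in nets)
                if inside != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True

def evaluate(policies, action, resource, ctx=None):
    ctx, allowed = ctx or {}, False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (any(_match(a, action) for a in _as_list(stmt["Action"]))
                    and any(_match(r, resource) for r in _as_list(stmt["Resource"]))
                    and _condition_holds(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny

# Constructed sample: read-only access to one bucket, plus a guardrail Deny for
# any S3 call not from 203.0.113.0/24 (a documentation range, not a real one).
SAMPLE_POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}]
```

Running `evaluate(SAMPLE_POLICIES, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", {"aws:SourceIp": "203.0.113.7"})` returns `"Allow"`, while the same call from `198.51.100.4` returns `"Deny"` because the guardrail statement wins.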

Types of IAM Policies

IAM (Identity and Access Management) policies in AWS can be categorized into three types based on how they are created and managed:

  1. AWS Managed Policies:

    • AWS provides a set of pre-defined policies known as AWS-managed policies.

    • These policies cover common use cases and best practices for accessing AWS services and resources.

    • AWS-managed policies are created and managed by AWS, and you can attach them to IAM users, groups, or roles in your account.

    • They are maintained and updated by AWS, ensuring you receive the latest policy improvements and new features.

    • Examples of AWS-managed policies include AmazonS3FullAccess, AmazonEC2FullAccess, and AdministratorAccess.

  2. Customer Managed Policies:

    • Customer-managed policies (also called custom policies) are standalone policies that can be created and managed separately from the IAM user, group, or role.

    • They are customer-managed and can be reused across multiple IAM users, groups, or roles within your AWS account.

    • Custom policies offer flexibility and can be associated with multiple entities.

    • They can be created, modified, and deleted independently from the entities they are attached to.

    • If you delete an IAM user, group, or role, any custom policies associated with them remain unaffected.

    • Custom policies are useful when you want to define consistent permissions across multiple entities or when you need more control and granularity in managing policies.

    • You can create and manage customer-managed policies using the AWS Management Console, AWS CLI, or AWS SDKs.

    • You have full control over the content and management of these policies.

    • This type of policy is useful when you need to define granular permissions for your resources that are not covered by AWS-managed policies.

  3. Inline Policies:

    • Inline policies are custom policies that are created and managed directly on individual IAM users, groups, or roles.

    • They are embedded within the entity (user, group, or role) and cannot be detached or reused.

    • Inline policies are managed and edited alongside the entity to which they are attached.

    • If you delete the IAM user, group, or role, the inline policy associated with it is also deleted.

    • Inline policies are useful when you want to grant specific and unique permissions to a particular entity.

    • Inline policies can be created and edited directly in the IAM console or through AWS CLI and SDKs.

    • They provide a way to define policies that are closely tied to a specific user, group, or role, but they are not reusable across multiple entities.

Both customer-managed policies and inline policies offer a higher level of customization compared to AWS-managed policies, allowing you to define precise permissions for your AWS resources. When choosing between customer-managed policies and inline policies, consider whether the policy is intended for reuse across multiple entities or if it is specific to a single entity.

By leveraging these different types of IAM policies, you can effectively manage and control access to your AWS resources, following the principle of least privilege and aligning with your organization's security requirements.

Hands-On Lab Overview

In this hands-on lab, we will attach policies to individual users and groups using the AWS Management Console.

Add policies via AWS Management Console

To attach a policy to an individual user or group in AWS IAM, follow these steps:

  • Sign in to the AWS Management Console (console.aws.amazon.com) using your AWS account credentials.

  • Search for "IAM" in the AWS Management Console search bar and open the IAM service.

  • In the IAM console, click on either "Users" or "Groups" in the left-hand navigation pane.

  • Locate the specific user or group to which you want to attach the policy and click on its name to access its details page.

  • To attach policies to an individual user, click on the "Permissions" tab on the user's details page.

  • In the "Permissions" tab, click on the "Add permissions" dropdown button. You will see two options: "Add permissions" and "Create inline policy".

  • Click on the "Add permissions" option. You can either "Attach policies directly" or "Add user to group", in which case the user inherits the policies attached to the group.

  • When you attach policies directly, a dialog box lists all the available policies (AWS-managed and customer-managed); use the search bar to find the specific policy you want, select it, and confirm.

  • Review and validate:

    • Once policies are attached, review the user or group's permissions and ensure they align with the desired access requirements.

    • Validate the attached policies by testing the user or group's access to the intended AWS resources.

References

  1. What is IAM

  2. What are AWS-managed policies?