AWS IAM Permission Policy
An AWS IAM Permission Policy is an access policy for an AWS resource.
- Context:
- It can (typically) be attached to an AWS IAM Role.
- It can be represented as a JSON Document.
- It can consist of one or more statements, each of which describes one set of permissions.
- It can (typically) specify AWS Policy Actions: What actions you will allow. Each AWS service has its own set of actions. For example, you might allow a user to use the Amazon S3 ListBucket action, which returns information about the items in a bucket. Any actions that you don't explicitly allow are denied.
- It can (typically) specify AWS Policy Resources: Which resources you allow the action on. For example, what specific Amazon S3 buckets will you allow the user to perform the ListBucket action on? Users cannot access any resources that you have not explicitly granted permissions to.
- It can (typically) specify AWS Policy Effects: What the effect will be when the user requests access — either allow or deny. The default is that resources are denied to users.
- Example(s):
- AmazonEC2FullAccess[1], for ec2 actions.
- AmazonS3FullAccess, for s3 actions.
- AmazonRoute53ReadOnlyAccess, for route53 actions.
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example_bucket"
    }
  }
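The evaluation rules the page describes (default deny, Allow statements ORed across statements and across policies, Statement/Action/Resource given as a string or a list) can be made concrete with a small evaluator. This is an added example, not code from the page or from AWS; the second policy, its wildcard patterns and the bucket paths are constructed, and the evaluator ignores Principal and Condition elements. It also applies the explicit-deny-wins rule of IAM's documented evaluation logic, which the page only alludes to.

```python
import fnmatch

# Constructed policies for illustration. The first mirrors the page's example
# (Statement as a single object); the second is made up to show a list of
# statements, wildcards, and an explicit Deny carving out a sensitive prefix.
POLICIES = [
    {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example_bucket"}},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*",
         "Resource": "arn:aws:s3:::example_bucket/*"},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example_bucket/secrets/*"}]},
]

def _as_list(value):
    """Statement, Action and Resource may each be a single string or a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    """IAM patterns use '*' (any run) and '?' (one char); fnmatch does the same.
    Simplification: real IAM matches action names case-insensitively."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Decide one request (action, resource) across all applicable policies.

    Any matching explicit Deny wins; otherwise Allows are ORed across all
    statements and policies; with no match at all the result is the
    implicit default deny. Principal and Condition are not modelled here.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # explicit deny: stop, nothing can override it
            allowed = True         # remember the Allow but keep looking for a Deny
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    for act, res in [("s3:ListBucket", "arn:aws:s3:::example_bucket"),
                     ("s3:GetObject", "arn:aws:s3:::example_bucket/public/a.txt"),
                     ("s3:GetObject", "arn:aws:s3:::example_bucket/secrets/key"),
                     ("s3:PutObject", "arn:aws:s3:::example_bucket/public/a.txt")]:
        print(f"{act:14} {res:48} -> {evaluate(POLICIES, act, res)}")
```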
- See: AWS IAM Role.
References
2017
- http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
- QUOTE: A policy is a document that formally states one or more permissions.
To assign permissions to a user, group, role, or resource, you create a policy, which is a document that explicitly lists permissions. In its most basic sense, a policy lets you specify the following:
- Actions: what actions you will allow. Each AWS service has its own set of actions. For example, you might allow a user to use the Amazon S3 ListBucket action, which returns information about the items in a bucket. Any actions that you don't explicitly allow are denied.
- Resources: which resources you allow the action on. For example, what specific Amazon S3 buckets will you allow the user to perform the ListBucket action on? Users cannot access any resources that you have not explicitly granted permissions to.
- Effect: what the effect will be when the user requests access — either allow or deny. Because the default is that resources are denied to users, you typically specify that you will allow users access to resource.
2017b
- …
- QUOTE: … Amazon Lex now supports IAM service-linked roles. Service-linked roles are a new type of role (still in preview) that makes it easier to grant AWS services, such as Amazon Lex, permissions to manage AWS resources on your behalf.
2016
- http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
- QUOTE: To assign permissions to a user, group, role, or resource, you create a policy, which is a document that explicitly lists permissions. In its most basic sense, a policy lets you specify the following:
- Actions: what actions you will allow. Each AWS service has its own set of actions. For example, you might allow a user to use the Amazon S3 ListBucket action, which returns information about the items in a bucket. Any actions that you don't explicitly allow are denied.
- Resources: which resources you allow the action on. For example, what specific Amazon S3 buckets will you allow the user to perform the ListBucket action on? Users cannot access any resources that you have not explicitly granted permissions to.
- Effect: what the effect will be when the user requests access — either allow or deny. Because the default is that resources are denied to users, you typically specify that you will allow users access to resource.
- … Policies are documents that are created using JSON. A policy consists of one or more statements, each of which describes one set of permissions.
- … IAM policies control access regardless of the interface. For example, you could provide a user with a password to access the AWS Management Console, and the policies for that user (or any groups the user belongs to) would control what the user can do in the AWS Management Console. Or, you could provide the user with AWS access keys for making API calls to AWS, and the policies would control what actions the user could call through a library or client that uses those access keys for authentication.
- … You can attach more than one policy to an entity. If you have multiple permissions to grant to an entity, you can put them in separate policies, or you can put them all in one policy.
- … Generally, each statement in a policy includes information about a single permission. If your policy includes multiple statements, a logical OR is applied across the statements at evaluation time. Similarly, if multiple policies are applicable to a request, a logical OR is applied across the policies at evaluation time.
- … Users often have multiple policies that apply to them (but aren't necessarily attached to them). For example, IAM user Bob could have policies attached to him, and other policies attached to the groups he's in. In addition, he might be accessing an Amazon S3 bucket that has its own bucket policy (resource-based policy). All applicable policies are evaluated and the result is always that access is either granted or denied. For more information about the evaluation logic we use, see IAM Policy Evaluation Logic.
- … Policies often include multiple statements, where each statement grants permissions to a different set of resources or grants permissions under a specific condition.