In this article, we will learn about identity and access management (IAM) policies in Amazon Web Services. IAM in AWS is a free service that allows the owner of an AWS account, known as the root user, to grant other users and services access to the account's resources on his behalf. The policies in IAM give the admin fine-grained control over the account's resources. They call for the admin to implement the principle of least privilege, to maintain the security and privacy of the account and to avoid any unintended bills.
Each organization has a single root account. All other users are given access only to what they need to perform their day-to-day job. This is the principle of least privilege. For example: you are an employee in an office. You can enter the office with your ID card, but the building does not belong to you; it is the property of the company. Also, you do not have access to all the rooms in your office. You can only enter those parts of the building that you are authorized to access.
IAM Policies in Amazon Web Services
An IAM policy is a JSON document that specifies permissions. Policies can be reused with different services in AWS, and the same policy can be assigned to different people and teams. Policies are of two types in AWS:
- AWS managed policies – These are the policies provided by default in AWS. They cover the commonly used services and the read and write permissions associated with them.
- Customer-managed policies – When a user needs a policy that meets their specific needs and use cases, they can build their own custom policies.
IAM Policy Structure
To fully understand the structure of an IAM policy, let us look at the default template provided by AWS and go through its fields one by one.
- Version-ID: A compulsory field in a policy that is used to uniquely identify a JSON policy.
- Statement: Defines the permission for a single resource.
- Sid: Short for statement ID; a unique identifier for a statement.
- Effect: Defines whether the statement allows or denies access to a resource.
- Action: States which actions of which service the statement covers.
- Resource: The list of resources that are affected by the policy.
For example, below is the policy for the Auto Scaling service that allows read permission on all resources:
Now, if you attach this IAM policy to an Auto Scaling Group (ASG) service that you provision, that particular ASG instance will have read permission on all resources.
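As an added example (not the article's own document), the following Python checks a policy document against the fields described above and flags the least-privilege problems an admin would want to catch before attaching the policy. Both policy documents are constructed for this illustration; the read-only Auto Scaling policy assumes the `autoscaling:Describe*` action pattern.

```python
import json

# Constructed example (not the article's own document): a customer-managed
# policy granting read-only Auto Scaling access on all resources.
AUTOSCALING_READ_ONLY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AutoScalingReadOnly",
    "Effect": "Allow",
    "Action": ["autoscaling:Describe*"],
    "Resource": "*"
  }]
}"""

# Constructed counter-example that breaks least privilege: every action on
# every resource, and no Sid to identify the statement.
ADMIN_LIKE = """{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}
}"""

REQUIRED_FIELDS = ("Effect", "Action", "Resource")
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def as_list(value):
    """Statement, Action and Resource may each be a single value or a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for 'service:Describe*'-style actions, which cannot change state."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def check_policy(document):
    """Parse a JSON policy and return a list of findings (empty means clean)."""
    policy = json.loads(document)
    findings = []
    if "Version" not in policy:
        findings.append("policy: missing Version")
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        findings += [f"{sid}: missing {f}" for f in REQUIRED_FIELDS if f not in stmt]
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access, so they never widen it
        actions = as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: Action grants every operation ({actions})")
        if "*" in as_list(stmt.get("Resource", [])) and not all(map(is_read_only, actions)):
            findings.append(f"{sid}: write actions allowed on every resource")
    return findings
```

Run `check_policy(ADMIN_LIKE)` to see the two findings the admin-like policy produces; the read-only policy returns an empty list because `Resource: "*"` is acceptable when only Describe actions are allowed.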
Create a new policy or use an existing one.
Step 1: Open the AWS Management Console.
Step 2: Search for IAM in the search bar and click the IAM icon.
Step 3: Navigate to the Policies section.
Step 4: Choose the policy you want to use.
Step 5: If there isn't a suitable policy, create one according to your needs by clicking the 'Create Policy' button.
The following is the first step in creating a policy, in which you specify permissions. Choose the 'JSON' button in the navigation bar and the services that you want to create a policy for. Next, list the actions you want to add to this policy. After successfully creating the policies, click the 'NEXT' button.
Next, you can 'Review and Create' the policy.
Hence we have successfully managed to create a policy.
Conclusion
Thus, in the above article, we have seen why policies are needed and their importance. Next, we looked at the definition of policies, their types and structure. Then we looked at how to create a new policy or use an existing one. Though you can use one policy for all your needs, it is generally considered best practice to create different policies for SDK access, users, groups and services. Appropriate naming conventions are also very important to help distinguish one policy from another. This way, you can effectively see who has access to what, which is the real purpose of policies, and take away any permission that someone no longer needs.
AWS IAM Policy – FAQs
I Want To Assign My Policy To a Service. What Should I Do?
To enable services to perform actions on your behalf, you must create roles and assign policies to those roles. For more information on how to create and assign roles in AWS, visit this page.
What Options Do I Have to Create a Policy In AWS?
AWS offers three ways to create customer-managed policies: the AWS Management Console, the AWS CLI and the AWS SDK.
How Do I Know if My Policy Is Valid and Follows the Principle of Least Privilege?
AWS provides built-in syntax checks for JSON policies; you will not be able to create a policy with invalid syntax at all. As for the principle of least privilege, you can make use of AWS Access Analyzer, which charges a small fee to validate your policies.
How Can I View Logs to See Which User or Service Sent an API Call From My Root Account Through Their User Account?
To view which APIs were accessed and who accessed them, you can make use of a service called AWS CloudTrail, which logs all authenticated API calls to IAM.
Can I Share My Account Resources With Another Account in AWS?
AWS allows you to grant cross-account resource access for some resources using IAM. To do so, you can create policies and attach them directly to the resources that you intend to share. Make sure you trust the party that you grant permission to access your resources.