CR

13_Authorizing Users

IAM Policies for Authorization

Introduction to IAM Policies

  • AWS Identity and Access Management (IAM) uses policies to authorize access to AWS resources.
  • A policy defines permissions, enabling fine-tuning of access granted to principals (users, groups, roles).
  • Policies can be:
    • Identity-based: Attached to a user, group, or role.
      • Specify what the identity is allowed to do.
    • Resource-based: Attached to an AWS resource (e.g., Amazon S3 bucket).
      • Define who can access the resource.

Policy Structure and Evaluation

  • IAM policies are formatted as JSON documents.
  • They define permissions that are either allowed or denied.
  • Policies are evaluated when a principal makes a request to AWS.

Evaluation Logic

  1. Explicit Deny: If any applicable policy has an explicit deny, the request is denied.
  2. Explicit Allow: If there's no explicit deny and there is an explicit allow, the permission is granted.
  3. Implicit Deny: If there's no explicit allow, the request is denied by default.
  • A user is permitted only if there is no explicit deny and there is an explicit allow.
  • The order of policy evaluation does not affect the outcome.
  • If policies contradict each other, the most restrictive policy is applied.

Examples of Identity-Based and Resource-Based Policies

  • Identity-Based Policies:
    • Carlos: Broad permissions to resource X.
    • Richard: Explicit allows to resources Y and Z.
    • Managers (IAM Group): Permissions to list items on resources X, Y, and Z.
  • Resource-Based Policies:
    • Attached to resource X and resource Y.
    • Grant specific users access to each resource.

Amazon S3 Policy Example

  • Amazon S3 supports both identity-based and resource-based policies.
  • Policies work together to protect access.

Scenario

  • IAM User: Bob
  • Identity-Based Policy (attached to Bob):
    • Allows: get, put, and list APIs for S3 bucket X.
  • Resource-Based Policy (for bucket X):
    • Allows: get and list
    • Does not allow: put
  • Outcome: Bob cannot put objects into bucket X, even though his identity-based policy allows it. The resource-based policy restricts his permissions.

Key Points to Remember

  • Policies define permissions.
  • Policies can be:
    • Identity-based (attached to an IAM identity)
    • Resource-based (attached to an AWS resource)
  • Permissions and policies are either allowed or denied.
  • By default, all requests are denied (implicit deny).
  • There must be an explicit allow for access to be granted.
  • An explicit deny overrides any explicit allow.