14_IAM Policy Contents Summary

IAM Policy Contents

IAM policies are stored in AWS as JSON documents.

Statement Elements

Each policy document has one or more statement elements. A statement element includes information about a single permission.

Key Components of a Statement
  • Effect: Allow or Deny

  • Principal: Defines who the permission applies to. For identity-based policies, the principal is implied as the identity the policy is attached to.

  • Action: Describes what is allowed or denied.

  • Resource: Describes which AWS resources the action applies to.

  • Condition: An optional way to provide additional context for granting or denying permissions (e.g., apply the permission only when a string value matches a specific username).

Examples

Resource-Based Policy
  • Part 1: Explicitly allows any DynamoDB or S3 action on a specific DynamoDB table and S3 bucket listed in the Resource element.

  • Part 2: Explicitly denies any DynamoDB or S3 action on all resources except those listed under NotResource.
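As an added illustration (not part of the original notes), the two-part resource-based policy above written out as the JSON document the notes describe, plus a simplified evaluator for IAM's decision rule: an explicit Deny overrides any Allow, and with no matching Allow the request is denied by default. The ARNs and account ID are constructed placeholders, and the matcher is a simplification of the real IAM engine (no Principal or Condition handling).

```python
import fnmatch

# Constructed sample: the two-part resource-based policy from the notes.
# ARNs and the account ID are placeholders, not real resources.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Part 1: allow any DynamoDB or S3 action on the two named resources
            "Effect": "Allow",
            "Action": ["dynamodb:*", "s3:*"],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable",
                "arn:aws:s3:::example-bucket",
            ],
        },
        {   # Part 2: deny those actions on every resource except the two above
            "Effect": "Deny",
            "Action": ["dynamodb:*", "s3:*"],
            "NotResource": [
                "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable",
                "arn:aws:s3:::example-bucket",
            ],
        },
    ],
}

def _matches(patterns, value):
    """Wildcard match for an Action/Resource element (one string or a list)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def statement_applies(stmt, action, resource):
    """True when the statement's Action and Resource/NotResource cover the request."""
    if not _matches(stmt["Action"], action):
        return False
    if "NotResource" in stmt:  # statement covers everything except the listed ARNs
        return not _matches(stmt["NotResource"], resource)
    return _matches(stmt["Resource"], resource)

def evaluate(policy, action, resource):
    """Simplified IAM decision: explicit Deny wins; else Allow if matched; else default Deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_applies(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"
```

Running `evaluate` on a request to a bucket that is not in the NotResource list returns "Deny" even though nothing explicitly denies that bucket by name, which is the point of Part 2.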

Identity-Based Policy
  • Attached to a user, group, or role.

  • Allows specific IAM actions on a specified username within an AWS account.

Cross-Account Resource-Based Policy
  • Created in account A.

  • Grants the principal (account number of account B) permission to perform any action on an S3 bucket in account A.

Key Points to Remember

  • IAM policies are stored as JSON documents.

  • They include one or more statements that each define a single permission.

  • Each statement describes effects, actions, and resources that together define a distinct permission.
