Preparing For AWS Solution Architect Certifications – IAM Policy explained
With IAM identity-based policies, you can specify allowed or denied actions. For some actions, you can specify the resources and conditions under which actions are allowed or denied. Amazon VPC supports specific actions, resources, and condition keys.
Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
The following is an example policy JSON document:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AllowRemoveMfaOnlyIfRecentMfa",
    "Effect": "Allow",
    "Action": [
      "iam:DeactivateMFADevice",
      "iam:DeleteVirtualMFADevice"
    ],
    "Resource": "arn:aws:iam::*:user/${aws:username}",
    "Condition": {
      "NumericLessThanEquals": {"aws:MultiFactorAuthAge": "3600"}
    }
  }
}
```
Sid and Effect
The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy.
The Effect element is required and specifies whether the statement results in an allow or an explicit deny. Valid values for Effect are Allow and Deny.
Actions
The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. Amazon VPC shares its API namespace with Amazon EC2. Policy actions in Amazon VPC use the following prefix before the action: ec2:. For example, to grant someone permission to create a VPC with the Amazon EC2 CreateVpc API operation, you include the ec2:CreateVpc action in their policy. Policy statements must include either an Action or NotAction element.
```json
"Action": [
  "ec2:action1",
  "ec2:action2"
]
```
You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word Describe, include the following action.
```json
"Action": "ec2:Describe*"
```
Resources
The Resource JSON policy element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. As a best practice, specify a resource using its Amazon Resource Name (ARN). For actions that don’t support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.
An example of a VPC resource:
```json
"Resource": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-1234567890abcdef0"
```
To specify all VPCs that belong to a specific account, use the wildcard (*):
```json
"Resource": "arn:aws:ec2:us-east-1:123456789012:vpc/*"
```
Many Amazon EC2 API actions involve multiple resources. To specify multiple resources in a single statement, separate the ARNs with commas.
```json
"Resource": [
  "resource1",
  "resource2"
]
```
Condition keys
The Condition element (or Condition block) lets you specify conditions in which a statement is in effect. The Condition element is optional. You can create conditional expressions that use condition operators, such as equals or less than, to match the condition in the policy with values in the request.
If you specify multiple Condition elements in a statement or multiple keys in a single Condition element, AWS evaluates them using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical OR operation. All of the conditions must be met before the statement’s permissions are granted. You can also use placeholder variables when you specify conditions.
AWS supports global condition keys and service-specific condition keys. Global condition keys are condition keys with an aws: prefix. AWS services can support global condition keys or provide service-specific keys that include their service prefix. For example, IAM condition keys include the iam: prefix. Further reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html (Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)
Source: https://docs.aws.amazon.com/vpc/latest/userguide/security_iam_service-with-iam.html
NotAction and NotResource
NotResource is an advanced policy element that explicitly matches every resource except those specified. Using NotResource can result in a shorter policy by listing only a few resources that should not match, rather than including a long list of resources that will match. This is particularly useful for policies that apply within a single AWS service.
NotAction is an advanced policy element that explicitly matches everything except the specified list of actions. Using NotAction can result in a shorter policy by listing only a few actions that should not match, rather than including a long list of actions that will match. When using NotAction, keep in mind that the actions specified in this element are the only actions that are limited; with an Allow effect, every other action is allowed.
Data Types
A policy variable is a feature that lets you specify placeholders in a policy. When the policy is evaluated, the policy variables are replaced with values that come from the context of the request itself.
You can tag IAM identities to simplify discovering, organizing, and tracking your IAM resources. You can also tag IAM identities to control access to resources or to tagging itself.
Policies contain keys whose values you can use as policy variables.
- aws:CurrentTime This can be used for conditions that check the date and time.
- aws:EpochTime This is the date in epoch or Unix time, for use with date/time conditions.
- aws:TokenIssueTime This is the date and time that temporary security credentials were issued and can be used with date/time conditions. Note: This key is only available in requests that are signed using temporary security credentials. For more information about temporary security credentials, see Temporary security credentials in IAM.
- aws:PrincipalType This value indicates whether the principal is an account, user, federated, or assumed role.
- aws:SecureTransport This is a Boolean value that represents whether the request was sent using SSL.
- aws:SourceIp This is the requester’s IP address, for use with IP address conditions. Refer to IP address condition operators for information about when SourceIp is valid and when you should use a VPC-specific key instead.
- aws:UserAgent This value is a string that contains information about the requester’s client application. This string is generated by the client and can be unreliable. You can only use this context key from the AWS CLI.
- aws:userid This value is the unique ID for the current user.
- aws:username This is a string containing the friendly name of the current IAM user; it is not populated for every principal type (see the table in the AWS policy variables reference).
- ec2:SourceInstanceARN This is the Amazon Resource Name (ARN) of the Amazon EC2 instance from which the request is made. This key is present only when the request comes from an Amazon EC2 instance using an IAM role associated with an EC2 instance profile.
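To make the evaluation rules above concrete (Effect, wildcard matching on actions and resources, NotAction/NotResource inversion, AND/OR condition semantics and ${aws:username} substitution), here is an added toy evaluator written for this page; it is a constructed illustration, not AWS's policy engine or the author's code. The two extra statements (Describe-only allow, TLS-only deny), the user names and the request-context values are assumptions.

```python
import re

# Added example (constructed, not the AWS engine): a toy evaluator for the IAM
# policy semantics this page describes, including NotAction and ${...} variables.
OPERATORS = {  # the two condition operators used below; AWS defines many more
    "Bool": lambda have, want: str(have).lower() == str(want).lower(),
    "NumericLessThanEquals": lambda have, want: float(have) <= float(want),
}
def as_list(value):
    return value if isinstance(value, list) else [value]
def substitute(text, ctx):  # ${aws:username} -> value taken from the request context
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), text)
def iam_match(pattern, value, ignore_case=False):  # IAM glob: '*' any run, '?' one char
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None
def condition_holds(cond, ctx):
    # Operators and keys are ANDed; several values for one key are ORed.
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            if key not in ctx or not any(
                    OPERATORS[op](ctx[key], substitute(str(w), ctx)) for w in as_list(wanted)):
                return False
    return True
def statement_applies(stmt, action, resource, ctx):
    # Action names match case-insensitively; Not* elements invert the match.
    act_hit = any(iam_match(a, action, True) for a in as_list(stmt.get("Action", stmt.get("NotAction"))))
    res_pats = [substitute(r, ctx) for r in as_list(stmt.get("Resource", stmt.get("NotResource")))]
    res_hit = any(iam_match(r, resource) for r in res_pats)
    if ("Action" in stmt) != act_hit or ("Resource" in stmt) != res_hit:
        return False
    return condition_holds(stmt.get("Condition", {}), ctx)
def evaluate(policy, action, resource, ctx):
    # An explicit Deny always wins; no matching Allow is an implicit deny.
    decision = "ImplicitDeny"
    for stmt in as_list(policy["Statement"]):
        if statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

# Constructed policy: the page's MFA statement, a Describe-only allow, and a TLS-only deny.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowRemoveMfaOnlyIfRecentMfa", "Effect": "Allow",
     "Action": ["iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}",
     "Condition": {"NumericLessThanEquals": {"aws:MultiFactorAuthAge": "3600"}}},
    {"Sid": "ReadOnlyEc2", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Sid": "DenyWritesOverPlainHttp", "Effect": "Deny", "NotAction": "ec2:Describe*",
     "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
```

Calling evaluate(POLICY, action, resource_arn, context) returns "Allow", "ExplicitDeny" or "ImplicitDeny", so you can see how the MFA-age condition, the ${aws:username} resource and the NotAction deny interact for different request contexts.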
Source and further reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
Other sources:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html