IAM - Policies

AWS Policies

An AWS IAM policy is a JSON document that defines permissions: which actions a principal may perform on which resources. Every request to an AWS service is evaluated against the policies that apply to the caller and to the resource, so policies are the primary control over who can do what with your AWS resources.

There are two types of policies:

  • Resource-based policies are attached to a resource itself (for example an S3 bucket policy or a KMS key policy) and must name the Principal they apply to. Only some services support them.
  • Identity-based policies are attached to IAM users, groups and roles, and apply to whatever that identity does.

Example Policy for Full Access to S3

Let's suppose we want to provide full access to the S3 resource. Here's an example policy:
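The full-access policy described by the bullet points below, written out as a JSON document (an added example; the Version value is the current policy-language version and is not something the post states):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```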




  • Version: The version of the policy language. Use "2012-10-17"; if the element is omitted the older 2008-10-17 grammar applies, in which policy variables such as ${aws:username} are treated as literal text rather than substituted.
  • Statement: The core of the policy. It holds a single statement or an array of statements, and each statement includes:
    • Effect: Either Allow or Deny. Everything is denied by default, and an explicit Deny always overrides an Allow, whichever policy it appears in.
    • Action: The API actions the statement covers. The s3:* wildcard means every Amazon S3 action: creating, listing and deleting buckets, uploading and downloading objects, changing bucket policies and ACLs, and so on.
    • Resource: The resources the actions apply to, written as ARNs. The * wildcard means every resource; for S3 that is every bucket and every object in the account. s3:* on * is essentially what the AWS-managed AmazonS3FullAccess policy grants, so reserve it for throwaway test identities and scope real policies to specific bucket and object ARNs.

Managed vs Inline Policies

Managed Policies:

  • Managed policies are standalone policy objects that can be attached to many users, groups and roles. They come in two kinds: AWS-managed and customer-managed.
  • AWS-managed policies are created and maintained by AWS and track new service features automatically. They are a good starting point if you are not yet comfortable writing your own, but most of them are broader than any single workload needs.
  • Customer-managed policies are created and maintained by you. They support versioning, can be reused across identities, and are the better default for anything that will outlive a test.

Inline Policies:

  • Inline policies are embedded directly in a single user, group or role and are deleted with it.
  • They suit a strict one-to-one relationship between a policy and an identity, where the permission set must never be attached to anything else.
  • Because they cannot be reused, versioned or reviewed from the central policy list, they are harder to audit and maintain, and are less widely used than managed policies.

Creating an Inline Policy for a Test User

Let's create an inline policy for our test user:

  1. Navigate to IAM Users:

    • In the IAM Users section, click on the user you want to create the policy for.
    • Click the "Add permissions" drop-down button and select the "Create Inline Policy" option.


  2. Select Service:

    • On the service selection page, choose the service you want to limit or extend access to.


  3. Specify Actions:

    • Specify which actions to allow or deny. The console groups actions by access level (List, Read, Write, Permissions management, Tagging). For example, to let the user download objects from an S3 bucket, check "GetObject" under Read rather than ticking the whole Read group.


  4. Specify Resources:

    • In the Resources section, specify which resources these permissions apply to.
    • You need to use the Amazon Resource Name (ARN) to specify the resource. For instance, if you created an S3 bucket and want to give your test user access to it alone, do not select "Any in this account"; add the ARN of that bucket instead, so the user has rights only to that specific bucket. Note that S3 actions are either bucket-level or object-level: s3:ListBucket needs the bucket ARN (arn:aws:s3:::bucket-name), while s3:GetObject needs the object ARN pattern (arn:aws:s3:::bucket-name/*). Granting GetObject on the bare bucket ARN matches no object and allows nothing.




  5. Click "Next", review the generated JSON, give the policy a name, and click "Create policy". The inline policy is now defined for the test user.
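To make the policy structure and the console procedure concrete, here is an added Python example (not code from the original post) that builds the scoped inline policy from steps 2 to 4 as a document and evaluates both it and the full-access policy with a simplified version of IAM's decision logic: default deny, explicit Deny wins. The bucket name and object keys are constructed for the example; Condition, NotAction/NotResource, resource-based policies, permissions boundaries and SCPs are deliberately out of scope and the evaluator refuses statements that use them.

```python
import fnmatch

# Constructed bucket name used throughout this example; it is not from the original post.
TEST_BUCKET = "example-test-bucket"

# The full-access policy described in the post: every S3 action on every resource.
FULL_S3_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def build_scoped_policy(bucket: str) -> dict:
    """Inline policy equivalent to console steps 2-4: read-only access to one bucket.

    s3:GetObject is an object-level action, so its Resource must be the object ARN
    pattern (bucket/*); s3:ListBucket is bucket-level and takes the bare bucket ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOneBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ReadObjectsInOneBucket",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM wildcard match: '*' is any sequence of characters, '?' is one character.

    Action names are case-insensitive; ARNs are compared as written.
    """
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-based policy evaluation.

    Requests are denied unless some statement allows them, and an explicit Deny
    overrides any Allow. Statement elements this toy evaluator does not model are
    rejected rather than silently ignored, so it never over-reports access.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        unsupported = {"Condition", "NotAction", "NotResource"} & set(stmt)
        if unsupported:
            raise ValueError(f"unsupported statement elements: {sorted(unsupported)}")
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny wins regardless of other statements
        allowed = True
    return allowed


if __name__ == "__main__":
    scoped = build_scoped_policy(TEST_BUCKET)
    obj = f"arn:aws:s3:::{TEST_BUCKET}/reports/q1.csv"          # constructed object ARN
    other = "arn:aws:s3:::other-bucket/reports/q1.csv"           # constructed object ARN
    print("full access, DeleteBucket anywhere:",
          is_allowed(FULL_S3_ACCESS, "s3:DeleteBucket", "arn:aws:s3:::other-bucket"))
    print("scoped, GetObject in our bucket:   ", is_allowed(scoped, "s3:GetObject", obj))
    print("scoped, GetObject in other bucket: ", is_allowed(scoped, "s3:GetObject", other))
    print("scoped, PutObject in our bucket:   ", is_allowed(scoped, "s3:PutObject", obj))
    print("scoped, GetObject on bucket ARN:   ",
          is_allowed(scoped, "s3:GetObject", f"arn:aws:s3:::{TEST_BUCKET}"))
```

The last line of the usage section is the trap from step 4: GetObject against the bare bucket ARN evaluates to false, which is exactly what happens in IAM if the object ARN pattern is left out. To attach the generated document to a real user instead of the console, write it to a file and run `aws iam put-user-policy --user-name <user> --policy-name <name> --policy-document file://policy.json`. For anything you expect to reuse, check the result against the IAM policy simulator rather than trusting a simplified evaluator like this one.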
