Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we have discussed IAM users and also create our 1st IAM user.
In this blog post, we are going to discuss IAM Policies. We will also create our 1st IAM Policy and attach it to the user created in the previous blog post.
You can manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when a principal entity (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.
- Identity-based policies: Attach managed and inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
- Resource-based policies: Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Resource-based policies grant permissions to a principal entity that is specified in the policy. Principals can be in the same account as the resource or in other accounts.
- Permissions boundaries: Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.
- Organizations SCPs: Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
- Access control lists (ACLs): Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal entity. ACLs cannot grant permissions to entities within the same account.
- Session policies: Pass an advanced session policy when you use the AWS CLI or AWS API to assume a role or a federated user. Session policies limit the permissions that the role or user’s identity-based policies grant to the session. Session policies limit permissions for a created session, but do not grant permissions. For more information, see Session Policies.
Next, we are going to create a policy called EC2AdminPolicy and attach it to the user debjeet to grant him full access to EC2 service.
Step 1: Login to AWS console and navigate to ‘IAM’.
Step 2: Navigate to ‘Policies’ and click ‘Create policy’.
Step 3: Select service, actions, and resources, Click ‘Review policy’
Note: We are providing full access to EC2 service using this policy.
Step 4: Provide name and description to the policy and click ‘Create policy’.
Our IAM policy successfully created.
Next, we are going to attach this policy to the IAM user debjeet.
Step 5: Select the policy and from ‘Policy actions’ click ‘Attach’.
Step 6: Select the IAM user created in last blog post and click ‘Attach policy’.
You can check the access to EC2 service of the IAM user by login into the AWS console.
Login to AWS console using IAM user credential
Hope you have enjoyed this article. In this blog post, we have directly attached the policy to the user which is not the recommended way of managing IAM user access. Instead, we should have created a group with this policy and then include the user to that group. In the next blog post, we will create a group with this policy and include the user to that group.
To get more details on IAM, please refer below AWS documentation