In AWS, you can either attach a policy to a group, which is called a group policy, or attach a policy directly to an IAM user, which is called an inline policy. The group policy method is usually preferred because it lets admins manage and review user permissions easily. If required, multiple policies can be attached to a single user or group.
The AWS IAM console offers a large collection of ready-made policies, called AWS managed policies, that you can use according to your requirements. Often, however, you need to define permissions according to your own needs, and for that you have to create an IAM policy yourself.
An IAM policy is a JSON (JavaScript Object Notation) document that contains Version, Id and Statement elements. A statement in turn contains Sid, Effect, Principal, Action, Resource and Condition. These elements have the following roles in an IAM policy.
Version: Defines the version of the policy language you are using. It is effectively static; its current value is 2012-10-17.
Statement: The main body of a policy, defining which permission is allowed or denied, to which user, for which resource. A policy may include more than one statement.
Effect: Either Allow or Deny, stating whether the statement grants the access to the user or blocks it.
Principal: The users or roles to which the policy applies. It is not required in every case.
Action: Describes what is being allowed or denied to the user. The actions are pre-defined by AWS for each service.
Resource: The AWS service or resource to which the action applies. It is required in some policy types and optional in others.
Condition: Also optional. It defines the conditions under which the policy takes effect.
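The elements just listed, assembled into a complete customer managed policy and checked before it is handed to IAM. This is an added example, not code from the original article: the bucket name, the policy Id and the Sid values are constructed placeholders, and lint_identity_policy is a local sanity check, not an AWS API.

```python
"""Build and sanity-check a customer managed IAM policy document.

Added example, not code from the original article. Bucket name, Id and
Sid values below are constructed placeholders.
"""
import json
from typing import Any

POLICY_LANGUAGE_VERSION = "2012-10-17"  # current policy language version
EFFECTS = {"Allow", "Deny"}
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}


def build_read_only_bucket_policy(bucket: str) -> dict[str, Any]:
    """Identity-based policy: list one bucket and read its objects, only
    over TLS. Every element from the article's list is used except
    Principal, which identity-based policies do not carry."""
    return {
        "Version": POLICY_LANGUAGE_VERSION,
        "Id": "ExampleReadOnlyBucketAccess",          # placeholder
        "Statement": [
            {
                "Sid": "ListBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ReadObjectsOverTls",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # Condition: only honour the grant when the request uses TLS
                "Condition": {"Bool": {"aws:SecureTransport": "true"}},
            },
        ],
    }


def lint_identity_policy(doc: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the document is
    structurally sound. Besides the required elements, one hygiene rule
    is enforced: no Allow statement may grant every action on every
    resource."""
    problems: list[str] = []
    if doc.get("Version") != POLICY_LANGUAGE_VERSION:
        problems.append(f"Version must be {POLICY_LANGUAGE_VERSION!r}")
    statements = doc.get("Statement")
    if isinstance(statements, dict):          # a single statement is legal
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty object or list"]
    for i, st in enumerate(statements):
        label = st.get("Sid", f"statement #{i}")
        unknown = set(st) - STATEMENT_KEYS
        if unknown:
            problems.append(f"{label}: unknown element(s) {sorted(unknown)}")
        if st.get("Effect") not in EFFECTS:
            problems.append(f"{label}: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            problems.append(f"{label}: needs Action or NotAction")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"{label}: needs Resource or NotResource")
        if "Principal" in st:
            problems.append(f"{label}: Principal is not allowed in an "
                            "identity-based policy")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            problems.append(f"{label}: allows every action on every resource")
    return problems


def write_policy_file(doc: dict[str, Any], path: str = "policy.json") -> str:
    """Serialise the document the way the CLI expects it and return the path."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    return path


if __name__ == "__main__":
    policy = build_read_only_bucket_policy("example-reports-bucket")
    print("problems:", lint_identity_policy(policy) or "none")
    print("written to", write_policy_file(policy))
```

The file this writes is exactly what the CLI method later in the article consumes: aws iam create-policy --policy-name ReadOnlyExampleBucket --policy-document file://policy.json (the policy name is a placeholder). AWS also offers a server-side check of the same document through aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json, which catches more than the local lint above.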
Types of Policies
There are different types of policies we can create in AWS. They are all created the same way but differ in their use cases. These types are explained in the following section.
Identity Based Policies
Identity-based policies govern the permissions of IAM users in AWS accounts. They are further classified as managed policies, which are either AWS managed (ready to use without any changes) or customer managed (created by you to give a specific user precise control over a specific resource), and inline policies, which are attached directly to a single user or role.
Resource Based Policies
These are applied where you need to give permission to a specific AWS service or resource, for example if you want to give a user write access to an S3 bucket. They are a type of inline policy.
Permissions Boundaries
Permissions boundaries set the maximum level of permissions a user or group can get. They override identity-based policies: if a particular access is denied by a permissions boundary, granting that permission through an identity-based policy will not work.
Organizations Service Control Policies (SCPs)
AWS Organizations is a service used to manage all the accounts and permissions in your organization. Service control policies provide central control over the permissions available to all the accounts in your organization.
Access Control Lists (ACLs)
These are a specific type of policy used to grant another AWS account access to your AWS services. You cannot use them to give permissions to a principal in the same account; the principal or user must be from another AWS account.
Session Policies
These are used to give users temporary permissions for a limited amount of time. For this you need to create a session role and pass a session policy to it. The policies are usually inline or resource-based policies.
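How the Effect element, an identity-based policy and a permissions boundary combine at request time, as an added example that is not part of the original article. It is a toy evaluator, not the AWS decision engine: conditions are ignored, action names are matched with exact case, and only the same-account identity policy plus boundary case from the Permissions Boundaries section is modelled. The sample policies, bucket name and prefixes are constructed.

```python
"""Toy evaluation of identity-based policies plus a permissions boundary.

Added example, not code from the original article. Rules modelled:
an explicit Deny in any applicable policy wins; otherwise the identity
policies must Allow AND the boundary (if set) must Allow; anything else
is an implicit deny. Conditions are treated as satisfied.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _statement_matches(st, action, resource):
    """True when the statement covers this action/resource pair.
    IAM wildcards (* and ?) map directly onto fnmatch patterns."""
    return (any(fnmatchcase(action, pat) for pat in _as_list(st.get("Action")))
            and any(fnmatchcase(resource, pat)
                    for pat in _as_list(st.get("Resource"))))


def evaluate_policy(doc, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    statements = doc["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    result = "ImplicitDeny"
    for st in statements:
        if not _statement_matches(st, action, resource):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # explicit deny: nothing can override it
        result = "Allow"
    return result


def is_allowed(identity_policies, action, resource, boundary=None):
    """Combine identity-based policies with an optional permissions
    boundary: the boundary caps what the identity policies grant and
    never grants anything on its own."""
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    boundary_decision = None
    if boundary is not None:
        boundary_decision = evaluate_policy(boundary, action, resource)
    if "Deny" in decisions or boundary_decision == "Deny":
        return False
    identity_allows = "Allow" in decisions
    boundary_allows = boundary is None or boundary_decision == "Allow"
    return identity_allows and boundary_allows


# Constructed sample: a developer's identity policy grants full access to
# one bucket but explicitly denies anything under its prod/ prefix.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullBucketAccess", "Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-data",
                      "arn:aws:s3:::example-data/*"]},
        {"Sid": "NeverTouchProd", "Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-data/prod/*"},
    ],
}

# Constructed sample: an admin-set boundary capping everyone at read-only S3.
READ_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                  "Resource": "*"},
}

DEV_OBJECT = "arn:aws:s3:::example-data/dev/report.csv"
PROD_OBJECT = "arn:aws:s3:::example-data/prod/secret.csv"

if __name__ == "__main__":
    for action, res, boundary in [("s3:GetObject", DEV_OBJECT, None),
                                  ("s3:PutObject", DEV_OBJECT, None),
                                  ("s3:PutObject", DEV_OBJECT, READ_ONLY_BOUNDARY),
                                  ("s3:GetObject", PROD_OBJECT, READ_ONLY_BOUNDARY)]:
        print(action, res.rsplit("/", 1)[-1],
              "boundary" if boundary else "no boundary",
              "->", is_allowed([DEVELOPER_POLICY], action, res, boundary))
```

The last case is the one the article warns about: even though the identity policy and the boundary both allow s3:GetObject on the bucket, the explicit Deny on the prod/ prefix wins. The boundary-only case shows the other half of the rule, that a boundary by itself grants nothing.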
Methods for Creating IAM Policies
To create an IAM policy in AWS you can choose from one of the following methods:
- Using AWS Management Console
- Using CLI (Command Line Interface)
- Using AWS Policy Generator
In the following section we are going to explain each method in detail.
Creating IAM Policy Using AWS Management Console
Sign in to your AWS account and type IAM in the top search bar.
Select the IAM option from the search results; this will take you to your IAM dashboard.
From the left-hand menu, select Policies to create or manage the policies in your AWS account. Here you can look for AWS managed policies, or click Create Policy in the top right corner to create a new one.
On the create policy page you get two options: create the policy using the visual editor or write JSON defining the IAM policy. To use the visual editor, select the AWS service for which you want to create the policy, then select the actions you want to allow or deny. After that, select the resource to which this policy applies and, finally, optionally add a condition under which the policy is valid. Here you also set the effect, i.e., whether you want to allow or deny these permissions. This is the easy way to create a policy.
If you are comfortable writing scripts and JSON, you can write the policy yourself in proper JSON format. For this, select JSON at the top and write the policy directly; this needs a bit more practice and expertise.
Creating IAM Policy Using Command Line Interface (CLI)
Most professionals prefer the CLI over the management console. To create an IAM policy using the AWS CLI, you simply need to run the following command:
The output of this would be as follows:
You can also create the JSON file first and then run the following command to create the policy.
This is how you create IAM policies using the command line interface.
Creating IAM Policy Using AWS Policy Generator
This is a simple method of creating an IAM policy. It is similar to the visual editor in that you do not need to write the policy yourself: you define your requirements and the IAM policy is generated for you.
Open your browser and search for AWS Policy Generator.
First, select the policy type. In the next section, provide the JSON statement elements: effect, principal, AWS service, actions and resource ARN, and optionally the conditions. After that, click the Add Statement button.
Once you have added the statement, it appears in the section below. To create the policy, click Generate Policy and you will get your policy in JSON format.
Now simply copy this policy and attach it wherever you need it.
So, you have successfully created an IAM policy using AWS policy generator.
Conclusion
IAM policies are one of the most important parts of an AWS cloud setup. They govern the permissions of all users in the account, defining whether a member can access a certain resource or service. Policies are global, so you do not have to define a region. One should never take these policies for granted, as they are the core elements of security and privacy.