AWS IAM Fundamentals
In this chapter we will describe one of the most basic IAM policies possible. We will go line by line, describe what each line means, and point out the parts you should understand to grasp the fundamentals.
The simplest of policies
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAllActions",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [
                "arn:aws:s3:::bucketwithstuff",
                "arn:aws:s3:::bucketwithstuff/*"
            ]
        }
    ]
}
Here we have a very simple policy stating that you can access the bucket bucketwithstuff and perform all S3 actions on it. How do we know? Let's go line by line and unpack what each part of this JSON policy document does.
Version
"Version": "2012-10-17",
This line is very similar to how a REST API can be versioned, /v1/listposts vs. /v2/listposts. It tells AWS which version of the IAM policy language you are using. As of this writing (the year 2020), "2012-10-17" is the most recent version and you should simply always use it in all your policy documents.
Statement
"Statement": []
Each IAM policy is composed of a collection (an array) of Statements. Each statement is a set of permissions being granted or denied to whoever has this policy applied to them. You could break each statement out into an individual policy, apply that collection of policies instead, and the effect would be identical. Usually statements are grouped together so that a single policy expresses one complete purpose.
Statement ID
"Sid": "BucketAllActions"
As each policy can be composed of many statements, each individual statement must have a name that is unique within the policy. The name has no effect on the permissions; it is just an identifier, so that it is clear which statement in a policy is being referred to in access logs or when debugging.
Effect
"Effect": "Allow"
This line describes whether the policy Allows or Denies the actions being described. In the vast majority of cases you will only use Allow, because by default AWS denies access to anything not explicitly allowed. You will probably only use Deny in cases where you need an exception to a rule.
Actions
"Action": ["s3:*"]
This line tells us which actions this policy either allows or denies. The way to read s3:* is AWS Service : action. In this case the AWS service is S3 and the action is *, which means ALL available actions, including destructive operations like deleting the bucket. Normally, it's best practice (TODO link security) to explicitly grant each permission, but we are trying to keep it simple at first.
Resources
"Resource": []
Here we can see which AWS resources the combination of Effect and Action is allowed to operate on. What is listed in the policy (arn:aws:s3:::bucketwithstuff/*) is a shorthand version of arn:aws:s3:us-east-1:123456789012:bucketwithstuff/*. Let's break up each part briefly to understand what it means. If you don't know what an ARN is, our ARN basics article is a great start.
arn:aws:s3:us-east-1:123456789012:bucketwithstuff/*
Conditions
This simple policy doesn't have a "Condition": [] element, since it is optional, but conditions allow you to further limit the permissions you just granted.
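To see how Effect, Action and Resource combine under the rules described above (default deny, an explicit Deny always beating an Allow, wildcards in actions and ARNs), here is a small policy evaluator. It is an added example, not code from AWS or from this book: it takes the chapter's policy plus a hypothetical second statement that denies s3:DeleteBucket, and deliberately ignores Conditions, NotAction/NotResource and principals.

```python
import fnmatch
import json

# The chapter's policy, plus a constructed second statement showing how an
# explicit Deny carves an exception out of the broad "s3:*" grant.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BucketAllActions", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::bucketwithstuff",
                  "arn:aws:s3:::bucketwithstuff/*"]},
    {"Sid": "NoBucketDelete", "Effect": "Deny", "Action": "s3:DeleteBucket",
     "Resource": "arn:aws:s3:::bucketwithstuff"}
  ]
}""")

def _as_list(value):
    # "Action" and "Resource" may be written as one string or as an array.
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, candidate):
    # IAM wildcards: "*" matches any run of characters, "?" a single one.
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: nothing is allowed unless some statement
    allows it, and any matching Deny statement overrides every Allow.
    (Assumption: Conditions and Not* elements are not modelled.)"""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False      # explicit deny wins, stop immediately
        allowed = True        # remember the Allow, keep scanning for Denies
    return allowed
```

Run it against s3:DeleteBucket on the bucket ARN and the Deny statement blocks what "s3:*" would otherwise have granted; any action on another bucket is refused by default because no statement mentions it.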