What are permissions and policies in IAM ?

  • The access management portion of AWS Identity and Access Management (IAM) helps you define what a user or other entity is allowed to do in an account, which is often referred to as authorization.

  • Permissions are granted through policies that are created and then attached to users, groups, or roles.

Policies and Users

  • By default, IAM users can't access anything in their accounts.

  • You grant permission to a user by creating a policy, which is a document that defines the effect, actions, resources, and optional conditions.

  • Any actions or resources that are not explicitly allowed are denied by default.

IAM Multiple Policies

  • Users or groups can have multiple policies attached to them, each granting different permissions.

  • When multiple policies are attached to a user (or a group), the user's effective permissions are calculated from the combination of all of those policies.

Federated Users and Roles

  • Federated users don't have permanent identities in your AWS account the way that IAM users do.

  • To assign permissions to federated users, you create an entity referred to as a 'role' and define the permissions for that role.

  • When a federated user signs in to AWS, the user is associated with the role and is granted the permissions defined in the role.

Resource-based policies

  • In some cases (such as an S3 bucket), you can attach a policy to the resource itself in addition to attaching policies to a group or user. This is called a resource-based policy.

  • A resource-based policy contains slightly different information than a user-based policy. In a resource-based policy, you specify what actions are permitted and what resource is affected.

  • You also explicitly list who is allowed to access the resource (the principal).

  • Resource-based policies therefore include a Principal element that specifies who is granted the permission.
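The evaluation rules described above (deny by default, permissions combined across several attached policies, and a resource-based policy that names its own Principal) can be exercised with a small simulator. This is an added example written for this post, not AWS code: the policies, the bucket name, the account ID and the user names are all constructed, and the evaluator also applies the rule that an explicit Deny overrides any Allow, which the post itself does not spell out.

```python
import fnmatch

# Constructed sample policies (same shape as real IAM policy JSON, but not real).
# Two identity-based policies attached to the same user: one grants read access,
# the other explicitly denies everything under the "secret/" prefix.
IDENTITY_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secret/*"}]},
]
# Resource-based (bucket) policy: note the Principal element naming who is allowed.
# "123456789012" is a placeholder account ID.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/public/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_ok(stmt, principal):
    """Identity-based statements have no Principal (it is implied by attachment)."""
    if "Principal" not in stmt:
        return True
    p = stmt["Principal"]
    allowed = ["*"] if p == "*" else _as_list(p.get("AWS", []))
    return "*" in allowed or principal in allowed


def _matches(stmt, action, resource, principal):
    """Statement applies if principal, action and resource all match (wildcards allowed)."""
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return _principal_ok(stmt, principal) and action_ok and resource_ok


def evaluate(action, resource, principal, identity_policies, resource_policy=None):
    """Simplified same-account evaluation: implicit deny unless some policy allows,
    and a matching explicit Deny in any policy wins over every Allow."""
    policies = list(identity_policies) + ([resource_policy] if resource_policy else [])
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource, principal):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision
```

Cross-account access, conditions and permission boundaries are deliberately left out; the point is to see how several attached policies and a resource-based policy combine into one decision.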
