What are the basic IAM terms in AWS? (Part-2)

The remaining three terms are as follows:-

4. Authorization:-

To authorize the request, IAM uses values from the request context to look for matching policies and determine whether to allow or deny the request.

  • IAM policies are stored in IAM as JSON documents and specify the permissions that are allowed or denied.

  • User (identity)-based policies specify the permissions allowed or denied for principals.

  • Resource-based policies specify the permissions allowed or denied for resources; they are popular for granting cross-account permissions.

  • IAM checks each policy that matches the context of your request.

  • If a single policy includes a denied action, IAM denies the entire request and stops evaluating. This is called an explicit deny.

The evaluation logic follows these rules:-

  • By default, all requests are denied.

  • An explicit allow overrides this default.

  • An explicit deny overrides any allows.
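To make the three evaluation rules concrete, here is a small simulator of the default-deny / explicit-allow / explicit-deny logic over JSON policy documents. It is an added example, not code from the original post or from AWS; the two sample policies, the bucket name and the request ARNs are constructed, and the wildcard matching with `fnmatch` is only an approximation of IAM's own matcher (it ignores NotAction, conditions, and case-insensitive action names).

```python
import json
import fnmatch

# Constructed sample identity-based policy (not from the page): read access to one
# bucket, plus an explicit Deny on objects under the "secret/" prefix.
POLICIES = [
    json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/secret/*"}
      ]
    }"""),
]


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    # IAM Action and Resource fields accept "*" and "?" wildcards; fnmatch is an
    # approximation of that matching, not the service's own implementation.
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' following the rules from the text: default deny,
    an explicit Allow overrides the default, an explicit Deny overrides any Allow."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue  # statement does not match the request context
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: stop evaluating immediately
            allowed = True  # remember the explicit allow; keep looking for a deny
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/a.txt"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/key.pem"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-bucket/public/a.txt")]:
        print(f"{act:16} {res:48} -> {evaluate(POLICIES, act, res)}")
```

The second request is denied even though the Allow statement also matches it, and the third is denied because nothing allows it at all.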

5. Actions:-

Actions are defined by a service and are the things that you can do to a resource, such as viewing, creating, editing, and deleting that resource.

  • IAM supports approximately 40 actions for the user resource, including creating a user, deleting a user, and so on.

  • Any actions or resources that are not explicitly allowed are denied by default.

  • After your request has been authenticated and authorized, AWS approves the actions in your request.

6. Resource:-

  • A resource is an entity that exists within a service, e.g. an EC2 instance, an S3 bucket, an IAM user, or a DynamoDB table.

  • Each AWS service defines a set of actions that can be performed on each resource.

  • After AWS approves the actions in your request, those actions can be performed on the related resource within your account.

  • If you create a request to perform an unrelated action on a resource, that request is denied.

  • When you grant permissions using an identity-based policy in IAM, you grant access only to resources within the same account.

A few more points about IAM policies:-

You can create a new IAM policy in the AWS Management Console in one of the following ways:-

  • JSON:- You can write the policy document yourself in JSON syntax.

  • Visual Editor:- You can construct a new policy from scratch in the Visual Editor. If you use the Visual Editor, you don't need to understand JSON syntax.

  • Import:- You can import a managed policy within your account and then edit the policy to customize it to your specific requirement.
