Policies and Permissions
A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when a principal entity (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.
IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API. When you create an IAM user, you can choose to allow console or programmatic access.
Identity-based policies: Attached to an IAM identity (a user, a group the user belongs to, or a role) and grant permissions to that identity.
Resource-based policies: Attached to a resource and grant permissions to the principal named in the policy, which may be in another account. The most common examples are Amazon S3 bucket policies and IAM role trust policies (the trust policy controls who may assume the role).
Permissions boundaries: Define the maximum permissions that an identity-based policy can grant to a user or role. A boundary does not grant permissions on its own.
Organizations SCPs: Define the maximum permissions for the member accounts of an organization or organizational unit (OU). Like a boundary, an SCP does not grant permissions; it only limits what policies in the account can grant.
Access control lists (ACLs): Control which principals in other accounts can access the resource the ACL is attached to. They are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permission policies that grant permissions to the specified principal; they cannot grant permissions to entities within the same account.
Session policies: Passed when a session is created (for example as a parameter to AssumeRole) and limit the permissions that the role's or user's identity-based policies grant to that session. A session policy limits permissions for the session but does not grant any.
The AWS account root user is affected by some policy types but not others. You cannot attach identity-based policies to the root user, and you cannot set the permissions boundary for the root user. However, you can specify the root user as the principal in a resource-based policy or an ACL. As a member of an account, the root user is affected by any SCPs for the account.
Most policies are stored in AWS as JSON documents. Identity-based policies and policies used to set permissions boundaries are JSON policy documents that you attach to a user or role. Resource-based policies are JSON policy documents that you attach to a resource.
As illustrated in the following figure, a JSON policy document includes these elements:
- Optional policy-wide information at the top of the document (such as the Version element)
- One or more individual statements
Each statement includes information about a single permission. If a policy includes multiple statements, AWS applies a logical OR across the statements when evaluating them, and if multiple policies apply to a request, AWS applies a logical OR across all of those policies. That OR applies to Allow statements only: an explicit Deny in any applicable statement or policy overrides every Allow, and a request that no statement allows is implicitly denied.
If you want to define more than one permission for an entity (user, group, or role), you can use multiple statements in a single policy. You can also attach multiple policies. If you try to define multiple permissions in a single statement, your policy might not grant the access that you expect. As a best practice, break up policies by resource type.
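A small model of the evaluation rules above, added here as an example; it is not AWS code and not part of the original page. It reads policies as the JSON documents IAM stores, treats statements and identity-based policies as a logical OR for Allow, treats an explicit Deny anywhere as final, and applies a permissions boundary, an SCP and a session policy as limits that must also allow the request. Conditions, NotAction/NotResource and resource-based policies are left out, and every policy, ARN and the account ID 123456789012 below is constructed for the example.

```python
"""Model of the IAM policy evaluation described above (added example, not AWS code).
Assumes only identity-based, boundary, SCP and session policies; resource-based
policies, Condition, NotAction and NotResource are not modelled."""
import fnmatch
import json


def _as_list(value):
    """Action and Resource accept either a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (nothing matched) for one policy document.
    Allow statements are OR-ed; one matching Deny statement beats every Allow.
    Action names compare case-insensitively, resource ARNs case-sensitively."""
    decision = None
    for stmt in _as_list(policy.get("Statement")):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if not _matches(actions, action.lower()) or not _matches(resources, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None, scp=None, session_policy=None):
    """Combine the policy types the way the text describes: identity policies are
    OR-ed (one Allow suffices); boundary, SCP and session policy only limit, so each
    one present must also Allow; an explicit Deny in any of them denies outright."""
    identity_decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    limiting = [p for p in (boundary, scp, session_policy) if p is not None]
    limiting_decisions = [evaluate_policy(p, action, resource) for p in limiting]
    if "Deny" in identity_decisions or "Deny" in limiting_decisions:
        return False
    if "Allow" not in identity_decisions:
        return False  # implicit deny: no policy granted the permission
    return all(d == "Allow" for d in limiting_decisions)


# Constructed sample policies, in the JSON form IAM stores them.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:GetUser", "Resource": "*"}
  ]
}""")
PERMISSIONS_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
  ]
}""")
SESSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"}]
}""")


def demo():
    """Decisions for a few requests made with the sample policies above."""
    user = "arn:aws:iam::123456789012:user/alice"
    readme = "arn:aws:s3:::example-bucket/readme.txt"
    secret = "arn:aws:s3:::example-bucket/secrets/key"
    return {
        "get-object": is_allowed("s3:GetObject", readme, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY, SCP),
        "get-secret": is_allowed("s3:GetObject", secret, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY, SCP),  # SCP Deny wins
        "get-user": is_allowed("iam:GetUser", user, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY, SCP),  # boundary lacks iam:*
        "get-user-no-boundary": is_allowed("iam:GetUser", user, [IDENTITY_POLICY], None, SCP),
        "get-object-session": is_allowed("s3:GetObject", readme, [IDENTITY_POLICY], None, SCP, SESSION_POLICY),  # narrowed
        "put-object": is_allowed("s3:PutObject", readme, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY, SCP),  # never granted
    }
```

The get-user, get-object-session and get-secret cases in demo() show the point made above: the boundary, the SCP and the session policy never add a permission; each can only take away one that an identity-based policy granted, and a Deny in any of them is final. This model is for understanding the rules; it ignores conditions and resource-based policies, so use the IAM policy simulator to check a real account.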
Amazon Cognito user pool groups (these are user pool groups, not IAM groups; an IAM group carries policies, not a role) let you control access to your AWS resources by assigning an IAM role to the users within a group. When you create a group, you can specify the IAM role for its members by providing a role ARN for the group. The role's attached policies define the resources and actions that are allowed and denied for those users, and those permissions are tied to the temporary AWS credentials that an Amazon Cognito identity pool provides for authenticated users. Users in a group are automatically assigned the group's IAM role when the identity pool issues credentials using the Choose role from token option.
Individual users can be in multiple groups. As a developer, you have the following options for automatically choosing the IAM role when a user is in multiple groups:
- You can assign a precedence value to each group. The group with the better (lower) precedence value is chosen and its associated IAM role is applied.
- Your app can choose from among the roles available to the user when requesting AWS credentials through an identity pool, by passing a role ARN in the CustomRoleArn parameter of GetCredentialsForIdentity. The specified IAM role must be one of the roles available to the user.
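The two options above, worked through as an added example in Python; this is not code from Amazon Cognito or from this page. It models a user pool's groups, the precedence rule and the CustomRoleArn check; the group names, precedence values and role ARNs are constructed. The tie handling follows the Cognito documentation, which leaves the preferred role unset when the lowest-precedence groups name different roles; rejecting that case with an error instead of falling back is this example's own choice.

```python
"""Role resolution for a user who belongs to several Amazon Cognito user pool
groups (added example, not Cognito code). Group names, precedence values and
role ARNs below are constructed for the example."""

# Constructed group configuration: group name -> (precedence, role ARN).
# Lower precedence values rank higher; "editors" and "legacy" deliberately tie.
GROUPS = {
    "admins": (1, "arn:aws:iam::123456789012:role/cognito-admins"),
    "editors": (5, "arn:aws:iam::123456789012:role/cognito-editors"),
    "legacy": (5, "arn:aws:iam::123456789012:role/cognito-legacy"),
    "viewers": (10, "arn:aws:iam::123456789012:role/cognito-viewers"),
}


def available_roles(user_groups):
    """Every role ARN the user's groups grant (what the cognito:roles claim lists)."""
    return sorted({GROUPS[g][1] for g in user_groups if g in GROUPS})


def preferred_role(user_groups):
    """Role picked by "Choose role from token" (the cognito:preferred_role claim):
    the role of the group with the lowest precedence value. When groups tie at the
    lowest value and name different roles, Cognito leaves the claim unset, which
    is modelled here as None."""
    members = [GROUPS[g] for g in user_groups if g in GROUPS]
    if not members:
        return None
    lowest = min(precedence for precedence, _ in members)
    candidates = {arn for precedence, arn in members if precedence == lowest}
    return candidates.pop() if len(candidates) == 1 else None


def resolve_role(user_groups, custom_role_arn=None):
    """Role the app may request from GetCredentialsForIdentity.

    custom_role_arn models the CustomRoleArn parameter: it is honoured only when it
    is one of the roles the user's groups actually grant, so a client cannot name an
    arbitrary role ARN and expect credentials for it. Without it, the precedence
    rule decides; an ambiguous tie is rejected (the example's own choice) rather
    than silently resolved."""
    roles = available_roles(user_groups)
    if custom_role_arn is not None:
        if custom_role_arn not in roles:
            raise PermissionError(f"{custom_role_arn} is not available to this user")
        return custom_role_arn
    chosen = preferred_role(user_groups)
    if chosen is None:
        raise PermissionError("no unambiguous preferred role; request one via CustomRoleArn")
    return chosen
```

The check in resolve_role is the part worth copying: the role named by the client must come from the set the user's groups grant, never from the request alone.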
Recommended Readings For More Information:
Policies and Permissions: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html