IAM Policy Components

Overview

An IAM policy in AWS is a JSON document that defines permissions by specifying what actions are allowed or denied on which resources and under what conditions. Below, we’ll walk through the core elements of an IAM policy and provide practical examples to help you understand its structure.

Components of an IAM Policy

  1. Version

  2. Statement

  3. Effect

  4. Action

  5. Resource

  6. Condition (Optional)

1. Version

  • This indicates the policy language version. Always use the latest version, "2012-10-17".

  • Example:

    "Version": "2012-10-17"

2. Statement

  • The Statement element contains the main building blocks of the policy.

  • A policy can have multiple statements, each specifying a different set of permissions.

  • Example:

    "Statement": [
  {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-example-bucket/*"
  }
]

3. Effect

  • Effect defines whether the policy allows or denies access.

  • Possible values: "Allow" or "Deny". If a request matches both "Allow" and "Deny", the deny takes precedence.

  • Example:

    "Effect": "Allow"

4. Action

  • Action specifies the AWS service actions (API calls) allowed or denied.

  • Actions are defined in the format service:operation, such as s3:GetObject or ec2:StartInstances.

  • You can use wildcards (*) to allow multiple actions at once, like s3:* to permit all S3 actions.

  • Example:

    "Action": [
  "s3:GetObject",
  "s3:ListBucket"
]

5. Resource

  • Resource specifies the ARN (Amazon Resource Name) of the resources the policy applies to.

  • You can specify individual resources or use wildcards (*) to apply the action to multiple resources.

  • Some actions, like s3:ListBucket, apply to buckets, while others, like s3:GetObject, apply to objects.

  • Example:

    "Resource": "arn:aws:s3:::my-example-bucket/*"

ARN Format:

arn:aws:<service>:<region>:<account-id>:<resource-type>/<resource-id>

6. Condition (Optional)

  • Condition allows you to specify when the policy is effective based on conditions like IP address, time, or MFA authentication.

  • Each condition uses condition operators (like StringEquals or IpAddress) and keys specific to the service or context.

  • Example: Allow access only from a specific IP address.

    jsonCopy code"Condition": {
  "IpAddress": {
    "aws:SourceIp": "203.0.113.25"
  }
}

Full Example: Read-Only Access to an S3 Bucket

Here’s a complete IAM policy that grants read-only access to a specific S3 bucket and its contents.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-example-bucket",
        "arn:aws:s3:::my-example-bucket/*"
      ]
    }
  ]
}

Explanation:

  • Effect: Allow

  • Action: Grants the ability to list the bucket and read its contents.

  • Resource: Applies to the my-example-bucket and all objects within it.

Example: Policy with Conditions for MFA Requirement

This policy allows users to delete objects in an S3 bucket only if they have authenticated with MFA.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my-example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

Explanation:

  • Effect: Allow

  • Action: Grants permission to delete objects.

  • Condition: Ensures the user has MFA enabled before the delete action is allowed.

Example: Deny Policy with IP Address Restriction

This policy denies access to all S3 actions if the request originates from any IP address outside the allowed range.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-example-bucket/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Explanation:

  • Effect: Deny

  • Action: Denies all S3 operations if the IP is not within the range 203.0.113.0/24.

  • Condition: Uses the NotIpAddress operator to restrict access.

Summary of Policy Elements

Element

Description

Example

Version

Specifies the policy language version

"2012-10-17"

Statement

Contains the permissions to be evaluated

Multiple statements supported

Effect

Whether the action is allowed or denied

"Allow" or "Deny"

Action

The specific AWS API operations allowed or denied

"s3:GetObject"

Resource

The AWS resources to which the policy applies

"arn:aws:s3:::bucket-name"

Condition

Optional constraints based on context or attributes

IP address restrictions, MFA requirement

How Policies are Used in AWS

  1. User Policies: Attach to an IAM user to define individual permissions.

  2. Group Policies: Attach to an IAM group to manage permissions for multiple users.

  3. Role Policies: Attach to an IAM role to define what actions a role can perform.

  4. Resource Policies: Attach directly to resources like S3 buckets or Lambda functions to control access.

PreviousIAM FundamentalsNextIAM Documentation References

Last updated