What are IAM Policy Elements and creating a policy?

Identity and Access Management • IAM Policy Elements

What are IAM Policy Elements and creating a policy?

Table of contents

After an Introduction to IAM, I want to discuss IAM terms. There are six main elements on which this IAM is based and they are -

  1. Principal: A principal is a person or application that can request an action or operation on AWS resources.

    ➡ Your administrative IAM user is your first principal.
    ➡ You can allow services and users to assume a Role
    ➡ IAM users, roles, federated Users and applications are all AWS principals.
    ➡ You can support federated users or programmatic access to allow an application to access your resources.

  2. Requests: When a principal tries to use the AWS Management Console, the AWS API or the AWS CLI, that principal sends a request to AWS the request includes the following information -

    Actions - The principal wants to perform. Resources upon which actions are performed. Principal information including the environment from which the request was made. Example: Creating/Deleting EC2 Instance
    Resources - Before AWS can evaluate and authorize a request AWS gathers the request information. Example: EC2
    Principal - Principal (the requester) is determined based on the authorization data. This includes the aggregate permission that the associated with the principal. Example: The user who is creating an Instance
    Environment Data - This includes data such as Information on EC2 such as IP Address, VPC name etc.
    Resource Data - Resource-related data such as Region in which EC2 is created, and S3 connected with EC2 instances.

  3. Authentication: A principal sending a request must be authenticated (signed to AWS) to send a request to AWS.

    Some AWS Services, like AWS S3, allow requests from anonymous users, they are exceptions to using the Role. To authenticate from the console as a root user or IAM user you must sign in with your email/username and Password provided by your administrator. To authenticate with CLI you must provide Access ID and Secret Key.

    You might also be required to provide additional security information like MFA (for example - Google Authenticator)

  4. Authorization: To authorize a request, IAM uses the value from the request context to check for matching policies and determine whether to allow or deny the requests.

    IAM policies are stored in form of JSON documents and specify the permissions that are allowed or denied. There are two types of policy:
    i] User (Identity) based policy: Specify permission allowed/denied for principals. User-based policy is limited to your account.

    Note: By default, only the AWS root user has access to all the resources in that account.

    ii] Resource-based Policy: Specify permission allowed/denied for resources. Popular for granting cross-account permission.

    IAM checks each policy that matches the context of your request. If a single policy includes a denied action, IAM denies the entire request and stops evaluating. This is called Explicit Deny.

    The evaluation logic follows the rule:

    ➡ By default, all requests are denied.

    ➡ An Explicit allow overrides the default permission i.e., Implicit deny.
    ➡ An Explicit deny overrides any allows.

    For example, if there is some policy with three Implicit deny and one Explicit allow then the entire policy will be considered as Explicit allow. But if there are three Explicit allow and one Explicit deny then it will be considered as Explicit deny.

  5. Action/operations: Actions are defined by a service and are the things that you can do to a resource such as viewing, creating, editing and deleting that resource.

    ➡ IAM supports approx 40 actions for a user resource including creating a user, deleting a user etc.

    ➡ Any action or resource that is not explicitly allowed is denied by default.
    ➡ After your request has been authenticated and authorized, AWS approves the actions for your requests.

  6. Resources: A resource is an entity that exists within a service. Examples are Different Servers in EC2 instances, Buckets in S3 buckets, IAM Users, Tables in DynamoDB etc.

    Each AWS service defines a set of actions that can be performed on each resource such as creating an instance in EC2 is action.

    After AWS approves the action for your requests those actions can be performed on the related resources within your account.
    If you create a request to perform an unrelated action on resources that request is denied.

    When you provide permission using an identity-based policy in IAM, then you provide permission to access resources only within your account.

Creating A New Policy

You can create a new IAM policy in the AWS management console using one of the following ways -

  1. JSON: You can create your policy by writing your own JSON script.

  2. Visual Editor: You can construct a new policy from scratch in the visual editor. If you use the visual editor you don't have to understand JSON syntax.

  3. Import: You can import a managed policy within your account and then edit the policy to customize it to your specific requirement.

This was the basic fundamental high-level overview of IAM policy elements.

Did you find this article valuable?

Support Xander Billa by becoming a sponsor. Any amount is appreciated!