
Crafting IAM Policies - Day 10

Welcome back to Day 10 of our #100DaysOfAWS series! Today, we're diving into a pivotal aspect of AWS security - crafting IAM policies. It's like setting up the rules of the road for your AWS resources.


In the previous blogs, we've explored AWS Identity and Access Management (IAM), learned how to create users, and mastered user and group management. Now, it's time to take the reins and control what these users and groups can and cannot do within your AWS environment. That's where IAM policies come into play.


What Are IAM Policies?

Imagine IAM policies as a set of rules or permissions that specify what actions are allowed or denied for users, groups, or roles within your AWS account. These policies define who can do what in your AWS resources, and they are a crucial element of your AWS security strategy.


Getting Started with IAM Policies

Before we dive into crafting IAM policies, there are a few fundamental concepts to grasp:

1. JSON Language: IAM policies are written in JSON (JavaScript Object Notation). Don't be intimidated by the term—it's simply a format for structuring data, making it easy for computers to read and understand.


2. Policy Structure: IAM policies consist of a few key components:

  • Version: Defines the version of the policy language. Always use the latest version.

  • Statement: The core of the policy, containing one or more permissions.

  • Sid: This is an optional element that allows us to define a statement ID.

  • Effect: Determines whether the statement allows or denies access (values are "Allow" or "Deny").

  • Action: Specifies the AWS service actions that are allowed or denied.

  • Resource: Defines the AWS resources (like S3 buckets, EC2 instances, etc.) to which the policy applies.

  • Principal: Used only in resource-based policies; identifies the accounts, users, roles or services that are allowed or denied access to the resource.

  • Condition: Specifies the circumstances under which the statement applies, such as the requester's source IP or whether MFA was used. This element is what makes fine-grained, custom access rules possible.

3. Policy Attachments: Policies can be attached to IAM users, groups, or roles. This is how you control who gets access to what resources.
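To make the elements above concrete, here is an added example (not from the original post) showing both kinds of policy document as Python dictionaries, plus a small structural check of the kind you would run before attaching a policy. The bucket name, account ID and role name are constructed placeholders, and the validator is a teaching aid written for this post, not an AWS API: it only checks that the elements listed above are present and used in the right kind of policy.

```python
import json

# Constructed example of an identity-based policy (attached to a user, group or role).
# It has no Principal: the identity it is attached to is the principal.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOwnBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-bucket",  # placeholder bucket name
        },
        {
            "Sid": "DenyDeleteWithoutMFA",
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Constructed example of a resource-based policy (an S3 bucket policy). Only this
# kind carries a Principal, naming who may act on the resource it is attached to.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAuditorRead",
            "Effect": "Allow",
            # placeholder account ID and role name
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/Auditor"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}

LATEST_VERSION = "2012-10-17"
VALID_EFFECTS = {"Allow", "Deny"}


def validate_policy(policy: dict, resource_based: bool = False) -> list:
    """Return a list of structural problems; an empty list means the document is well-formed.

    This is a simplified check for the elements discussed in the post, not the full
    IAM policy grammar.
    """
    problems = []
    if policy.get("Version") != LATEST_VERSION:
        problems.append(f"Version should be {LATEST_VERSION!r}, got {policy.get('Version')!r}")

    statements = policy.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]  # a single statement may be written without the list
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]

    for i, stmt in enumerate(statements):
        label = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") not in VALID_EFFECTS:
            problems.append(f"{label}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            problems.append(f"{label}: missing Action")
        # Identity-based policies must name a Resource; resource-based policies may
        # omit it (a role trust policy, for example, has no Resource element).
        if not resource_based and "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"{label}: missing Resource")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if resource_based and not has_principal:
            problems.append(f"{label}: resource-based policy needs a Principal")
        if not resource_based and has_principal:
            problems.append(f"{label}: identity-based policies must not contain Principal")
    return problems


if __name__ == "__main__":
    # Print the document as the JSON the console would show, then check both policies.
    print(json.dumps(IDENTITY_POLICY, indent=2))
    print("identity policy problems:", validate_policy(IDENTITY_POLICY))
    print("bucket policy problems:", validate_policy(BUCKET_POLICY, resource_based=True))
```

Running the module prints the identity policy as JSON and an empty problem list for each document; feeding it a statement with `"Effect": "Permit"` or an old `Version` shows how the check reports mistakes before they reach the console.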


Creating Custom IAM Policies

You can create a customer managed policy in the AWS Management Console using one of the following methods:

  • JSON — Paste and customize a published example identity-based policy.

  • Visual editor — Construct a new policy from scratch in the visual editor. If you use the visual editor, you do not have to understand JSON syntax.

  • Import — Import and customize a managed policy from within your account. You can import an AWS managed policy or a customer managed policy that you previously created.


In this blog, we will walk through creating a policy with the visual editor.

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane on the left, choose Policies.

3. Choose Create policy.



4. In the Policy editor section, find the Select a service section, and then choose an AWS service. You can use the search box at the top to limit the results in the list of services. You can choose only one service within a visual editor permission block. To grant access to more than one service, add multiple permission blocks by choosing Add more permissions.


5. In Actions allowed, choose the actions to add to the policy. You can choose actions in the following ways:

  • Select the check box for all actions.

  • Choose add actions to type the name of a specific action. You can use wildcards (*) to specify multiple actions.

  • Select one of the Access level groups to choose all actions for the access level (for example, Read, Write, or List).

  • Expand each of the Access level groups to choose individual actions.


6. For Resources, if the service and actions that you selected in the previous steps do not support choosing specific resources, all resources are allowed and you cannot edit this section.

If you chose one or more actions that support resource-level permissions, then the visual editor lists those resources. You can then expand Resources to specify resources for your policy.

You can specify resources in the following ways:

  • Choose Add ARNs to specify resources by their Amazon Resource Names (ARN). You can use the visual ARN editor or list ARNs manually. For more information about ARN syntax, see Amazon Resource Name (ARN) in the AWS General Reference Guide. For information about using ARNs in the Resource element of a policy, see IAM JSON policy elements: Resource.

  • Choose Any in this account next to a resource to grant permissions to any resources of that type.

  • Choose All to choose all resources for the service.


7. (Optional) Choose Request conditions - optional to add conditions to the policy that you are creating. Conditions limit a JSON policy statement's effect. For example, you can specify that a user is allowed to perform the actions on the resources only when that user's request happens within a certain time range. You can also use commonly used conditions to limit whether a user must be authenticated using a multi-factor authentication (MFA) device. Or you can require that the request originate from within a certain range of IP addresses.

You can choose conditions in the following ways:

  • Use check boxes to select commonly used conditions.

  • Choose Add another condition to specify other conditions. Choose the condition's Condition Key, Qualifier, and Operator, and then type a Value. To add more than one value, choose Add. You can consider the values as being connected by a logical "OR" operator. When you are finished, choose Add condition.

To add more than one condition, choose Add another condition again. Repeat as needed. Each condition applies only to this one visual editor permission block. All the conditions must be true for the permission block to be considered a match. In other words, consider the conditions to be connected by a logical "AND" operator.


8. To add more permission blocks, choose Add more permissions. For each block, repeat the service, actions, resources and conditions steps above.


9. When you are finished adding permissions to the policy, choose Next.

10. On the Review and create page, type a Policy Name and a Description (optional) for the policy that you are creating. Review the Permissions defined in this policy to make sure that you have granted the intended permissions.

11. (Optional) Add metadata to the policy by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources.

12. Choose Create policy to save your new policy.


After you create a policy, you can attach it to your groups, users, or roles.
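The visual editor hides the JSON, but it helps to see what one permission block turns into and how its conditions are evaluated. The following is an added example written for this post, not code from the original or from AWS: a policy equivalent to a single block (service S3, two Read-level actions, one bucket ARN, an MFA condition and a source-IP condition), together with a small evaluator that implements the two rules the procedure states: values listed under one condition key are ORed, and separate condition keys are ANDed. The bucket name and IP ranges are constructed placeholders, and the evaluator models only the three operators it uses.

```python
import ipaddress

# Constructed example of the policy one visual-editor permission block produces.
VISUAL_EDITOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsFromOfficeWithMFA",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::example-reports-bucket/*",  # placeholder bucket
            "Condition": {
                # Two condition keys: both must match (logical AND).
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                # Two values under one key: either may match (logical OR).
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.7/32"]},
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _operator_matches(operator: str, expected, actual: str) -> bool:
    """Match one condition key; the listed values are ORed."""
    values = _as_list(expected)
    if operator == "StringEquals":
        return any(actual == v for v in values)
    if operator == "Bool":
        return any(actual.lower() == str(v).lower() for v in values)
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"operator {operator!r} is not modelled in this example")


def condition_matches(condition: dict, request_context: dict) -> bool:
    """Evaluate a Condition element: every operator/key pair must match (logical AND).

    Simplification, not the full IAM algorithm: a key absent from the request
    context simply fails to match, and the ...IfExists operator variants are not modelled.
    """
    for operator, key_values in condition.items():
        for key, expected in key_values.items():
            actual = request_context.get(key)
            if actual is None or not _operator_matches(operator, expected, actual):
                return False
    return True


def statement_allows(statement: dict, action: str, resource: str, request_context: dict) -> bool:
    """True if this Allow statement matches the action, the resource and all of its conditions."""
    if statement.get("Effect") != "Allow":
        return False
    if action not in _as_list(statement["Action"]):
        return False
    resources = _as_list(statement["Resource"])
    # Only a trailing '*' wildcard is modelled, which is what the bucket ARN above uses.
    if not any(resource == r or (r.endswith("*") and resource.startswith(r[:-1]))
               for r in resources):
        return False
    return condition_matches(statement.get("Condition", {}), request_context)


if __name__ == "__main__":
    stmt = VISUAL_EDITOR_POLICY["Statement"][0]
    obj = "arn:aws:s3:::example-reports-bucket/q3.pdf"
    # Constructed request contexts: MFA present from the office range, and MFA absent.
    for ctx in ({"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.45"},
                {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.45"}):
        print(ctx, "->", "allowed" if statement_allows(stmt, "s3:GetObject", obj, ctx) else "no match")
```

The second context in the usage section fails even though the IP is in range, which is the AND rule in action; a request from the single /32 address passes because either listed value satisfies the `aws:SourceIp` key.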


Best Practices for IAM Policies

When crafting IAM policies, there are several best practices to keep in mind:

  • Follow the principle of least privilege: Users and groups should only have the permissions they require to perform their tasks.

  • Regularly review and update policies: As your organization's needs evolve, so should your policies. Periodically revisit and revise them to ensure they stay in sync with your security requirements.

  • Use AWS managed policies: AWS offers a range of pre-built managed policies for common use cases. These can save you time and ensure best practices.
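Least privilege is easy to state and easy to violate with a single wildcard, so it pays to check policies mechanically as part of the periodic review the list above calls for. Below is an added example written for this post, not code from the original or from AWS: a small linter that flags Allow statements using `*` or `service:*` actions or a `*` resource, run against a constructed over-broad policy and a scoped-down version of it. Because AWS managed policies can also be broader than a specific task needs, the same check is worth running on any policy before you attach it.

```python
# Constructed examples: a policy that is far too broad beside a scoped-down version.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Everything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            # placeholder bucket name; ListBucket needs the bucket ARN, GetObject the objects
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_least_privilege(policy: dict) -> list:
    """Return (Sid, finding) tuples for Allow statements that use wildcards.

    Deny statements are skipped: a broad Deny narrows access rather than widening it.
    An empty list means no wildcard grants were found, not that the policy is minimal.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((sid, "Action '*' grants every action in every service"))
        for action in actions:
            if action.endswith(":*"):
                findings.append((sid, f"Action {action!r} grants every action of that service"))
        if "*" in resources:
            findings.append((sid, "Resource '*' applies to every resource; scope it to ARNs"))
        if "*" in actions and "*" in resources and "Condition" not in stmt:
            findings.append((sid, "unconditional full administrative access"))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}:")
        for sid, finding in lint_least_privilege(policy) or [("-", "no wildcard grants found")]:
            print(f"  {sid}: {finding}")
```

The broad policy produces five findings and the scoped one none. The check is deliberately conservative: it only looks for wildcards, so passing it is a necessary condition for least privilege, not proof of it.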

IAM policies are your key to securing your AWS resources effectively. By carefully crafting policies that align with the principle of least privilege and staying up-to-date with best practices, you'll be well on your way to fortifying your AWS security.


As you continue your #100DaysOfAWS journey, consider exploring more advanced policy scenarios and diving into AWS security best practices. Until next time, keep crafting those ironclad IAM policies!


Thank you for reading!


*** Explore | Share | Grow ***
