Identity Policies in AWS

What are AWS IAM Permissions and Policies?

Permissions in AWS IAM define what actions an identity (user, group, or role) can perform on AWS resources. These permissions are granted through policies, which are attached to identities. Policies are objects that define permissions and can be attached to identities.

Why Are Permissions Important?

• Ensure Specific Access Levels: Users, groups, and roles can have complex and specific levels of access to AWS resources.
• Maintain Security and Compliance: Prevent unauthorized actions and manage security and compliance effectively.

Types of IAM Policies

1. Managed Policies: Pre-built policies created and maintained by AWS or your organization. These can be attached to users, groups, or roles.

2. Inline Policies: Custom policies directly attached to a specific identity (user, group, or role).

Adding Simple Identity Permissions in AWS IAM

Permissions for IAM Users

1. Navigate to IAM Users

2. Open the AWS Management Console.

3. Go to IAM or search for IAM in the search bar.

4. Select Users, User Groups, or Roles from the sidebar.

   

5. Select the Identity

6. Click on the user/user group/role to which you want to add permissions.

   

7. Attach Policies

8. Go to the Permissions tab and click Add permissions.

   

   

9. Choose Attach policies directly to assign managed or inline policies.

   

10. Find the appropriate policy using the search bar and select it.

    

Common AWS Managed Policies

1. AdministratorAccess

2. Full Access to All Services: Perform any action on any AWS service.

3. Full Control Over All Resources: Create, modify, delete, and configure any AWS resource.

4. No Restrictions: No limitations or conditions imposed.

   

5. ReadOnlyAccess

6. Read-Only Access: Provides read-only access to all AWS services.

7. Use Case: Ideal for users who need to view resources across all AWS services.

   

(The policy search bar works by finding all results with that text, so other more specific policies may pop up first).

1. IAMFullAccess

• Purpose: Grants full access to IAM.
• Permissions: Manage IAM users, groups, roles, and policies.

• Use Case: Best for administrators managing IAM aspects.

• IAMUserChangePassword

• Purpose: Allows users to change their own IAM password.
• Permissions: Allows actions like iam:ChangePassword.
• Use Case: Attach to users who need to manage their own password.

Custom Inline Policies

If you need fine-grained control and a high degree of specificity, create inline policies. Useful for roles with unique requirements not covered by managed policies.

Steps to Create a Custom Inline Policy

1. Navigate to the Permissions Tab

2. For the user, group, or role, go to the Permissions tab.

3. Click Add inline policy.

4. Use the Policy Editor

5. Visual Editor: Define permissions by selecting actions, resources, and conditions through a guided interface.

6. JSON Editor: Write the policy directly for more flexibility.

   Full Administrator Permissions JSON:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "*",
         "Resource": "*"
       }
     ]
   }
   

   IAMFullAccess JSON:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "iam:*",
           "organizations:DescribeAccount",
           "organizations:DescribeOrganization",
           "organizations:DescribeOrganizationalUnit",
           "organizations:DescribePolicy",
           "organizations:ListChildren",
           "organizations:ListParents",
           "organizations:ListPoliciesForTarget",
           "organizations:ListRoots",
           "organizations:ListPolicies",
           "organizations:ListTargetsForPolicy"
         ],
         "Resource": "*"
       }
     ]
   }
   

7. Review and Name Your Policy

8. Click Review policy.

9. Give your policy a meaningful name.
10. Click Create policy to apply it.

Next >> IAM Policy Simulator