IAM Policy
💡 Definition
An IAM Policy is a document (typically in JSON format) that defines permissions. Policies are attached to IAM identities (Users, Groups, Roles) or resources to determine what actions are allowed or denied.
🔑 Key Concepts
- JSON Format: The structure includes Version, Statement, Effect (Allow/Deny), Action (e.g., s3:ListBucket), and Resource (ARN).
- Managed Policies: Pre-built policies created and maintained by AWS (e.g., AdministratorAccess, AmazonS3ReadOnlyAccess).
- Customer Managed Policies: Policies you create and manage yourself.
- Inline Policies: Embedded directly into a single user, group, or role (not recommended for reuse).
⚙️ How it Works
When a user tries to perform an action, AWS evaluates all attached policies together:
1. Default Deny: Everything is denied by default.
2. Explicit Allow: An "Allow" statement grants permission.
3. Explicit Deny: A "Deny" statement overrides any "Allow", regardless of where it appears.
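The evaluation order above (default deny, explicit allow, explicit deny wins) and the JSON structure listed under Key Concepts can be demonstrated with a small simulator. This is an added example written for this page, not AWS code and not the real IAM evaluation engine: the two policies are constructed samples, the bucket names are invented, and the evaluator deliberately ignores NotAction, NotResource, Condition, service control policies, permission boundaries and resource-based policies. It does implement the three rules exactly as stated, including that statement order and policy order do not matter for a Deny.

```python
import fnmatch
import json

# Constructed sample policy 1: a read-only allow on every S3 resource,
# in the same shape as an AWS managed read-only policy.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": "*"
    }
  ]
}
""")

# Constructed sample policy 2: a customer managed explicit deny on a
# (hypothetical) production bucket and every object inside it.
DENY_PROD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::prod-data",
        "arn:aws:s3:::prod-data/*"
      ]
    }
  ]
}
""")


def _as_list(value):
    """Action, Resource and Statement may be written as a string or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are case-insensitive and may use wildcards such as s3:* or *."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    """Resource ARNs are matched case-sensitively, with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified identity-based policy evaluation.

    Returns "Allow" or "Deny" following the three rules:
      1. default deny (no matching statement at all),
      2. an explicit Allow grants the request,
      3. an explicit Deny overrides any Allow, wherever it appears.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _action_matches(stmt.get("Action", []), action):
                continue
            if not _resource_matches(stmt.get("Resource", []), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"      # rule 3: explicit deny wins immediately
            if stmt.get("Effect") == "Allow":
                allowed = True     # rule 2: remember, but keep scanning for a Deny
    return "Allow" if allowed else "Deny"   # rule 1: default deny


if __name__ == "__main__":
    attached = [READ_ONLY_POLICY, DENY_PROD_POLICY]
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::dev-data/report.csv"),   # Allow
        ("s3:PutObject", "arn:aws:s3:::dev-data/report.csv"),   # Deny (default)
        ("s3:GetObject", "arn:aws:s3:::prod-data/secret.csv"),  # Deny (explicit)
    ]:
        print(f"{act:14} {res:40} -> {evaluate(attached, act, res)}")
```

The third request is the instructive one: the read-only policy allows s3:GetObject on every resource, but the explicit Deny on the production bucket still wins, and swapping the order of the two policies gives the same result. A request with no matching statement at all (the s3:PutObject case) is denied without any Deny statement being present, which is the default-deny rule.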
🎯 Use Cases
- Granting Access: Allowing a developer to launch EC2 instances.
- Restricting Access: Denying access to production databases for interns.
- Enforcing Best Practices: Implementing the Principle of Least Privilege.
💰 Pricing Model
- Free feature of IAM.
📝 Exam Tips (CLF-C02)
- Policies are written in JSON.
- Explicit Deny always wins over Allow.
- Best practice: Use Managed Policies or Customer Managed Policies instead of Inline Policies.
See Also:
- IAM
- Principle of Least Privilege
- IAM User