Amazon Web Services Bootcamp

Policies

A policy is a JSON document that contains a list of statements that allow or deny access to AWS resources. A single policy can be attached to one or more IAM users, groups, and roles. IAM provides the following two types of managed policies:

  • AWS Managed Policies: These policies are created and maintained by AWS for common use cases (for example, read-only access to a service), so that administrators can attach them directly instead of writing their own. Because AWS owns them, you cannot edit them, and AWS may update their contents over time.
  • Customer Managed Policies: These policies are created in your own AWS account. You define exactly which actions are permitted on which resources, and you can modify or version them whenever needed.

The following is a sample customer-managed policy document:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "s3:*" 
            ], 
            "Resource": "arn:aws:s3:::awsbootcamp-bucket" 
        } 
    ] 
} 

The preceding policy allows all S3 actions (s3:*) on the bucket awsbootcamp-bucket. Effect takes either the value Allow or Deny. Action may list multiple actions, and Resource may likewise take multiple Amazon Resource Name (ARN) values as an array. Note that the bucket ARN arn:aws:s3:::awsbootcamp-bucket covers only bucket-level actions such as s3:ListBucket; object-level actions such as s3:GetObject and s3:PutObject are evaluated against the object ARN (arn:aws:s3:::awsbootcamp-bucket/*), which must be listed separately if those actions are intended. Also keep in mind that an explicit Deny in any applicable statement overrides an Allow, and that anything not explicitly allowed is denied by default.

An ARN uniquely identifies an AWS resource. For more information on ARNs, visit https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html.

We can also attach resource-based policies directly to some AWS resources, such as Amazon S3 buckets, Amazon SQS queues, Amazon SNS topics, and Amazon Glacier vaults. The following is a sample resource-based policy (an S3 bucket policy):

{ 
   "Version": "2012-10-17", 
   "Statement": [{ 
      "Principal": { 
         "AWS": [ 
            "arn:aws:iam::AWS-ACCOUNT-ID:root" 
         ] 
      }, 
      "Effect": "Allow", 
      "Action": [ 
         "s3:*" 
      ], 
      "Resource": "arn:aws:s3:::awsbootcamp-bucket" 
   }] 
} 

The preceding policy contains an additional field, Principal, which identifies who is granted the permissions: an AWS account (the root ARN shown above, or the bare account ID, delegates access to the whole account, whose own IAM policies then decide which of its users and roles can actually use it), a specific IAM user or role ARN, or an AWS service. Be careful with the wildcard principal "*": it grants the permissions to everyone, including anonymous users on the internet, and is a common cause of publicly exposed S3 buckets.

We can also define multiple statements in a single policy document. Let's see how to add multiple policy statements, here one per bucket:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "s3:*" 
            ], 
            "Resource": "arn:aws:s3:::awsbootcamp-bucket" 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ 
                "s3:*" 
            ], 
            "Resource": "arn:aws:s3:::awsbootcamp-bucket-2" 
        } 
    ] 
} 
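To make the evaluation rules behind the identity-based, resource-based and multi-statement policies shown in this section concrete, the following Python evaluator is an added example; it is neither the book's code nor an AWS library, and it models only the core rules (explicit Deny wins, then Allow, otherwise implicit deny; a Principal on a resource-based policy must cover the caller; within one account either policy type may grant access, across accounts both must). The account IDs 111122223333 and 999999999999, the user names alice and mallory, and the function names are placeholders chosen for this example; Condition, NotAction, NotPrincipal, permission boundaries and SCPs are deliberately left out.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets most fields be a single string or an array; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards are '*' and '?'. fnmatch also treats '[' specially, but
    # ARNs and action names never contain it, so the behaviour is identical here.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    """Does a resource-based policy's Principal cover this caller?"""
    if principal is None:          # identity-based policy: no Principal field
        return True
    if principal == "*":           # anonymous: anyone, including the public internet
        return True
    if caller_arn is None:
        return False
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    caller_account = caller_arn.split(":")[4]
    for entry in entries:
        if entry in ("*", caller_arn):
            return True
        # A bare account ID or the account's root ARN delegates to the whole
        # account, so every IAM principal of that account is covered.
        if entry in (caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def evaluate(policy, action, resource, caller_arn=None):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for one policy document.

    Every statement is walked; an explicit Deny short-circuits, an Allow is
    remembered, and a policy with no matching statement denies by default.
    """
    result = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not _matches(stmt.get("Action"), action):
            continue
        if not _matches(stmt.get("Resource"), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        result = "Allow"
    return result


def is_allowed(action, resource, caller_arn, resource_account,
               identity_policy=None, resource_policy=None):
    """Combine the caller's identity-based policy with the resource's policy.

    Same account: access if either policy allows and neither explicitly denies.
    Cross account: both the identity policy and the resource policy must allow.
    """
    ident = evaluate(identity_policy, action, resource, caller_arn) if identity_policy else "ImplicitDeny"
    res = evaluate(resource_policy, action, resource, caller_arn) if resource_policy else "ImplicitDeny"
    if "Deny" in (ident, res):
        return False
    if caller_arn.split(":")[4] == resource_account:
        return "Allow" in (ident, res)
    return ident == "Allow" and res == "Allow"


# Sample documents built for this example, following the shapes used in the text.
BUCKET = "arn:aws:s3:::awsbootcamp-bucket"
BUCKET_ONLY = {  # the text's identity-based policy: bucket ARN only
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": BUCKET}],
}
BUCKET_AND_OBJECTS = {  # multi-statement: objects included, deletes explicitly denied
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
    ],
}
BUCKET_POLICY = {  # resource-based, delegating to placeholder account 111122223333
    "Version": "2012-10-17",
    "Statement": [{"Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
                   "Effect": "Allow", "Action": ["s3:*"], "Resource": BUCKET}],
}
PUBLIC_BUCKET_POLICY = {  # the dangerous form: wildcard principal
    "Version": "2012-10-17",
    "Statement": [{"Principal": "*", "Effect": "Allow",
                   "Action": "s3:GetObject", "Resource": BUCKET + "/*"}],
}
ALICE = "arn:aws:iam::111122223333:user/alice"      # placeholder, same account as the bucket
MALLORY = "arn:aws:iam::999999999999:user/mallory"  # placeholder, a different account

if __name__ == "__main__":
    obj = BUCKET + "/report.csv"
    print("ListBucket with bucket ARN only :", evaluate(BUCKET_ONLY, "s3:ListBucket", BUCKET))
    print("GetObject with bucket ARN only  :", evaluate(BUCKET_ONLY, "s3:GetObject", obj))
    print("GetObject with object ARN       :", evaluate(BUCKET_AND_OBJECTS, "s3:GetObject", obj))
    print("DeleteObject (explicit Deny)    :", evaluate(BUCKET_AND_OBJECTS, "s3:DeleteObject", obj))
    print("alice via bucket policy alone   :", is_allowed("s3:ListBucket", BUCKET, ALICE, "111122223333", resource_policy=BUCKET_POLICY))
    print("mallory, cross-account, no grant:", is_allowed("s3:ListBucket", BUCKET, MALLORY, "111122223333", BUCKET_ONLY, BUCKET_POLICY))
    print("mallory on public bucket policy :", is_allowed("s3:GetObject", obj, MALLORY, "111122223333", BUCKET_AND_OBJECTS, PUBLIC_BUCKET_POLICY))
```

The second line of output is the trap mentioned earlier: the book's policy names only the bucket ARN, so s3:GetObject on an object is an implicit deny until the object ARN is added. The last two lines show why the Principal matters: a cross-account caller gets nothing unless the bucket policy names its account, while a wildcard principal hands object reads to any caller whose own account lets them make the request.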

Let's look at different ways to create AWS IAM Policies.