IAM – Policies Components

Common Components of All IAM Policies

  1. Version:
    • Description: Specifies the version of the policy language in use.
  2. Statement:
    • Description: A list of one or more individual statements that together define the permissions.
  3. Effect:
    • Description: Specifies whether the statement allows or denies access. Values are “Allow” or “Deny”.
  4. Action:
    • Description: Lists the specific actions that this statement allows or denies, specified as the AWS service namespace followed by the action name (for example, s3:GetObject).
  5. Resource:
    • Description: Specifies the AWS resources to which the actions apply, using Amazon Resource Names (ARNs).
  6. Condition (Optional):
    • Description: Specifies the conditions under which the statement is in effect, such as date and time, source IP address, or user attributes.

Components Specific to Certain Types of Policies

  1. Principal (Resource-based Policies, Assume Role Policies):
    • Description: Specifies the user, account, service, or other entity that is allowed or denied access to the resource.
  2. Sid (Statement ID):
    • Description: Optional identifier for the statement, useful for managing and referencing specific statements within a policy.
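
The following Python script is an added example (not part of the original notes or any AWS tooling) that ties both lists together: it embeds a constructed identity-based policy and a constructed trust (assume-role) policy, then checks each document for the components above. It verifies the Version value, that each statement has a valid Effect, that every Action has the service:ActionName shape, that every Resource looks like an ARN, that Principal appears only in the resource-based policy, that Sids are unique, and it flags any Allow statement on Action "*" and Resource "*" that has no Condition. The bucket name, CIDR block and regular expressions are assumptions made for the example; the regexes are a loose approximation of the real syntax, not AWS's own policy validator.

```python
"""Inspect AWS IAM policy documents for the components described in the notes.

Added example. Both policies below are constructed for illustration; the bucket
name and CIDR block are placeholders, not values from any real account.
"""
import json
import re

# Action must be "<service>:<ActionName>" (wildcards allowed) or a bare "*".
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$")
# Loose ARN shape: arn:partition:service:region:account:resource, or a bare "*".
ARN_RE = re.compile(r"^(\*|arn:[a-z-]+:[a-z0-9-]*:[a-z0-9-]*:[0-9]*:.+)$")

# Constructed identity-based policy: every common component plus Sid and Condition.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadReportsBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-reports-bucket",
                   "arn:aws:s3:::example-reports-bucket/*"],
      "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    },
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

# Constructed trust (assume-role) policy: resource-based, so it carries a Principal
# and omits Resource (the role itself is the implied resource).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEc2ToAssume",
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}""")


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy, resource_based=False):
    """Return a list of findings; an empty list means every component is present and
    well-formed and no statement is flagged as overly broad."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version missing or not the current policy language version")
    statements = _as_list(policy.get("Statement"))
    if not statements:
        findings.append("Statement missing or empty")
    seen_sids = set()
    for i, stmt in enumerate(statements):
        label = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be 'Allow' or 'Deny'")
        actions = _as_list(stmt.get("Action"))
        if not actions:
            findings.append(f"{label}: Action missing")
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append(f"{label}: Action {action!r} is not '<service>:<ActionName>'")
        resources = _as_list(stmt.get("Resource"))
        if not resources and not resource_based:
            findings.append(f"{label}: Resource missing")
        for arn in resources:
            if not ARN_RE.match(arn):
                findings.append(f"{label}: Resource {arn!r} is not an ARN")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if resource_based and not has_principal:
            findings.append(f"{label}: resource-based statement lacks Principal")
        if not resource_based and has_principal:
            findings.append(f"{label}: Principal is not valid in an identity-based policy")
        sid = stmt.get("Sid")
        if sid is not None:
            if sid in seen_sids:
                findings.append(f"{label}: duplicate Sid")
            seen_sids.add(sid)
        # Defensive check: an unconditional Allow on every action and every resource.
        if (stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources
                and "Condition" not in stmt):
            findings.append(f"{label}: Allow on Action '*' and Resource '*' with no Condition")
    return findings


if __name__ == "__main__":
    for name, pol, rb in (("identity", IDENTITY_POLICY, False), ("trust", TRUST_POLICY, True)):
        print(name, check_policy(pol, resource_based=rb) or ["ok"])
```

Running the script reports the trust policy as clean and flags only the "TooBroad" statement of the identity policy, which is exactly the kind of statement a reviewer would want a Condition or a narrower Action/Resource on.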

Summary

  • Version: Policy language version.
  • Statement: List of permissions.
  • Effect: Allow or deny access.
  • Action: Specific actions allowed or denied.
  • Resource: AWS resources to which actions apply.
  • Condition: Optional conditions under which the statement is in effect.
  • Principal: Specifies the entities allowed or denied access (specific to resource-based and assume role policies).
  • Sid: Optional statement identifier.