Common Components of All IAM Policies
- Version: Specifies the version of the policy language.
- Statement: A list of individual statements that define the permissions.
- Effect: Specifies whether the statement allows or denies access. Values are "Allow" or "Deny".
- Action: Lists the specific actions that are allowed or denied by this statement, specified as the AWS service namespace followed by the action name.
- Resource: Specifies the AWS resources to which the actions apply, using Amazon Resource Names (ARNs).
- Condition (Optional): Specifies conditions under which the statement is in effect, such as date and time, IP address, or user attributes.
Components Specific to Certain Types of Policies
- Principal (Resource-based Policies, Assume Role Policies): Specifies the user, account, service, or other entity that is allowed or denied access to a resource.
- Sid (Statement ID): Optional identifier for the statement, useful for managing and referencing specific statements within a policy.
Summary
- Version: Policy language version.
- Statement: List of permissions.
- Effect: Allow or deny access.
- Action: Specific actions allowed or denied.
- Resource: AWS resources to which actions apply.
- Condition: Optional conditions for statement effect.
- Principal: Specifies entities allowed or denied access (specific to resource-based and assume role policies).
- Sid: Optional statement identifier.
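The components above map directly onto the JSON a policy is written in. The following added example (not part of the original page) builds a constructed sample policy that uses each component and runs a small linter over it: it checks Version, the Allow/Deny values of Effect, the service:action shape of Action, the ARN shape of Resource, the presence of Principal when the policy is resource-based, and flags an Allow statement that combines Action "*" with Resource "*". The bucket name, CIDR and statement IDs are made up for the example.

```python
import json
import re

# Constructed sample (not from the page): an identity-based policy with one
# well-scoped statement and one over-broad statement, exercising every component.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadFromOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Action is "service:ActionName" (wildcards allowed); Resource is an ARN or "*".
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$")
ARN_RE = re.compile(r"^(\*|arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:(\d{12})?:.+)$")


def lint_policy(policy_json, resource_based=False):
    """Return a list of findings; an empty list means every component checked out."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version: expected '2012-10-17'")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    for i, st in enumerate(statements):
        sid = st.get("Sid", f"statement[{i}]")  # Sid is optional, so fall back to index
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be 'Allow' or 'Deny'")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        findings += [f"{sid}: malformed Action '{a}'" for a in actions if not ACTION_RE.match(a)]
        findings += [f"{sid}: malformed Resource '{r}'" for r in resources if not ARN_RE.match(r)]
        if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            findings.append(f"{sid}: Allow on Action '*' and Resource '*' grants full access")
        if resource_based and "Principal" not in st:  # Principal is required here
            findings.append(f"{sid}: resource-based policy statement needs a Principal")
    return findings
```

Running `lint_policy(SAMPLE_POLICY)` reports only the over-broad statement; passing `resource_based=True` additionally reports both statements for their missing Principal.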