IAM – Policy

What an IAM policy is, what the different policy types are, how they differ, and which AWS services help create traceability for access to AWS resources.


What is an AWS IAM Policy?

An AWS Identity and Access Management (IAM) policy is a JSON document that defines permissions: which actions are allowed or denied on which AWS resources, and under what conditions. Policies are attached to IAM identities (users, groups, and roles), or directly to resources, to grant or restrict access to AWS resources.

Types of AWS IAM Policies

  1. Identity-based Policies:

    • Description: These policies are attached to IAM users, groups, or roles. They define what actions those identities are allowed or denied on specific AWS resources.
    • Examples:
      • Managed Policies: AWS-managed (predefined by AWS) and Customer-managed (created by you).
      • Inline Policies: Embedded directly into a specific user, group, or role.
  2. Resource-based Policies:

    • Description: These policies are attached directly to AWS resources like S3 buckets, SNS topics, or SQS queues. They define who (which users or roles) can perform actions on the resource and under what conditions.
    • Examples:
      • S3 bucket policies
      • SNS topic policies
      • SQS queue policies
  3. Permissions Boundaries:

    • Description: These are advanced policies that define the maximum permissions that an IAM role or user can have. They act as a guardrail, ensuring that the role or user cannot exceed the defined permissions.
    • Example: Restricting a role to only be able to perform read-only actions, regardless of any additional policies attached.
  4. Service Control Policies (SCPs):

    • Description: SCPs are used in AWS Organizations to manage permissions across all accounts in an organization. SCPs define the maximum permissions for accounts within an organizational unit (OU) or the entire organization.
    • Example: Preventing any account in an organization from deleting IAM roles.
  5. Access Control Lists (ACLs):

    • Description: ACLs are resource-based policies that control access to specific resources, such as S3 buckets and objects, on a more granular level.
    • Example: Granting read or write access to a specific S3 bucket for a particular AWS account.
  6. Session Policies:

    • Description: Policies passed when a user assumes a role, limiting the permissions of the role session.
    • Example: Further restricting the actions a user can perform while using temporary credentials.

Differences Between Policy Types

  1. Scope and Application:

    • Identity-based Policies: Apply to IAM identities (users, groups, roles). Define what actions these identities can perform on AWS resources.
    • Resource-based Policies: Apply directly to resources. Define which identities can access the resource and what actions they can perform.
    • Permissions Boundaries: Apply to IAM roles and users to restrict their maximum permissions.
    • Service Control Policies (SCPs): Apply to AWS accounts within an organization to control the maximum available permissions.
    • Access Control Lists (ACLs): Apply to specific resources for fine-grained control.
    • Session Policies: Apply during temporary role sessions to further restrict permissions.
  2. Management and Use:

    • Identity-based Policies: Managed at the identity level, can be AWS-managed or customer-managed.
    • Resource-based Policies: Managed at the resource level, typically used for cross-account access.
    • Permissions Boundaries: Used for advanced permissions management, often in larger organizations.
    • Service Control Policies (SCPs): Managed within AWS Organizations, affecting multiple accounts.
    • Access Control Lists (ACLs): Used for fine-grained access control, often in S3.
    • Session Policies: Applied during role assumption, useful for temporary or delegated access.
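The lists above describe each policy type in isolation; what matters in practice is how AWS combines them for a single request. The following is an added example, not code from the original page or from AWS: a small Python model of the documented evaluation order (an explicit Deny anywhere wins; every guardrail that is present, meaning SCPs, a permissions boundary and a session policy, must allow the action but never grants anything by itself; and finally an identity-based or resource-based policy must actually grant the action). The sample policies, the account id 111122223333 and the bucket name are constructed placeholders, and Principal and Condition elements are deliberately ignored to keep the model short.

```python
"""Simplified model of how AWS combines the policy types listed above.

Added example, not from the original page. It encodes the documented
evaluation order: an explicit Deny in any applicable policy wins; then every
guardrail that is present (SCP, permissions boundary, session policy) must
allow the action; finally an identity-based or resource-based policy must
grant it. Principal and Condition elements are ignored (a deliberate
simplification), and wildcard matching uses fnmatch on Action/Resource.
"""
from fnmatch import fnmatchcase
import json


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def decision(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    result = None
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"          # explicit deny short-circuits
        result = "Allow"
    return result


def is_allowed(action, resource, identity_policies=(), resource_policy=None,
               permissions_boundary=None, scps=(), session_policy=None):
    """Same-account evaluation of one request against all policy types."""
    everything = list(identity_policies) + list(scps) + [
        p for p in (resource_policy, permissions_boundary, session_policy) if p]
    # 1. An explicit Deny anywhere overrides every Allow.
    if any(decision(p, action, resource) == "Deny" for p in everything):
        return False
    # 2. Guardrails cap the maximum: each one present must allow the action.
    #    SCPs, boundaries and session policies never grant on their own.
    guardrails = list(scps) + [
        p for p in (permissions_boundary, session_policy) if p]
    if any(decision(p, action, resource) != "Allow" for p in guardrails):
        return False
    # 3. Something must actually grant: an identity-based policy attached to
    #    the principal, or a resource-based policy on the target resource.
    grantors = list(identity_policies) + ([resource_policy] if resource_policy else [])
    return any(decision(p, action, resource) == "Allow" for p in grantors)


# Constructed sample policies (placeholder account id 111122223333).
ADMIN_S3_AND_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"}]}
READ_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
DENY_ROLE_DELETE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:DeleteRole", "Resource": "*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

BUCKET_OBJECT = "arn:aws:s3:::example-bucket/report.csv"


def demo():
    """Return a dict of sample decisions showing how the layers interact."""
    return {
        # boundary allows read, identity grants it, SCP does not deny: allowed
        "read_within_boundary": is_allowed(
            "s3:GetObject", BUCKET_OBJECT, [ADMIN_S3_AND_IAM],
            permissions_boundary=READ_ONLY_BOUNDARY, scps=[DENY_ROLE_DELETE_SCP]),
        # identity allows write, but the boundary caps it: denied
        "write_capped_by_boundary": is_allowed(
            "s3:PutObject", BUCKET_OBJECT, [ADMIN_S3_AND_IAM],
            permissions_boundary=READ_ONLY_BOUNDARY),
        # identity allows iam:*, but the SCP explicitly denies the action
        "delete_role_blocked_by_scp": is_allowed(
            "iam:DeleteRole", "arn:aws:iam::111122223333:role/example-role",
            [ADMIN_S3_AND_IAM], scps=[DENY_ROLE_DELETE_SCP]),
        # no identity policy at all; the bucket policy grants the read
        "granted_by_bucket_policy": is_allowed(
            "s3:GetObject", BUCKET_OBJECT, resource_policy=BUCKET_POLICY),
        # session policy narrows a role session to list-only
        "session_policy_narrows": is_allowed(
            "s3:GetObject", BUCKET_OBJECT, [ADMIN_S3_AND_IAM],
            session_policy={"Statement": [{"Effect": "Allow",
                                           "Action": "s3:ListBucket",
                                           "Resource": "*"}]}),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the five decisions. The point to take from the model is the asymmetry: an identity-based or resource-based policy is the only thing that can grant, while a permissions boundary, an SCP or a session policy can only take away, so an over-broad identity policy behind a tight boundary is still read-only, and a tight identity policy behind a broad boundary gains nothing.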

Services for Creating Traceability for Access to AWS Resources

  1. AWS CloudTrail:

    • Description: Tracks API calls made on your account. Provides a history of AWS API calls for account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services.
    • Use: Auditing and monitoring, security analysis, and compliance.
  2. AWS Config:

    • Description: Provides a detailed view of the configuration of AWS resources in your account. Continuously monitors and records AWS resource configurations and allows automated compliance checks.
    • Use: Configuration compliance, auditing, and security analysis.
  3. AWS CloudWatch:

    • Description: Monitors your AWS resources and applications. Provides metrics, logs, and events to help you understand your AWS infrastructure’s state and performance.
    • Use: Operational monitoring, performance management, and incident detection.
  4. AWS IAM Access Analyzer:

    • Description: Helps identify resources that are shared with an external entity and checks for unintended access to your resources.
    • Use: Security and compliance auditing, identifying external access.
  5. Amazon GuardDuty:

    • Description: Provides intelligent threat detection to protect your AWS accounts and workloads. Uses machine learning to identify unusual activity.
    • Use: Continuous security monitoring and threat detection.
  6. AWS Trusted Advisor:

    • Description: Provides real-time guidance to help you provision your resources following AWS best practices.
    • Use: Cost optimization, security, fault tolerance, and performance improvement.
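CloudTrail, the first service in the list above, is the one that actually records who called which API, so it is where traceability starts. The following is an added example, not code from the original page or from AWS: a Python script that reads a CloudTrail log file in the delivered format (a JSON object whose "Records" list holds one event per API call) and flags three kinds of access worth tracing: privileged IAM changes such as the role deletion the SCP section warns about, console logins without MFA, and principals accumulating AccessDenied errors. The field names (eventSource, eventName, userIdentity, errorCode, additionalEventData.MFAUsed) are the real CloudTrail record fields; the records themselves, the account id 111122223333, the bucket names and the IP addresses are constructed for the example.

```python
"""Added example: tracing access from CloudTrail records.

Not from the original page. It reads a CloudTrail log file (the JSON object
with a top-level "Records" list that CloudTrail delivers to S3), then flags
three kinds of events a reviewer would want to trace: privileged IAM
changes, console logins without MFA, and principals accumulating
AccessDenied errors. The records below are constructed for this example
with placeholder account id 111122223333 and documentation IP ranges.
"""
import json
from collections import Counter

# Real IAM API names whose successful use changes who can do what.
PRIVILEGED_IAM_EVENTS = {
    "DeleteRole", "DeleteRolePolicy", "AttachRolePolicy", "PutRolePolicy",
    "CreateAccessKey", "UpdateAssumeRolePolicy", "DeleteRolePermissionsBoundary",
}

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"roleName": "example-app-role"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-dev"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
] + [
    # three denied reads by the same role session (constructed)
    {"eventTime": f"2024-05-01T10:1{i}:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-readonly/ci"},
     "requestParameters": {"bucketName": "example-secrets", "key": f"k{i}"}}
    for i in range(3)
] + [
    # one ordinary successful read; produces no finding
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/example-readonly/ci"},
     "requestParameters": {"bucketName": "example-public", "key": "index.html"}},
]})


def load_records(text):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(text)["Records"]


def actor_of(record):
    """The principal ARN behind an event; CloudTrail puts it in userIdentity."""
    return record.get("userIdentity", {}).get("arn", "unknown")


def analyze(records, denied_threshold=3):
    """Return a list of (finding, actor, detail) tuples in record order."""
    findings = []
    denied = Counter()
    for rec in records:
        actor = actor_of(rec)
        name = rec.get("eventName", "")
        if rec.get("errorCode") == "AccessDenied":
            denied[actor] += 1
            continue  # a failed call changed nothing; only count it
        if rec.get("eventSource") == "iam.amazonaws.com" and name in PRIVILEGED_IAM_EVENTS:
            target = rec.get("requestParameters", {}).get("roleName", "?")
            findings.append(("iam_privileged_change", actor,
                             f"{name} on {target} from {rec.get('sourceIPAddress', '?')}"))
        elif name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console_login_without_mfa", actor,
                             rec.get("sourceIPAddress", "?")))
    # Repeated AccessDenied from one principal is the trace a guardrail
    # (boundary, SCP, bucket policy) leaves when something probes past it.
    for actor, count in denied.items():
        if count >= denied_threshold:
            findings.append(("repeated_access_denied", actor,
                             f"{count} AccessDenied errors"))
    return findings


if __name__ == "__main__":
    for kind, actor, detail in analyze(load_records(SAMPLE_TRAIL)):
        print(f"{kind:28} {actor}  {detail}")
```

Run against the embedded sample it reports three findings: the DeleteRole call with its source IP, the console login without MFA, and the role session that hit AccessDenied three times. In a real deployment the same logic would run over the compressed objects CloudTrail writes to its S3 bucket, or over a CloudWatch Logs subscription, and each finding is a starting point for the AWS Config and Access Analyzer checks described above rather than a verdict on its own.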

Summary

  • AWS IAM Policies define permissions for AWS resources and come in various types, each with specific use cases and applications.
  • Types: Identity-based policies, resource-based policies, permissions boundaries, SCPs, ACLs, and session policies.
  • Services for Traceability: AWS CloudTrail, AWS Config, AWS CloudWatch, AWS IAM Access Analyzer, Amazon GuardDuty, and AWS Trusted Advisor help monitor, audit, and secure access to AWS resources.

These tools and policies together help manage permissions effectively and ensure security and compliance in an AWS environment.