IAM definition
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who can sign in and call AWS APIs (authentication) and which resources each identity can use and in what ways (authorization). IAM itself carries no charge: it is available in a Free Tier account and remains available after the Free Tier expires.
Policy language
Policies are written in JSON. JSON itself is outside the scope of this guide, but these are the rules that matter for policies:
- White space between individual entities is allowed.
- Values are enclosed in quotation marks. The quotation marks are optional for numeric and Boolean values.
- Many elements (for example, action_string_list and resource_string_list) can take a JSON array as a value. Arrays can take one or more values. If more than one value is included, the array is in square brackets ([ and ]) and comma-delimited, as in the following example: "Action" : ["ec2:Describe*", "ec2:List*"]
- Basic JSON data types (Boolean, number, and string) are defined in RFC 7159 (since superseded by RFC 8259).
Grammar conventions:
- The following characters are JSON tokens and are included in policies: { } [ ] " , :
- The following characters are special characters in the grammar and are not included in policies: = < > ( ) |
- If an element allows multiple values, it is indicated using repeated values, a comma delimiter, and an ellipsis (...). Examples: [<action_string>, <action_string>, ...] and <principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }. If multiple values are allowed, it is also valid to include only one value. For only one value, the trailing comma must be omitted. If the element takes an array (marked with [ and ]) but only one value is included, the brackets are optional. Examples: "Action": [<action_string>] and "Action": <action_string>
- A question mark (?) following an element indicates that the element is optional. Example: <version_block?>. See the notes that follow the grammar listing in the AWS documentation for details about the optional elements.
- A vertical line (|) between elements indicates alternatives. In the grammar, parentheses define the scope of the alternatives. Example: ("Principal" | "NotPrincipal")
- Elements that must be literal strings are enclosed in double quotation marks ("). Example: <version_block> = "Version" : ("2008-10-17" | "2012-10-17")
Grammar template:
policy = {
  <version_block?>
  <id_block?>
  <statement_block>
}
<version_block> = "Version" : ("2008-10-17" | "2012-10-17")
<id_block> = "Id" : <policy_id_string>
<statement_block> = "Statement" : [ <statement>, <statement>, ... ]
<statement> = {
  <sid_block?>,
  <principal_block?>,
  <effect_block>,
  <action_block>,
  <resource_block>,
  <condition_block?>
}
<sid_block> = "Sid" : <sid_string>
<effect_block> = "Effect" : ("Allow" | "Deny")
<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)
<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }
<principal_map_entry> = ("AWS" | "Federated" | "Service") : [<principal_id_string>, <principal_id_string>, ...]
<action_block> = ("Action" | "NotAction") : ("*" | [<action_string>, <action_string>, ...])
<resource_block> = ("Resource" | "NotResource") : ("*" | [<resource_string>, <resource_string>, ...])
<condition_block> = "Condition" : { <condition_map> }
<condition_map> = {
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")
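As an added example (not code from the original page or from AWS), the following Python checker enforces the structural rules of the grammar template above: the required Statement block, the two allowed Version strings, exactly one of each Action/NotAction and Resource/NotResource pair, the three principal types, a Condition that maps operators to keys to values, and the convention that a single value may be written without array brackets. It returns the policy in a normalised form with every array-valued element as a list. The policy it runs on is constructed for the example; aws:MultiFactorAuthPresent is a real IAM global condition key, while the function names and the Sid are the example's own.

```python
import json

VERSIONS = {"2008-10-17", "2012-10-17"}
PRINCIPAL_TYPES = {"AWS", "Federated", "Service"}
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action", "NotAction",
                  "Resource", "NotResource", "Condition"}


def _as_list(value):
    # The grammar lets a one-element array be written without brackets; normalise it.
    return value if isinstance(value, list) else [value]


def _exactly_one(statement, key, alt):
    # Alternatives such as ("Action" | "NotAction"): exactly one of the pair must appear.
    present = [k for k in (key, alt) if k in statement]
    if len(present) != 1:
        raise ValueError(f"expected exactly one of {key}/{alt}, found {present}")
    return present[0]


def validate_policy(policy):
    """Check a parsed policy against the grammar template and return it normalised
    (every array-valued element as a list). Raises ValueError on the first violation.
    The checks are structural only; they say nothing about whether the permissions
    granted are sensible."""
    if not isinstance(policy, dict):
        raise ValueError("policy must be a JSON object")
    if "Version" in policy and policy["Version"] not in VERSIONS:
        raise ValueError(f"unsupported Version {policy['Version']!r}")
    if "Statement" not in policy:
        raise ValueError("missing required Statement block")
    normalised = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if not isinstance(st, dict):
            raise ValueError(f"statement {i}: must be an object")
        unknown = set(st) - STATEMENT_KEYS
        if unknown:
            raise ValueError(f"statement {i}: unknown element(s) {sorted(unknown)}")
        if st.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"statement {i}: Effect must be Allow or Deny")
        out = {"Effect": st["Effect"]}
        if "Sid" in st:
            out["Sid"] = st["Sid"]
        for key, alt in (("Action", "NotAction"), ("Resource", "NotResource")):
            chosen = _exactly_one(st, key, alt)
            out[chosen] = _as_list(st[chosen])  # "*" simply becomes ["*"]
            if not all(isinstance(v, str) for v in out[chosen]):
                raise ValueError(f"statement {i}: {chosen} values must be strings")
        if "Principal" in st or "NotPrincipal" in st:
            chosen = _exactly_one(st, "Principal", "NotPrincipal")
            p = st[chosen]
            if p != "*":
                if not isinstance(p, dict) or not p:
                    raise ValueError(f"statement {i}: {chosen} must be \"*\" or a map")
                bad = set(p) - PRINCIPAL_TYPES
                if bad:
                    raise ValueError(f"statement {i}: unknown principal type(s) {sorted(bad)}")
                p = {k: _as_list(v) for k, v in p.items()}
            out[chosen] = p
        if "Condition" in st:
            cond = st["Condition"]
            if not isinstance(cond, dict):
                raise ValueError(f"statement {i}: Condition must be a map")
            out["Condition"] = {}
            for operator, keys in cond.items():
                if not isinstance(keys, dict):
                    raise ValueError(f"statement {i}: operator {operator!r} must map keys to values")
                out["Condition"][operator] = {k: _as_list(v) for k, v in keys.items()}
        normalised.append(out)
    result = {k: policy[k] for k in ("Version", "Id") if k in policy}
    result["Statement"] = normalised
    return result


def is_valid_policy(policy):
    """Boolean convenience wrapper around validate_policy."""
    try:
        validate_policy(policy)
        return True
    except ValueError:
        return False


# Constructed example policy in the most compact form the grammar allows: a single
# statement without the enclosing array, and single values without brackets.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "DescribeEc2WithMfa",
    "Effect": "Allow",
    "Action": "ec2:Describe*",
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }
}
""")

if __name__ == "__main__":
    print(json.dumps(validate_policy(SAMPLE_POLICY), indent=2))
```

Feeding the normalised output to later tooling (an evaluator, a diff against a baseline) avoids having to handle the bracket-optional and single-statement spellings in every consumer.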
Policy structure
An IAM policy is a JSON document containing one or more statements. A statement has the following structure (a real policy also carries a "Version" element; use "2012-10-17", because under the older "2008-10-17" version policy variables such as ${aws:username} are treated as literal strings):
{
  "Statement": [
    {
      "Effect": "effect",
      "Action": "action",
      "Resource": "arn",
      "Condition": {
        "condition": {
          "key": "value"
        }
      }
    }
  ]
}
The elements that make up a statement:
- effect – Allow or Deny. By default an IAM user has no permissions: every request is implicitly denied. An explicit Allow overrides that implicit deny, but an explicit Deny in any policy that applies to the request overrides every Allow, which is what makes Deny statements suitable for guardrails.
- action – the specific API action for which you are granting or denying permissions; wildcards such as ec2:Describe* are allowed. For the full list of actions, see the Actions for Amazon EC2 documentation.
- resource – the resource, identified by its ARN, that the action is allowed or denied on; "*" means every resource.
- condition – optional; one or more tests (for example on the caller's source IP or whether MFA was used) that must all hold for the statement to apply. For detailed information, check the condition keys for Amazon EC2 documentation.
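The evaluation rules above (implicit deny by default, an explicit Allow overriding it, an explicit Deny overriding everything, and conditions that must all hold) are easiest to trust once you have watched them run. The following is an added example, not code from the original page or from AWS: a small evaluator for the identity-based policies of a single principal. It models only what this page describes: wildcard matching on actions (case-insensitive) and resources, the Not* forms, and the StringEquals, StringLike, Bool and BoolIfExists operators. It does not model resource-based policies, permissions boundaries, SCPs or session policies. The policy set, the function names and the request contexts are constructed for the example; aws:MultiFactorAuthPresent is a real IAM global condition key.

```python
import re


def _as_list(value):
    # A single value may stand in for a one-element array (see the policy grammar).
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    # IAM-style matching: '*' matches any run of characters, '?' exactly one character.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """All operator/key pairs must hold (AND); the values listed under one key are
    alternatives (OR). A key absent from the request makes the test false, except for
    the ...IfExists operators, which treat an absent key as a match."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                if if_exists:
                    continue
                return False
            wanted = [str(w) for w in _as_list(wanted)]
            if base == "StringEquals":
                ok = str(actual) in wanted
            elif base == "StringLike":
                ok = any(_wildcard_match(w, str(actual)) for w in wanted)
            elif base == "Bool":
                ok = str(actual).lower() in [w.lower() for w in wanted]
            else:
                raise NotImplementedError(f"operator {operator!r} is outside this example")
            if not ok:
                return False
    return True


def _statement_applies(st, action, resource, context):
    # Action names match case-insensitively, resource ARNs case-sensitively;
    # NotAction / NotResource invert the match.
    if "Action" in st:
        hit = any(_wildcard_match(a, action, True) for a in _as_list(st["Action"]))
    else:
        hit = not any(_wildcard_match(a, action, True) for a in _as_list(st["NotAction"]))
    if hit and "Resource" in st:
        hit = any(_wildcard_match(r, resource) for r in _as_list(st["Resource"]))
    elif hit:
        hit = not any(_wildcard_match(r, resource) for r in _as_list(st["NotResource"]))
    return hit and _condition_holds(st.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Decide one request against the identity-based policies of one principal.
    Returns "explicit deny", "allow" or "implicit deny": no matching statement means
    denied, a matching Allow means allowed, and one matching Deny beats any Allows."""
    context = context or {}
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not _statement_applies(st, action, resource, context):
                continue
            if st["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


def sample_policies(mfa_operator="Bool"):
    """Constructed policy set: read access to one bucket plus a guardrail that denies
    every S3 action when MFA is not present. The operator is a parameter so that the
    difference between Bool and BoolIfExists shows up when the key is missing."""
    return [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]}]


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-logs/2024/app.log"
    for ctx in ({"aws:MultiFactorAuthPresent": "true"}, {"aws:MultiFactorAuthPresent": "false"}, {}):
        print(ctx, evaluate(sample_policies(), "s3:GetObject", obj, ctx),
              evaluate(sample_policies("BoolIfExists"), "s3:GetObject", obj, ctx))
```

The third request context, with the MFA key absent from the request, is the case worth studying: with a plain Bool operator the Deny does not fire and the request is allowed, whereas BoolIfExists treats the missing key as a match and the guardrail holds. Check which behaviour you actually want before relying on a Deny that keys off a context key that is not always present.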
Amazon Resource Names (ARNs)
IAM policies refer to the resources they cover by Amazon Resource Name (ARN). An ARN takes one of three general forms:
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
- partition – aws for the standard regions, or aws-partitionname for an isolated partition (for example aws-cn or aws-us-gov)
- service – the service namespace that identifies the AWS product (for example ec2, s3 or iam)
- region – the region the resource resides in; left empty for global services such as IAM and for S3
- account-id – the ID of the AWS account that owns the resource; left empty for some services, such as S3
- resource, resourcetype:resource, or resourcetype/resource – the content of this part of the ARN varies by service. For Amazon EC2 it is resourceType/resourcePath, where resourceType is the type of resource (for example, instance) and resourcePath is a path that identifies the resource; you can use the * wildcard in your paths.
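As an added example (not code from the original page or from AWS), the following Python parser splits an ARN into the components listed above and handles the cases that trip up naive string handling: the region and account-id may be empty, and the resource part may itself contain colons or slashes, so only the first five colons are separators. It also shows wildcard matching of a policy Resource pattern against a concrete ARN. The sample ARNs, account number and function names are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str      # empty for global services (IAM) and for S3
    account: str     # empty for some services (S3); "aws" for AWS managed IAM policies
    resource: str    # "resource", "resourcetype/resource" or "resourcetype:resource"


def parse_arn(text):
    """Split an ARN into its components. Only the first five colons are separators:
    the resource part may itself contain colons (Lambda "function:name:version") or
    slashes (S3 object keys, IAM paths), so a plain split(":") would mangle it."""
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"partition, service and resource are required: {text!r}")
    # region and account are legitimately empty for some services; do not reject them.
    return Arn(partition, service, region, account, resource)


def split_resource(resource):
    """Split the resource part at its first '/' or ':' into (head, separator, tail).
    What the head means depends on the service: for EC2 or IAM it is the resource type
    (instance, user); for S3 it is the bucket name. A bare resource gives (resource, "", "")."""
    m = re.match(r"^([^/:]+)([/:])(.*)$", resource)
    return (m.group(1), m.group(2), m.group(3)) if m else (resource, "", "")


def arn_matches(pattern, arn_text):
    """Match a policy Resource pattern against a concrete ARN the way IAM does:
    '*' matches any run of characters and '?' one character, anywhere in the string."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn_text) is not None


# Constructed sample ARNs covering the three forms and the empty-component cases.
SAMPLE_ARNS = [
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcdef1234567890",  # resourcetype/resource
    "arn:aws:lambda:eu-west-1:123456789012:function:ingest:3",           # resourcetype:resource
    "arn:aws:sns:us-east-1:123456789012:alerts",                         # bare resource
    "arn:aws:iam::123456789012:user/dev/alice",                          # no region, path in resource
    "arn:aws:s3:::app-logs/2024/app.log",                                # no region, no account
]

if __name__ == "__main__":
    for text in SAMPLE_ARNS:
        arn = parse_arn(text)
        print(arn.service, repr(arn.region), repr(arn.account), split_resource(arn.resource))
    print(arn_matches("arn:aws:s3:::app-logs/*", SAMPLE_ARNS[-1]))
```

Note in the output that the pattern arn:aws:s3:::app-logs/* matches objects in the bucket but not the bucket ARN arn:aws:s3:::app-logs itself, which is why bucket-level actions such as s3:ListBucket need the bucket ARN listed separately in Resource.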
Useful tools
- Policy Generator – builds a policy document from the effect, service, actions, resources and conditions you select in a form, so you do not have to write the JSON by hand
- Policy Simulator – you must be signed in to the account; it lets you test all the policies attached to a user, group or role against a chosen action and resource and shows whether the request would be allowed or denied, so check a policy here before relying on it