Filters: Principal, Resource, and Action

An IAM policy is a JSON document with a strictly defined structure. It contains one or more statements that are the basic building blocks of access control. The policy itself is a container for these statements. An example policy JSON looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "<bucket>/text.txt"
        }
    ]
}

It does not matter if we have the statements in a single policy or multiple ones as long as they are attached to the entity. Because of this, he course will use the terms policy and statement interchangeably.

Each statement can contain an Effect, an Action, a Principal, a Resource, and a Condition. Depending on what entity the policy is attached to, a different set of parameters are allowed. For example, a policy attached to an IAM user does not support the Principal element because that is implied by the association.

The Effect is either Allow or Deny. This defines if this statement grants access or denies access. We’ll see how these work in the Step 3: Run the evaluation logic session of the Evaluation flow lesson.

All the other elements are filters which limit what requests the policy applies to.

Note: The policy format is in JSON and it does not support trailing commas. Not removing commas after the last element is a common source of errors.

{
   "Action": [
       "s3:PutObject",
       "s3:GetObject", // <= this is invalid
   ],
   // ...
}

Let’s test your knowledge of what you have studied in this lesson so far!