
AWS IAM Policy types: identity-based and resource-based

Explore how AWS IAM policies function by understanding identity-based and resource-based policy types. Learn how these policies attach to users, groups, roles, or resources, and how they determine permissions with realistic examples.

All IAM policies follow the structure detailed in the previous lessons, but how a policy behaves is determined by what it is attached to. We can attach policies to 5 entities, and they are named accordingly:

  • Identity-based policies: Attached to an IAM user, group, or role
  • Resource-based policies: Attached to AWS resources
  • Service-control policies: Attached to accounts
  • Session policies: Attached to assumed-role sessions
  • Permissions boundaries: Attached to identities as an upper limit on their permissions

Each policy type behaves differently when IAM determines access. Let’s see how they work.

Identity-based policies

One of the most important policy types, these are attached to IAM users, groups, and roles. An identity-based policy defines what the identity can or cannot do. Because the policy is attached to the principal itself, identity-based policies do not contain a Principal element.

For example, this policy allows read access to a specific S3 object in a bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket>/text.txt"
        }
    ]
}

These policies can also restrict what an identity can do. This is done with a statement whose Effect is Deny:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::<bucket>/*"
        }
    ]
}

The above policy forbids the user from reading any object in a specific S3 bucket. And as we’ll see in “Step 3: Run the evaluation logic” of the ...
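To make the Allow and Deny behaviour concrete, here is an added Python example (not part of the lesson) that evaluates identity-based policies the way IAM does: every request starts as an implicit deny, a matching Allow grants access, and a single matching Deny overrides every Allow. The policy contents and the bucket name my-bucket are constructed stand-ins for the lesson's examples, and Condition, NotAction and NotResource are deliberately left out.

```python
"""Simulate how IAM evaluates identity-based policies: default deny,
explicit Deny overrides any Allow, and Action/Resource accept * and ? wildcards."""
import re

# Constructed sample policies; "my-bucket" stands in for the lesson's <bucket>.
ALLOW_READ_ONE_OBJECT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::my-bucket/text.txt"}],
}
DENY_READ_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::my-bucket/*"}],
}

def _as_list(value):
    # IAM lets Action and Resource be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, case_sensitive):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None

def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    action_ok = any(_matches(p, action, False) for p in _as_list(stmt.get("Action", [])))
    resource_ok = any(_matches(p, resource, True) for p in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok

def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.
    Simplification: NotAction, NotResource and Condition are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a single matching Deny ends the evaluation
            allowed = True
    return "allow" if allowed else "implicit_deny"

if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/text.txt"
    print(evaluate([ALLOW_READ_ONE_OBJECT], "s3:GetObject", obj))                    # allow
    print(evaluate([ALLOW_READ_ONE_OBJECT, DENY_READ_BUCKET], "s3:GetObject", obj))  # explicit_deny
    print(evaluate([ALLOW_READ_ONE_OBJECT], "s3:PutObject", obj))                    # implicit_deny
```

Attaching both lesson policies to the same user yields explicit_deny for text.txt even though the Allow names that exact object, which is the precedence rule the next step of the lesson relies on.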