Filters: Principal, Resource, and Action
Explore the role of Principal, Resource, and Action filters within AWS IAM policies. Understand how these elements work as match conditions to determine access permissions, and learn to write precise JSON policies to control access in AWS environments.
An IAM policy is a JSON document with a strictly defined structure. It contains one or more statements that are the basic building blocks of access control. The policy itself is a container for these statements. An example policy JSON looks like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": "arn:aws:s3:::<bucket>/text.txt"
        }
      ]
    }
It does not matter whether the statements live in a single policy or are spread across several, as long as they are attached to the entity. Because of this, the course will use the terms policy and statement interchangeably.
Each statement can contain an Effect, an Action, a Principal, a Resource, and a Condition. Depending on what entity the policy is attached to, a different set of elements is allowed. For example, a policy attached to an IAM user does not support the Principal element, because the principal is implied by the attachment.
The Effect is either Allow or Deny. It defines whether the statement grants access or denies it. We'll see how these work in the Step 3: Run the evaluation logic section of the Evaluation flow lesson.
All the other elements are filters which limit what requests the policy applies to.
Note: The policy format is JSON, and JSON does not support trailing commas. A comma left after the last element of a list or object is a common source of errors.
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject", // <= this is invalid
      ],
      // ...
    }
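To make the two points above concrete (the statement elements as filters, and the trailing-comma failure), here is an added Python example that is not part of the lesson: it parses a policy, reports the JSON error a trailing comma produces, runs structural checks that reflect which elements belong in an identity-based versus a resource-based policy, and tests whether a statement's Action and Resource filters match a given request. The policy strings, bucket name and function names are constructed for this example; the matcher only handles Action and Resource (not NotAction, NotResource or Condition).

```python
import json
import re

# Constructed sample: a well-formed identity-based policy (not from the lesson).
VALID_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:List*"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}"""

# Constructed sample: the trailing-comma mistake after "s3:GetObject".
TRAILING_COMMA_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject",],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}"""


def parse_policy(text):
    """Return (document, None), or (None, error) when the JSON is malformed."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"


def as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(text, identity_policy=True):
    """Structural checks. identity_policy=True means attached to a user, group or role;
    False means a resource-based policy (bucket policy, role trust policy, ...)."""
    doc, err = parse_policy(text)
    if err:
        return [err]
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17 (older or missing Version disables policy variables)")
    for i, stmt in enumerate(as_list(doc.get("Statement"))):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            problems.append(f"statement {i}: missing Action or NotAction")
        if identity_policy and "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"statement {i}: missing Resource or NotResource")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if identity_policy and has_principal:
            problems.append(f"statement {i}: Principal is implied by the attached entity and not allowed here")
        if not identity_policy and not has_principal:
            problems.append(f"statement {i}: a resource-based policy statement needs a Principal")
    return problems


def iam_pattern(pattern):
    """IAM wildcards: * matches any run of characters, ? matches exactly one; nothing else is special."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")


def statement_matches(stmt, action, resource):
    """Do this statement's Action and Resource filters apply to the request?
    Action names are matched case-insensitively; resource ARNs are case-sensitive."""
    action_ok = any(iam_pattern(p.lower()).match(action.lower()) for p in as_list(stmt.get("Action")))
    resource_ok = any(iam_pattern(p).match(resource) for p in as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def applicable_effects(text, action, resource):
    """Effects of every statement whose filters match the request, in policy order."""
    doc, err = parse_policy(text)
    if err:
        raise ValueError(err)
    return [s["Effect"] for s in as_list(doc.get("Statement")) if statement_matches(s, action, resource)]


if __name__ == "__main__":
    print(lint_policy(VALID_POLICY))
    print(lint_policy(TRAILING_COMMA_POLICY))
    print(applicable_effects(VALID_POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/text.txt"))
```

Note that the object-level pattern `arn:aws:s3:::example-bucket/*` does not match the bucket ARN `arn:aws:s3:::example-bucket` itself, which is why a statement granting `s3:List*` on that pattern still does not apply to a ListBucket request against the bucket.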