Creating an AWS IAM Policy: AWS Security

However you choose to do it: your AWS IAM policy must be a good fit for your application’s actual access needs. We’ll discuss three ways to get it done.

Welcome to part six of our AWS Security Series. Last week I introduced Identity & Access Manager (IAM) and how you can control access to resources by using the predefined user, group, and role policy templates created and designed by AWS. This week, I want to show you how you can create your own custom IAM policy in the form of a JSON script and test it using the AWS Policy Simulator.

This article will cover the main elements, syntax, and structure of an IAM policy, and different ways to create your own IAM policy. Using a predefined IAM policy is more likely than not a perfect match for the permissions you actually need. However, now and again, you may want to tweak a small part of it to more exactly fit your requirements. Remember, when it comes to security, the more precisely you can define your controls, the better. You should avoid being lazy and deploying implementations that are “close enough” rather than hand crafting the perfect fit.

An IAM Policy is a JSON script made up of statements following a set syntax for allowing or denying permissions to an object within your AWS environment.

IAM Policy Syntax

Each policy has to have at least one statement whose structure might look like this:
IAM AWS policy statement
The ‘Effect’ element can be set to either ‘Allow’ or ‘Deny’. These are explicit. By default, access to your resources is denied and so therefore if this is set to ‘Allow’ it replaces the default ‘Deny’. Similarly, if this were set to ‘Deny’ it would override any previous ‘Allow’. The ‘Action’ Element corresponds to API calls to AWS Services that authenticate through IAM. For example, this example represents API calls to delete a bucket (the action) within S3 (the service):

“Action”:”s3:DeleteBucket”

You are able to list multiple actions, if required, by using a comma to separate them:

“Action”:”s3:DeleteBucket”,”s3:CreateBucket”

Wildcards (*) are also allowed. So, for example, you could create an action to carry out all APIs relating to S3, such as:

“Action”:”s3:*”

The ‘Resource’ element specifies the actual resource you wish the permission to be applied to. AWS uses unique identifiers known as ARNs (Amazon Resource Name) to specify resources. Typically ARNs follow a syntax of:

arn:partition:service:region:account-id:resource
  • ‘Partition’ – This relates to the partition that the resource is found in. For standard AWS regions, this section would be ‘aws’.
  • ‘Service’ – This reflects the specific AWS service, for example ‘s3’ or ‘ec2’.
  • ‘Region’ – This is the region where the resource is located. Some services do not need a region specified, so this can sometimes be left blank.
  • ‘Account-ID’ – This is your AWS Account ID (without hyphens). Again, some services do not need this information, and so can be left blank.
  • ‘Resource’ – The value of this field will depend on the AWS service you are using. For example, if I were using the Action: “Action”:”s3:DeleteBucket”, then I could use the bucket name that I wanted the permission to delete:  arn:aws:s3:::cloudacademyblog.

The ‘Condition’ element of the IAM Policy is an optional element that allows you to specify when the permissions will be activated based upon set conditions. Conditions use key value pairs, and all conditions must be met for the permissions to be activated. Here’s a full listing of these conditions.
Now we have a basic understanding of how JSON scripts are put together and their general flow, let’s see how we can modify existing policies to tweak them to your needs.

Copying an existing AWS IAM Policy

There will be times when you may not need to create a policy completely from scratch. You may be able to get away with adapting one that already exists. This can potentially save you a lot of time and effort. Open up your AWS console and select ‘IAM > Policies > Create Policy’. You will be presented with these three options:
create AWS IAM policy
For this example, select “Copy an AWS Managed Policy”.

You will then be shown a list all existing AWS managed policies, and there are a LOT! You can narrow your search by using the search function at the top of the page. For this example, I am going to search for S3 policies.
copy an AWS managed policy
I will select the “AmazonS3FullAccess” IAM policy with the goal of modifying it to only allow full access to a specific bucket (cloudacademyblog).
Once selected, it displays the following JSON policy:
AWS IAM policy: allow

After reviewing this policy, I am happy with the ‘Effect’ and ‘Action’ elements, however I want to modify the ‘Resource’ section, which is currently set to “all” with the * wildcard. I will add the ARN for a specific bucket called ‘cloudacademyblog’. To do this, all I need to do is edit the policy and change the ‘Resource’ line to:

"Resource": "arn:aws:s3:::cloudacademyblog"

Once edited, I can give the policy a meaningful name and click Save. This policy will now appear in your list of the policies you can assign to your groups and users. Once assigned, it’s always a good idea to test your policy via the simulator by clicking on Simulate Policy.
AWS IAM policy: simulator permissions

This will load the policy simulator for the policy I just created:
AWS IAM policy: simulator
This shows the policy’s JSON script on the left and, on the right hand side, I can select specific Services and Actions. The image below shows that I have selected ‘S3’ as the Service and ‘Create Bucket’ and ‘Delete Bucket’ as the Actions. I have also added the ARN for the cloudacademyblog bucket in the ‘Resource Type’ field.
AWS IAM policy: Settings
Once all the information you want to test is there, click ‘Run Simulation
AWS IAM policy allowed settings
The simulator results show that this IAM policy allows those actions to be carried out on the cloudacademyblog bucket. To confirm these actions are not possible on other buckets, I ran the following simulation with the ‘Resource’ set to all (checking all buckets) with the * wildcard:
AWS IAM policy - status denied
As you can see, this was denied by the policy as the policy only states that we have full access to the arn:aws:s3:::cloudacademyblog bucket.

Using the IAM Policy Generator

If you do not yet feel confident enough to edit existing policies, then AWS provides the IAM Policy Generator. From with the AWS Console select ‘IAM > Policies > Create Policy’ and this time select ‘Policy Generator’.

From here, via drop down boxes, you can select the Effect, Service, Action, and Resource. Additionally, if required, you can also set up conditions. Once all your options are set, click the ‘Add Statement’ button.

The image below shows that I have simply replicated the IAM policy I created in the last section, but this time via the Policy Generator:
AWS IAM policy - Generator
When you are happy with your new IAM policy, select ‘Next Step’. From there, you can give your new IAM policy a name and description, and view it as a JSON script. Click ‘Create Policy’ and then attach it to any groups or users as needed.

Writing your own IAM policy

If you’re ready to write your own IAM policy from scratch, there’s nothing stopping you. From the AWS Console, select ‘IAM > Policies > Create Policy’, and this time select ‘Create your own policy’.
AWS IAM Review policy
Here you are presented with a blank canvas allowing you to give your policy a name and description…but most importantly, a blank policy document where you can write your JSON document adhering to the policy syntax rules discussed at the beginning of this article.

Once you are happy with your policy, use the ‘Validate Policy’ button at the bottom to determine if there are any errors with your policy. Again, when you are finished click ‘Create Policy’.

As you can see there are a number of methods available to help you refine your IAM policies, and you aren’t forced to use predefined policies. Once you get used to the syntax – and benefits – of writing your own policies, you will be able to effectively and efficiently lock down access to your resources to ensure they are only accessed by authorized API calls.

There are many,  many specific commands that can be controlled through an IAM policy, but they’re a bit beyond the scope of this post. AWS provides great API listings for the different services through their extensive documentation for advanced policy writers.

What are the key elements we have we learned this week?

  • It is always best to refine your IAM Policy down to an API call level for the tightest level of security.
  • Policies can be created in a number of ways via IAM: from writing your own JSON script to assisted creation via drop-down menus.
  • Testing your policies via the Simulator is a very important part of ensuring they only allow or deny exactly what they were designed for.

In my next AWS Security article, I will be taking a look at Federated access with IAM, Trusted Advisor, AWS Billing restrictions and AWS Linked accounts. Until then I hope you all have a Happy New year!
Thank you for taking the time to read my article. If you have any feedback please leave a comment below.

Avatar

Written by

Stuart Scott

Stuart is the AWS content lead at Cloud Academy where he has created over 40 courses reaching tens of thousands of students. His content focuses heavily on cloud security and compliance, specifically on how to implement and configure AWS services to protect, monitor and secure customer data and their AWS environment.


Related Posts

Joe Nemer
Joe Nemer
— April 2, 2020

Breaking News: All AWS Certification Exams Now Available Online

Remote proctoring for all AWS certifications Cloud Academy is an Advanced AWS Technology Partner, and we were are happy to announce all AWS certification exams are available online!  What does this mean for you? You can stay focused on your certification goal. Or you can start a cert...

Read more
  • AWS
  • AWS certification
  • AWS Certifications
Connie Benton
Connie Benton
— April 1, 2020

How To Build a Career with AWS Certifications

From Iaas and PaaS solutions to digital marketing, cloud computing reshapes the world of technology. As the influence of this technology grows, so does investment. Tens of billions of dollars are being spent on cloud computing-related services each year. This influx is continuing to inc...

Read more
  • AWS
  • Certifications
Vijayakumar Athithan
Vijayakumar Athithan
— March 27, 2020

What is Cognito in AWS?

Web applications usually allow a valid username and password combination for successful sign in to the application. Modern authentication flows incorporate more approaches to ensure user authentication. When using AWS, this is no exception, thanks to the abilities and features offered b...

Read more
  • AWS
  • AWS Cognito
  • Solutions Architect
Avatar
Andrew Larkin
— March 20, 2020

The 12 AWS Certifications: Which is Right for You and Your Team?

As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing. As the market leader and most ma...

Read more
  • AWS
  • AWS Certifications
Alisha Reyes
Alisha Reyes
— March 17, 2020

Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more

With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • programming
  • Security
Avatar
Cloud Academy Team
— March 13, 2020

Which Certifications Should I Get?

As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— March 7, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Alisha Reyes
Alisha Reyes
— March 6, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Patrick Navarro
Patrick Navarro
— March 4, 2020

AWS Certifications: How Do They Increase Your Employability and Progress Your Career?

AWS certifications are no walk in the park. They’re designed to validate in-depth, specialist knowledge and comprehensive experience, often requiring months of dedicated studying to earn even for those already working with the cloud platform. But the rewards that AWS professionals ca...

Read more
  • AWS
  • AWS certification
  • certification
Avatar
Chandan Patra
— February 21, 2020

Elasticsearch vs. CloudSearch: AWS Cloud Search Choices

Elasticsearch vs. CloudSearch: What's the main difference? Let's compare AWS-based cloud tools: Elasticsearch vs. CloudSearch. While both services use proven technologies, Elasticsearch is more popular, open source, and has a flexible API to use for customization; in comparison, CloudS...

Read more
  • AWS
  • Azure
  • cloudsearch
  • elasticsearch
Avatar
Andrew Larkin
— February 13, 2020

Cloud Academy Content Roadmap Updates

Welcome to our Q1 2020 roadmap. This is the content we plan to build over the next three months, between February 1 - and April 30, 2020. Let's look at some of our roadmap highlights. Atlassian Bamboo for CI/CD We had a lot of requests for practical guides on how to apply DevOps tool...

Read more
  • Artificial Intelligence
  • AWS
  • Azure
  • Docker
  • Google Cloud Platform
  • Kubernetes
  • Machine Learning
Alisha Reyes
Alisha Reyes
— February 7, 2020

New on Cloud Academy: Git Labs, CKA and CKAD Lab Challenges, AWS and Azure Learning Paths, AGILE, and Much More

We just kicked off our first Free Weekend of 2020. This means we've unlocked our Training Library for just 72 hours. Until Sunday at 11:59 pm (PST), you can get unlimited access to our industry-leading learning paths, courses, certification prep exams, and our most popular hands-on labs...

Read more
  • agile
  • AWS
  • Azure
  • Google Cloud Platform
  • Linux
  • OWASP
  • programming
  • red hat
  • scrum