AWS Policies - Policy Document and Policy Generator

A policy is a document (written in the Access Policy Language, expressed as JSON) that acts as a container for one or more permission statements that control access to AWS products and resources.

A statement is the formal description of a single permission. Within a statement you specify elements such as Effect (Allow or Deny), Principal, Action (qualified by the AWS service, e.g. s3:CreateBucket), Resource (an Amazon Resource Name, ARN) and optionally Condition (e.g. ArnEquals, NotIpAddress).

 

AWS Policy Generator

The AWS Policy Generator is a tool that enables you to create policies.

The different types of policies you can create are an IAM Policy, an S3 Bucket Policy, an SNS Topic Policy, a VPC Endpoint Policy, and an SQS Queue Policy.

You can add statements to policies easily from within the policy generator.

You can access the policy generator at http://awspolicygen.s3.amazonaws.com/policygen.html.

 

Important Terminology

Principal

The Principal is the entity (IAM user, role, account or service) that receives the permission in the statement. In resource-based policies (e.g. an S3 bucket policy), use the Principal element to specify the users or accounts that are allowed to access the resource, e.g. arn:aws:iam::123456789012:user/heartin or the account 123456789012.

You do not specify the Principal element in policies that you attach to IAM users and groups, or in the permissions policy of an IAM role. Here the principal is implicit: the user the policy is attached to (for IAM users) or the user who assumes the role (for role permissions policies).

When the policy is attached to an IAM group, the principal is the IAM user in that group who is making the request.  

In IAM roles, use the Principal element in the role's trust policy to specify who can assume the role.

For cross-account access, you typically specify the ID of the trusted account. The console accepts only a 12-digit account ID when you create a cross-account role, but you can change it to "*" in the policy editor after the role is created. Be careful with that edit: an Allow statement whose Principal is "*" and that carries no Condition lets any AWS account assume the role, so keep a specific account ID, or add a Condition (for example on sts:ExternalId) if you must widen it.
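The following Python is an added example, not code from the original page, that ties the sections above together: it builds the three policy shapes discussed (an identity-based policy with no Principal, an S3 bucket policy with a Principal, and a role trust policy for cross-account access) and then lints them for the mistakes described, including the "*" Principal with no Condition. The account ID 123456789012, the user name heartin, the bucket name example-bucket and the lint rules are assumptions chosen for illustration.

```python
"""Build and sanity-check AWS policy documents.

Added example, not part of the original page. The account ID, user name,
bucket name and the lint rules are assumptions chosen for illustration.
"""
import json

ACCOUNT = "123456789012"          # assumed example account ID
VALID_EFFECTS = {"Allow", "Deny"}


def identity_policy(actions, resources):
    """Identity-based policy for a user, group or role: no Principal element,
    because the principal is whoever the policy is attached to."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(resources),
        }],
    }


def bucket_policy(bucket, principal_arn):
    """Resource-based S3 bucket policy: Principal names who gets the permission."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def trust_policy(trusted_account, external_id=None):
    """Role trust policy: Principal is the account allowed to call sts:AssumeRole.
    The optional sts:ExternalId condition is the usual cross-account guard."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. every AWS principal."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint(policy, resource_based):
    """Sanity-check a policy document; returns a list of findings (empty = clean).
    resource_based=True for bucket/topic/queue/trust policies, False for
    policies attached to IAM users, groups or roles."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in VALID_EFFECTS:
            findings.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{where}: missing Action")
        if not resource_based and "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{where}: identity-based policy needs a Resource")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if resource_based and not has_principal:
            findings.append(f"{where}: resource-based policy needs a Principal")
        if not resource_based and has_principal:
            findings.append(f"{where}: identity-based policy must not name a Principal")
        if (stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal"))
                and "Condition" not in stmt):
            findings.append(f"{where}: Principal '*' with no Condition allows any AWS account")
    return findings


if __name__ == "__main__":
    heartin = f"arn:aws:iam::{ACCOUNT}:user/heartin"   # assumed user ARN
    for name, pol, rb in [
        ("identity", identity_policy(["s3:ListBucket"], ["arn:aws:s3:::example-bucket"]), False),
        ("bucket", bucket_policy("example-bucket", heartin), True),
        ("trust", trust_policy(ACCOUNT, external_id="example-id"), True),
    ]:
        print(name, json.dumps(pol, indent=2), "findings:", lint(pol, rb))
    # The risky edit from the text: widening the trusted account to "*".
    open_trust = trust_policy(ACCOUNT)
    open_trust["Statement"][0]["Principal"] = {"AWS": "*"}
    print("open trust findings:", lint(open_trust, True))
```

The lint is deliberately structural: it checks the shape a policy must have for the place it is attached, and flags only the one risky pattern the text describes. It is not a substitute for IAM's own validation or for a policy simulator, but it is a cheap check to run in a pipeline before any policy reaches an account.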
