Policies - Kahuna915/Capstone-Cloud-Integration GitHub Wiki

What are Policies and Permissions in IAM?

To manage access in AWS you create policies and attach them to IAM identities (users, groups of users, or roles) or to AWS resources.

  • "A policy is an object in AWS that, when associated with an identity or resources, defines their permissions"
  • Permissions can determine if a request is allowed or denied AWS supports six types of policies

Identity-based policies

  • Grant permissions to an identity
  • Managed policies – Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. There are two types of managed policies:
    • AWS managed policies – Managed policies that are created and managed by AWS.
    • Customer managed policies – Managed policies that you create and manage in your AWS account. Customer managed policies provide more precise control over your policies than AWS managed policies.
  • Inline policies – Policies that you add directly to a single user, group, or role. Inline policies maintain a strict one-to-one relationship between a policy and an identity. They are deleted when you delete the identity.

Resource-based policies

  • IAM role trust policies and S3 Bucket Policies
  • Grant permissions to the principal that is specified in the policy. Principals can be in the same account as the resource or in other accounts.

Permissions boundaries

  • Restrict the permissions of an IAM user or role, essentially creating a boundary around the identity. A boundary sets the maximum permissions the identity can have; it does not grant permissions by itself.

Organization Service Control Policies

  • Define the maximum permissions for account members. SCPs limit the permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.

Access Control Lists

  • ACLs are used to control which principals in another account can access a resource.
  • ACLs are cross-account permissions policies that grant permissions to the specified principal.

Session Policies

  • Session policies limit the permissions that the role or user's identity-based policies grant to the sessions.
  • Session policies limit permissions for a created session, but do not grant permissions.

Service control policies

Service control policies are policies that specify the maximum permissions for the organization or an OU.
An SCP defines a guardrail: it sets limits on the actions that the account administrator can delegate.

Example Policy

For instances and volumes tagged with the student's username, this policy allows students to start, stop, and reboot instances and to attach and detach volumes. The condition compares the resource's Student tag with the policy variable ${aws:username}, so each student can only act on resources tagged with their own name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Student": "${aws:username}"
        }
      },
      "Resource": [
        "arn:aws:ec2::account:instance/*",
        "arn:aws:ec2::account:volume/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

EC2 does not support specifying a Region in these ARNs, so the Region field is left empty, which is why the example shows a double colon (::) between the service and the account ID.
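The following Python script is an added example, not code from the wiki or from the Capstone-Cloud-Integration project. It models the small subset of IAM evaluation that this page discusses, so the behaviour of the example policy and of a permissions boundary can be checked offline: an explicit Allow statement, the StringEquals condition operator, substitution of the ${aws:username} policy variable, and the rule (from the boundary, SCP and session-policy sections above) that a limiting policy can only narrow what an identity-based policy grants. The account ID, the instance and volume IDs, the request contexts and the boundary policy are all constructed placeholders; this is not the real IAM evaluation engine, which handles many more operators and policy types.

```python
"""Toy evaluator for the wiki's tag-scoped EC2 policy (added example, not AWS code)."""
import fnmatch

# Constructed placeholder account ID. The Region field is deliberately empty ("::"),
# matching the ARN form used on the wiki page.
ACCOUNT_ID = "123456789012"

# The wiki's example identity-based policy, with the placeholder account filled in.
STUDENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
                   "ec2:AttachVolume", "ec2:DetachVolume"],
        "Resource": [f"arn:aws:ec2::{ACCOUNT_ID}:instance/*",
                     f"arn:aws:ec2::{ACCOUNT_ID}:volume/*"],
        "Condition": {"StringEquals": {"ec2:ResourceTag/Student": "${aws:username}"}},
    }],
}

# Constructed permissions boundary: only instance actions may ever be effective.
# It grants nothing on its own; it caps what STUDENT_POLICY can grant.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*Instances", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _expand(value, ctx):
    """Substitute ${key} policy variables (e.g. ${aws:username}) from the request context."""
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def _condition_ok(condition, ctx):
    """Only StringEquals is modelled. Every listed key must be present and equal."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # an absent tag never satisfies StringEquals
            if not any(actual == _expand(e, ctx) for e in _as_list(expected)):
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    """Action, Resource (with * wildcards) and Condition must all match."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, _expand(r, ctx)) for r in resources)
            and _condition_ok(stmt.get("Condition", {}), ctx))


def evaluate_policy(policy, action, resource, ctx):
    """'Deny' on any explicit Deny, 'Allow' on a matching Allow, None for implicit deny."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(action, resource, ctx, identity_policy=STUDENT_POLICY, boundary=None):
    """The identity policy must Allow; a boundary, if set, must also Allow (it never grants)."""
    if evaluate_policy(identity_policy, action, resource, ctx) != "Allow":
        return False
    if boundary is not None:
        return evaluate_policy(boundary, action, resource, ctx) == "Allow"
    return True


if __name__ == "__main__":
    # Constructed request contexts: the caller's username plus the resource's Student tag.
    alice_own = {"aws:username": "alice", "ec2:ResourceTag/Student": "alice"}
    alice_on_bob = {"aws:username": "alice", "ec2:ResourceTag/Student": "bob"}
    instance = f"arn:aws:ec2::{ACCOUNT_ID}:instance/i-0123456789abcdef0"
    volume = f"arn:aws:ec2::{ACCOUNT_ID}:volume/vol-0123456789abcdef0"
    print("alice stops her own instance:", is_allowed("ec2:StopInstances", instance, alice_own))
    print("alice stops bob's instance:  ", is_allowed("ec2:StopInstances", instance, alice_on_bob))
    print("attach volume, no boundary:  ", is_allowed("ec2:AttachVolume", volume, alice_own))
    print("attach volume, with boundary:", is_allowed("ec2:AttachVolume", volume, alice_own, boundary=BOUNDARY))
```

Run it directly to see the four cases: the tag condition lets alice act only on resources tagged Student=alice, an untagged resource fails the condition outright, and adding the boundary removes the volume actions even though the identity policy still lists them, which is exactly the "limits but does not grant" behaviour described for boundaries, SCPs and session policies.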