An IAM Policy is an object that defines the permissions attached to an identity or resource. The following policy types supported AWS IAM:
- Identity-Based Policy
- Resource-Based Policy
- Session Policy
- Permission Boundary
- Service Control Policy (SCP)
- Access Control Lists (Legacy Policy Type)
Defines what actions an IAM Identity (user, group, or role) are allowed to take against specific resources.
Example: Granting permissions to an IAM user access to perform certain actions
such as ec2:DescribeInstances, s3:ListBuckets, s3:PutObject,
cloudformation:CreateStack, etc.
Resource-based policies are policies that are associated or attached to a specific resource. They are used to define who (principals) has access to a resource regardless of whether the resource exists in the same account or another AWS account.
Some popular resource-based policies are S3 bucket policies and IAM role trust policies (aka Trust Relationships).
Permission boundaries create a logical boundary around the permissions that can be defined for an IAM Entity (User or Role) to explicitly allow a maximum set of permissions. Permission boundaries are a great way to implement the principle of the least privilege to ensure that an IAM Entity never has more privileges than are necessary to perform their job function. Permission boundaries don't grant permissions, so you still need to use identity or resource policies to grant access.
See my permission boundaries Medium post for more info.
AWS Organizations not only allows you to divide your organization into logical business units and manage AWS billing across many AWS accounts, it also enables you to set permissions across your AWS accounts using service control policies (SCPs). SCPs act as guardrails for your AWS accounts and thus have a similar role to a permission boundary or session policy in that they only set permissions limits but don’t explicitly grant permissions - permissions are still granted via identity-based or resourced-based policies.
Session policies are the most sophisticated type of IAM policy and serve an equivalent purpose as a permission boundary — they limit the permissions attached to temporary credentials that have been created using the AssumeRole* or GetFederationToken APIs. A sessions permissions is the result of the intersection between an identity-based policy (for the IAM entity that created the session), a resource-based policy (if one is defined), and the session policy.
Access control lists (ACLs) are similar to resource-based policies in that they allow cross-account access to a resource they are attached to, however, ACLs can only be used for defining cross-account access, not access within the same account. ACLs are also the only type of policy that don’t evaluate access based on a JSON policy document. ACLs are a legacy policy type and AWS recommends modernizing security strategy by disabling ACLs and using identity-based or resource-based policies.
- IAM JSON Policy Elements: Version
- IAM JSON Policy Elements: Id
- IAM JSON Policy Elements: Statement
- IAM JSON Policy Elements: Sid
- IAM JSON Policy Elements: Effect
- IAM JSON Policy Elements: Principal
- IAM JSON Policy Elements: NotPrincipal
- IAM JSON Policy Elements: Action
- IAM JSON Policy Elements: NotAction
- IAM JSON Policy Elements: Resource
- IAM JSON Policy Elements: NotResource
- IAM JSON Policy Elements: Condition
- Variables and Tags
- Supported Data Types