In-Depth Look at AWS IAM Policies and Permissions
This article provides a hands-on exploration of AWS IAM policies, their structure, and how permissions are managed and applied to users, groups, and resources.
IAM Policies and Permissions Overview
AWS IAM policies are critical for defining what actions users, groups, or roles can perform on AWS resources. They can be attached in various ways:
- Group Policies: Apply to all members of a group.
- Inline Policies: Attach directly to a user.
- Managed Policies: Reusable policies that can be attached to multiple users, groups, or roles.
Key Concepts from the Hands-On
1. Inheritance of Permissions
- Users inherit permissions from their group memberships.
- Example: The user Stephane belongs to the admin group, inheriting the AdministratorAccess policy.
- If a user is removed from a group, they lose the group’s permissions immediately.
- Example: Removing Stephane from the admin group resulted in a lack of permissions to view users (iam:ListUsers).
2. Attaching Policies Directly
When users need specific permissions without relying on a group:
- Attach a managed policy directly to the user.
- Example: Attaching IAMReadOnlyAccess to Stephane allowed viewing IAM resources but restricted actions like creating groups.
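The two hands-on scenarios above (group inheritance, then a directly attached managed policy) can be replayed with a small, simplified model of IAM's identity-based evaluation. This is an added example, not the article's or AWS's own code: the policy documents are constructed stand-ins for AdministratorAccess and IAMReadOnlyAccess, Resource and Condition elements are ignored, and the evaluator also shows the explicit-Deny-wins rule, which the article does not cover.

```python
import fnmatch

# Constructed stand-ins for the managed policies named in the article
# (the real AWS documents are larger; only Effect and Action are modelled here).
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
IAM_READ_ONLY_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}],
}
# Constructed group -> policies mapping, mirroring the "admin" group in the article.
GROUP_POLICIES = {"admin": [ADMINISTRATOR_ACCESS]}


def _matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(action, user_groups, user_policies):
    """Simplified identity-based evaluation for one action.

    All group policies and directly attached policies are pooled (inheritance),
    an explicit Deny in any statement wins, otherwise any matching Allow grants,
    and with no match the request is implicitly denied.
    """
    policies = list(user_policies)
    for group in user_groups:
        policies.extend(GROUP_POLICIES.get(group, []))
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not any(_matches(p, action) for p in actions):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny overrides every allow
            allowed = True
    return allowed


def stephane_walkthrough():
    """Replays the article's scenario and returns each decision by label."""
    return {
        "in_admin_group:ListUsers": is_allowed("iam:ListUsers", ["admin"], []),
        "removed_from_group:ListUsers": is_allowed("iam:ListUsers", [], []),
        "readonly_attached:ListUsers": is_allowed("iam:ListUsers", [], [IAM_READ_ONLY_ACCESS]),
        "readonly_attached:CreateGroup": is_allowed("iam:CreateGroup", [], [IAM_READ_ONLY_ACCESS]),
    }
```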
3. Policy Structure Breakdown
Policies are defined in JSON and consist of the following elements: