Add an AWS IAM Policy

Last updated August 28, 2023 19:41

Add an AWS IAM Policy

An IAM policy is a way to allow or deny users to perform certain actions in an AWS account. When a user or a role is created, by default they only have permission to login. They cannot view, modify, or create any new resources. IAM policies are used to grant additional permissions.

To create a new AWS IAM Policy:

Navigate to Cloud Management > AWS IAM Policies.
Click Add New.
In the AWS IAM Policy Name field, enter a name to identify the AWS IAM Policy throughout the application. This field must be unique among AWS IAM Policies.
(Optional) Enter a description.
In the AWS IAM Policy field, enter or paste a valid AWS IAM Policy.
Select at least one user or user group that will have permission to edit this cloud rule.
Select whether the policy will be public or restricted.

Public policies. All users with permission to manage cloud access roles can select public policies when creating cloud access roles.
Restricted policies. Only those users selected in the policy can select restricted policies when creating cloud access roles. When you set a policy as restricted, you must select at least one user or user group to have permission to use the policy.

Click Create IAM Policy. Once the policy is saved, it will be validated with AWS.

Sample IAM Policies

Example policy that restricts access to S3 and EC2 services

                {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ReadOnly",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEC2ReadOnly",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        }
    ]
}

This policy only provides the user with read access to S3 and EC2 services. You can get more granular by specifying a Resource or Condition tag.

Example blacklist policy

You can create an IAM policy that blacklists all services except for those on an approved list. Even if a policy with full administrator access is attached to the same role or user as this policy, this policy will only allow the EC2, RDS, and S3 services to be used.

                {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BlacklistAllButThreeServices",
            "Effect": "Deny",
            "NotAction": [
                "ec2:*",
                "rds:*",
                "s3:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

An important note for the above policy is that you're still not granting access to these resources. You still need to attach another policy that does allow access.

For more policy examples, see Amazon's article Writing IAM Policies.

ZD-main.4.log-399603933.zip
(20 KB)