What is an IAM Policy?
An IAM policy is a way to allow or deny users to perform certain actions in an AWS account. When a user or a role is created, by default they only have permission to login. They cannot view, modify, or create any new resources. IAM policies are used to grant additional permissions. IAM policies can be defined at very granular levels, so it's important that you understand how to use them safely.
Kion helps you apply IAM policies across your organization and acts as a central repository for all of your IAM policies. Create a policy once and apply it to all the necessary cloud access roles. When you need to make a change, just update the policy in a single place and Kion will modify that policy in all of your accounts via cloud access roles.
Different types of policies in AWS often overlap. AWS IAM policies, AWS SCPs, and permissions boundaries all control an entity's (i.e. a user, user group, or role) permissions. To learn more about this, see the What is a Permissions Boundary? article.
Should I use a service control policy or an IAM policy?
While SCPs accomplish a similar goal to IAM policies, they differ in a few key ways, which can help you determine which is right for your situation:
- IAM policies allow you more control to grant granular permissions to individual users.
- SCPs allow you to apply enforcements at a higher level that apply to all users.
If you have an IAM policy that you would like to extend to your entire account, you can easily clone it and convert it into a service control policy. For more information, see Add an AWS Service Control Policy.