All you need to know about writing Least Privilege IAM Policies

aysharshad

Ayesha Arshad

Posted on April 22, 2022

All you need to know about writing Least Privilege IAM Policies

The system of AWS IAM Policies provides a granular structure of permission sets. The reason behind this system is Least Privilege Model.  The least privileged principle allows IAM identities to have the least required access level to complete their tasks. And this is an important unit of Well Architectured best practices.

In AWS all operations are Implicitly denied until Explicitly Allowed using these policies. However, if an operation is Explicit Denied then this rule has the highest precedence. 

Read about the Main principles of AWS Cloud Security and what role IAM plays in securing the AWS Resources.

Structure of IAM Policies

{
    "Version" : "2012-10-17",
    "Statement" : 
    [
        {
            "Sid" : "Human Readable Description",
            "Effect" : "Allow/Deny",
            "Action" : 
                [
                    "Service:api/call"
                ],
            "Resource" :
                ["arn"],
            "Condition" : 
            {
                "Stringequals" : 
                    {
                        "part of string" : "value to match"
                    }
            }
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Read Explanation here

Ways to create IAM Policies

You can use three main ways to create your desired IAM Policies:

  1. JSON Editor: You can write the policy manually using the aforementioned structure.
  2. Visual Editor: You can use the visual editor, which is found in IAM Console, to spin the policy.
  3. Import: You can import an existing policy from your account to customize it as per your requirements. You can import both AWS and Customer managed Policies
  4. AWS CLI: Use AWS CLI commands to generate IAM Policies.

Read More

💖 💪 🙅 🚩
aysharshad
Ayesha Arshad

Posted on April 22, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related