Managing policies and assigning permissions 

Assigning permissions in AWS is done through policies. Policies are implemented as JSON objects that define the scope of actions that can be executed over AWS resources. AWS evaluates a combination of policies and security principals before the final permissions are determined, and those include the following: 

  • Identity-based policies: These are attached to users, groups, and roles.
  • Resource-based policies: Policies can be attached directly to resources; for example, S3 bucket policies can control access to the S3 bucket.
  • Access control lists (ACLs): ACLs are also attached to certain resources, but unlike resource-based policies they use XML rather than JSON.
  • Organizations service control policies (SCP): We use SCPs to assign permissions boundaries to AWS organizations or organizational units (OUs).

Policies have a certain structure, written in JSON, and are composed of two parts:

  • Policy-wide information at the top of the document (optional)
  • One or more policy statements (mandatory)

Each statement describes a single permission, so to define multiple permissions you include multiple statements. When evaluating the final permission, a logical AND is applied across all statements. When evaluating multiple policies, a logical AND is likewise applied across all of those policies, meaning the most restrictive setting across all policies combined becomes the effective set of permissions.

Let's take a look at a policy by navigating to the IAM service, selecting Policies | AdministratorAccess, and clicking the {} JSON button: 

We can see that the version and a single statement are included in this policy, and that the effect of the statement is to Allow any action across all resources. A JSON policy can include the following attributes:

  • Version: Here, we can specify the version of the policy language; in most cases, the latest 2012-10-17 version should be used.
  • Statement: A container for one or more statements, each made up of the following elements:
    • Sid: An optional statement ID to differentiate between your statements
    • Effect: Allow or Deny 
    • Principal: Should be the account, user, role, or federated user being assigned the permission
    • Action: A list of actions that the policy allows or denies
    • Resource: A list of resources to which the actions apply
    • Condition (Optional): Specify the circumstances under which the policy grants permission
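As an added example (not code from the book), the following Python script embeds two constructed policy documents, one with the same shape as the AdministratorAccess policy viewed above and one scoped S3 policy that uses the Sid and Condition elements, parses the Statement block and flags any Allow statement that grants every action on every resource. The bucket name and Sids are placeholders.

```python
"""Parse IAM policy documents and flag Allow statements that grant everything."""
import json

# Constructed example: same shape as the AWS-managed AdministratorAccess policy.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
})

# Constructed example: a scoped policy using Sid and Condition (bucket name is a placeholder).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadExampleBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            # Only grant the permission when the request arrives over TLS.
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statements(policy_json):
    """Return the Statement block as a list, whether it was written as one object or a list."""
    doc = json.loads(policy_json)
    return _as_list(doc["Statement"])


def broad_allows(policy_json):
    """Return the Sid (or positional index as '#n') of each Allow statement
    whose Action and Resource are both the '*' wildcard."""
    findings = []
    for i, st in enumerate(statements(policy_json)):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only restrict, they never widen access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(st.get("Sid", f"#{i}"))
    return findings
```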