IAM Policies and Permissions

IAM policies are the mechanism by which you define what actions are allowed or denied in your AWS environment. They are JSON documents with a specific structure, and mastering them is essential for securing your account.

---

What is an IAM Policy?

An IAM policy is a JSON document that defines a set of permissions. You attach policies to IAM identities (users, groups, or roles) or to AWS resources. When a principal makes a request, AWS evaluates all applicable policies to decide whether to allow or deny the request.

---

Policy Structure

Every IAM policy has the following structure:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Key Fields

Field	Required	Description
Version	Yes	Always use "2012-10-17" — the current policy language version
Statement	Yes	An array of individual permission statements
Sid	No	A friendly identifier for the statement
Effect	Yes	Either "Allow" or "Deny"
Action	Yes	The API actions this statement applies to (e.g., s3:GetObject)
Resource	Yes*	The AWS resources the actions apply to, specified by ARN
Condition	No	Optional conditions that must be true for the statement to apply

*Resource is required for most policies but is omitted in resource-based policies where the resource is implicit.

---

Types of Policies

AWS supports several types of policies:

1. AWS Managed Policies

Pre-built policies created and maintained by AWS. Examples include:

• AdministratorAccess — full access to all services
• ReadOnlyAccess — read-only access to all services
• AmazonS3ReadOnlyAccess — read-only access to S3

These are convenient starting points but may grant more permissions than needed.

2. Customer Managed Policies

Policies you create and manage yourself. These give you full control and allow you to tailor permissions to your exact requirements. You can version customer managed policies and roll back if needed.

3. Inline Policies

Policies embedded directly in a single user, group, or role. They are not reusable — they exist only within the entity they are attached to. AWS generally recommends using managed policies instead.

4. Resource-Based Policies

Policies attached to a resource (like an S3 bucket or an SQS queue) rather than to an identity. They specify who (which principal) can perform actions on that resource.

---

Policy Evaluation Logic

When AWS receives a request, it evaluates all applicable policies using the following logic: