An IAM Policy in AWS is a JSON document that defines permissions to allow or deny actions on AWS resources. Policies are attached to users, groups, or roles to control their level of access.
IAM policies enable fine-grained access control, ensuring that entities (Users, Roles, or Groups) have only the permissions necessary to perform their jobs (the principle of least privilege).
Key Features of IAM Policies
JSON-Based - Policies are written in JSON format.
Granular Access Control - Define specific actions allowed/denied.
Attach to IAM Users, Groups or Roles - Flexible Permissions Management.
Supports Explicit Deny - If a deny statement exists, it overrides allow.
Conditional Access - Restrict Permissions based on IP address, region, time, etc.
AWS-Managed Policies - Predefined by AWS for common use cases.
Custom Policies - Users can create their own policies for more control.
Structure of an IAM Policy
An IAM policy consists of several key elements:
Types of IAM Policies
IAM Policies can be categorized into four main types:
AWS Managed Policies
Customer Managed Policies
Inline Policies
Service Control Policies
AWS Managed Policies
Predefined by AWS for Common use cases.
Example: AmazonS3ReadOnlyAccess, AdministratorAccess
Good for standard access needs without creating custom policies.
Example:
AWS-Managed Policy for Read-Only S3 Access.
Customer Managed Policies
Custom Policies created by Users for specific requirements.
Provides more flexibility than AWS-Managed Policies.
Example:
Custom Policy Allowing Read & Write to Specific S3 Bucket.
Inline Policies
Directly attached to a single IAM User, Group, or Role.
Not reusable (unlike managed policies).
Best for temporary, user-specific permissions.
Example:
Inline Policy for Granting Full Access to EC2.
Service Control Policies
Used in AWS Organizations to manage multiple AWS Accounts.
Applied at the account level (not to individual IAM users).
Helps enforce organization-wide security restrictions.
Example:
SCP preventing S3 Bucket Deletion
Who uses Service Control Policies? Organizations that want to enforce global policies across multiple AWS Accounts.
IAM Policy Evaluation Logic
AWS IAM Policies follow a strict evaluation order:
Explicit Deny: If any applicable policy contains "Effect": "Deny" for the request, the request is denied, regardless of any Allow.
Explicit Allow: If a policy has "Effect": "Allow" for the request, AWS grants access (unless it is explicitly denied).
Implicit Deny: If no policy explicitly allows an action, it is denied by default.
Example:
Allowing S3 Access but Denying Deletion
Users can upload, list and read objects.
But users cannot delete any objects in the S3 bucket.
IAM Policy Condition (Advanced Security)
IAM Policies support Condition keys for fine-tuned access control.
Example:
Restrict S3 Access to Specific IP Range
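To make the evaluation order above and the IP-range condition concrete, here is a small policy evaluator added for this article (it is not code from the original page and not the AWS evaluation engine). It models a single identity-based policy, wildcard matching on Action and Resource, and only the IpAddress operator on aws:SourceIp; the bucket name and IP range are constructed sample values.

```python
import fnmatch
import ipaddress

# Constructed sample policy: upload, list and read on one bucket, only from one
# office range, and an explicit deny on deletion that applies from anywhere.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # Action and Resource values may use the '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, ctx):
    # Only IpAddress on aws:SourceIp is modelled; a missing key never matches.
    for operator, keys in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(operator)
        for key, ranges in keys.items():
            if key not in ctx:
                return False
            ip = ipaddress.ip_address(ctx[key])
            if not any(ip in ipaddress.ip_network(r) for r in _as_list(ranges)):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny': an explicit Deny wins over everything, then an
    explicit Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any allow
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny by default
```

Running evaluate on the same object with s3:PutObject from 203.0.113.7 returns Allow, with s3:DeleteObject returns Deny, and with s3:GetObject from an address outside the range returns Deny through the implicit deny, which is the behaviour the two sections above describe.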
Best Practices for IAM Policies
Follow the principle of least privilege.
Use AWS Managed Policies when possible.
Enable MFA.
Use IAM Conditions for enhanced security.
Monitor IAM changes with AWS CloudTrail.
Regularly audit IAM Policies.
How to Create AWS IAM Policies
Method 1: AWS Management Console
Step 1: Sign in to the AWS Management Console.
Go to the IAM Console: https://console.aws.amazon.com/iam
In the left navigation pane, click Policies.
Click Create Policy.
Step 2: Choose a Policy creation method
You will see two options:
Visual Editor (For beginners, no JSON experience required)
JSON Editor (For advanced users who want to write custom policies).
Step 3: Review and create the Policy
Enter a Policy Name (e.g., ReadOnlyAccess)
Enter a Description
Click Create Policy.
Method 2: AWS CLI
Step 1: Create a JSON Policy File
Create a JSON file (policy.json) with the desired permissions.
Step 2: Create the policy using the AWS CLI
Run the following AWS CLI command to create the policy:
Step 3: Attach the Policy to an IAM User
To attach this policy to a user:
Step 4: Verify the Policy
Step 5: Delete the Policy (If Needed)
If you need to delete the policy:
Policy can be deleted only if it is not attached to any