2.1.2. IAM Policy Types (Identity-Based, Resource-Based, SCPs, Permissions Boundaries)
First Principle: Different IAM policy types (Identity-Based, Resource-Based, SCPs, Permissions Boundaries) provide granular control over access from various perspectives, enabling comprehensive and layered security across AWS accounts.
AWS offers several types of IAM policies, each serving a distinct purpose in controlling access to AWS resources. Understanding their differences and interactions is crucial for advanced security design.
Key IAM Policy Types:
- Identity-Based Policies:
  - What they are: Attached to an IAM identity (user, group, or role).
  - Purpose: Grant permissions to that identity. Specify what actions the identity can perform on which resources.
- Resource-Based Policies:
  - What they are: Embedded directly within a resource (e.g., Amazon S3 bucket policies, Amazon SQS queue policies, AWS KMS key policies).
  - Purpose: Define who can access that specific resource and what actions they can perform. Useful for cross-account access.
- Service Control Policies (SCPs):
  - What they are: Policy types that you attach to an AWS Organizations root, Organizational Unit (OU), or individual AWS accounts.
  - Purpose: Define the maximum available permissions for all IAM users and roles in affected accounts. They act as preventative "guardrails." An explicit Deny in an SCP overrides any Allow in other IAM policies.
- Permissions Boundaries:
  - What they are: An advanced IAM policy that sets the maximum permissions an identity-based policy can grant to an IAM entity.
  - Purpose: For delegating permission management while enforcing guardrails. The effective permissions are the intersection of the identity-based policy and the permissions boundary.
Scenario: You need to allow an IAM user in Account A to put objects into an S3 bucket in Account B. Separately, you want to enforce a maximum set of permissions that any IAM user or role in Account A can have.
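To make the layering rules and the scenario concrete, here is an added example (not part of the original notes and not AWS's own evaluator): a toy Python evaluator that applies the simplified evaluation order for the four policy types, with constructed sample policies for the Account A user writing to the Account B bucket. It assumes policy documents without Condition blocks, a Principal given as a plain ARN string, and placeholder account ids and bucket names.

```python
from fnmatch import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _stmt_matches(stmt, action, resource, principal):
    # A statement applies when Action, Resource and (for resource policies) Principal all match.
    princ = stmt.get("Principal", "*")  # simplified: plain ARN string or "*"
    princ_ok = princ == "*" or principal in _as_list(princ)
    return (princ_ok and any(fnmatch(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch(resource, r) for r in _as_list(stmt["Resource"])))

def decide(policy, action, resource, principal):
    """'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _stmt_matches(s, action, resource, principal)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else None)

def is_allowed(principal, action, resource, identity, scp=None, boundary=None,
               resource_policy=None, cross_account=False):
    """Simplified evaluation: an explicit Deny in any layer wins; the SCP and the
    permissions boundary are ceilings that must each Allow; same-account access
    needs an Allow from the identity or the resource policy, cross-account needs both."""
    layers = [p for p in (identity, scp, boundary, resource_policy) if p is not None]
    if any(decide(p, action, resource, principal) == "Deny" for p in layers):
        return False
    for ceiling in (scp, boundary):
        if ceiling is not None and decide(ceiling, action, resource, principal) != "Allow":
            return False
    ident_ok = decide(identity, action, resource, principal) == "Allow"
    res_ok = (resource_policy is not None
              and decide(resource_policy, action, resource, principal) == "Allow")
    return (ident_ok and res_ok) if cross_account else (ident_ok or res_ok)

# Constructed sample policies for the scenario (account id and bucket name are placeholders).
ALICE = "arn:aws:iam::111111111111:user/alice"      # IAM user in Account A
OBJECTS = "arn:aws:s3:::example-bucket-b/*"         # objects in a bucket owned by Account B
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": OBJECTS}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": ALICE,
                                "Action": "s3:PutObject", "Resource": OBJECTS}]}
SCP_A = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                       {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}

def scenario(action, bucket_policy=BUCKET_POLICY):
    """Evaluate one action for the Account A user against the Account B bucket."""
    return is_allowed(ALICE, action, OBJECTS, IDENTITY, scp=SCP_A, boundary=BOUNDARY,
                      resource_policy=bucket_policy, cross_account=True)
```

Removing the bucket policy, narrowing the boundary, or adding an SCP Deny each flips the result independently, which is the layering the list above describes.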
Reflection Question: How do different IAM policy types (Identity-Based, Resource-Based, SCPs, Permissions Boundaries) provide granular and layered control over access from various perspectives (e.g., granting permissions to an identity, defining access on a resource, setting maximum permissions across an organization), enabling comprehensive security across AWS accounts?