2.1.2. IAM Policy Types (Identity-Based, Resource-Based, SCPs, Permissions Boundaries)

First Principle: Different IAM policy types (Identity-Based, Resource-Based, SCPs, Permissions Boundaries) provide granular control over access from various perspectives, enabling comprehensive and layered security across AWS accounts.

AWS offers several types of IAM policies, each serving a distinct purpose in controlling access to AWS resources. Understanding their differences and interactions is crucial for advanced security design.

Key IAM Policy Types:

• Identity-Based Policies:
  • What they are: Attached to an IAM identity (user, group, or role).
  • Purpose: Grant permissions to that identity. Specify what actions the identity can perform on which resources.
• Resource-Based Policies:
  • What they are: Embedded directly within a resource (e.g., Amazon S3 bucket policies, Amazon SQS queue policies, AWS KMS key policies).
  • Purpose: Define who can access that specific resource and what actions they can perform. Useful for cross-account access.
• Service Control Policies (SCPs):
  • What they are: Policy types that you attach to an AWS Organizations root, Organizational Unit (OU), or individual AWS accounts.
  • Purpose: Define the maximum available permissions for all IAM users and roles in affected accounts. They act as preventative "guardrails." An explicit Deny in an SCP overrides any Allow in other IAM policies.
• Permissions Boundaries:
  • What they are: An advanced IAM policy that sets the maximum permissions an identity-based policy can grant to an IAM entity.
  • Purpose: For delegating permission management while enforcing guardrails. The effective permissions are the intersection of the identity-based policy and the permissions boundary.

Scenario: You need to allow an IAM user in Account A to put objects into an S3 bucket in Account B. Separately, you want to enforce a maximum set of permissions that any IAM user or role in Account A can have.

Reflection Question: How do different IAM policy types (Identity-Based, Resource-Based, SCPs, Permissions Boundaries) provide granular and layered control over access from various perspectives (e.g., granting permissions to an identity, defining access on a resource, setting maximum permissions across an organization), enabling comprehensive security across AWS accounts?