IAM Policies Reference

Policy JSON Structure

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Sid": "DenyDeleteObjects",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Both resource ARNs are needed: s3:ListBucket is a bucket-level action and matches only the bucket ARN, while s3:GetObject matches object ARNs under my-bucket/*. The explicit Deny on s3:DeleteObject wins over any Allow for that action, whatever other policy grants it.

Managed vs Inline Policies

# Create a customer-managed policy
aws iam create-policy \
  --policy-name MyS3Policy \
  --policy-document file://policy.json

# Attach the managed policy to a role
aws iam attach-role-policy \
  --role-name MyRole \
  --policy-arn arn:aws:iam::123456789012:policy/MyS3Policy

# Put an inline policy directly on the role (not reusable; deleted with the role)
aws iam put-role-policy \
  --role-name MyRole \
  --policy-name InlinePolicy \
  --policy-document file://inline.json

# List managed policies attached to a role
aws iam list-attached-role-policies --role-name MyRole

# List inline policies embedded in a role
aws iam list-role-policies --role-name MyRole

Customer-managed policies are versioned (up to five stored versions, one of them the default) and can be attached to many users, groups and roles; inline policies exist only inside the single identity they are embedded in. When auditing a role's effective permissions, query both lists above, since an inline policy is easy to miss.

Condition Keys

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {
      "StringEquals": { "s3:x-amz-server-side-encryption": "AES256" },
      "IpAddress": { "aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"] },
      "Bool": { "aws:MultiFactorAuthPresent": "true" },
      "DateGreaterThan": { "aws:CurrentTime": "2024-01-01T00:00:00Z" }
    }
  }]
}

All operator blocks inside one Condition are ANDed; multiple values listed for one key are ORed. Always include "Version": "2012-10-17" (the original example omitted it): without it the policy falls back to the 2008-10-17 language, which does not support policy variables. Two caveats: aws:MultiFactorAuthPresent is absent altogether from requests signed with long-term access keys, so the Allow above correctly fails for them, but a Deny written with "Bool": {"aws:MultiFactorAuthPresent": "false"} would not fire for those requests and needs BoolIfExists instead; and aws:SourceIp does not match traffic arriving through a VPC endpoint, which carries aws:VpcSourceIp instead.
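The following is an added example, not AWS code, that evaluates the condition block above offline so the AND/OR and missing-key behaviour can be checked without a live account. It implements only the operators this page uses (StringEquals, IpAddress, Bool, DateGreaterThan) plus StringNotEquals, as used by the region-restricting SCP further down. The request contexts are constructed for the example; treating an absent key as a non-match for StringNotEquals is this example's simplification.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed data for this example; the first block is the Condition of the
# s3:PutObject statement above, the second the region test from the SCP.
PUT_OBJECT_CONDITION = {
    "StringEquals": {"s3:x-amz-server-side-encryption": "AES256"},
    "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]},
    "Bool": {"aws:MultiFactorAuthPresent": "true"},
    "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
}
REGION_CONDITION = {
    "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    # Date condition keys are ISO 8601; a trailing "Z" means UTC.
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def _operator_matches(operator, key, expected, context):
    """Evaluate one operator/key pair against the request context."""
    if key not in context:
        # A key absent from the request never satisfies these plain operators
        # (only the ...IfExists variants and Null treat absence as a match).
        # This example applies the same rule to StringNotEquals (assumption).
        return False
    actual = context[key]
    values = _as_list(expected)
    if operator == "StringEquals":        # any listed value may match (OR)
        return actual in values
    if operator == "StringNotEquals":     # must differ from every listed value
        return actual not in values
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in values)
    if operator == "Bool":
        return str(actual).lower() == str(values[0]).lower()
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(values[0])
    raise ValueError(f"operator {operator} not implemented in this example")


def condition_matches(condition, context):
    """True only when every operator/key pair in the block is satisfied (AND)."""
    return all(
        _operator_matches(operator, key, expected, context)
        for operator, pairs in condition.items()
        for key, expected in pairs.items()
    )


# Constructed request contexts: an MFA session from a listed network, the same
# request signed with long-term access keys (no MFA key present at all), and
# an MFA session from an unlisted network.
MFA_FROM_OFFICE = {
    "s3:x-amz-server-side-encryption": "AES256",
    "aws:SourceIp": "203.0.113.7",
    "aws:MultiFactorAuthPresent": "true",
    "aws:CurrentTime": "2024-06-01T12:00:00Z",
}
ACCESS_KEY_FROM_OFFICE = {k: v for k, v in MFA_FROM_OFFICE.items()
                          if k != "aws:MultiFactorAuthPresent"}
MFA_FROM_ELSEWHERE = {**MFA_FROM_OFFICE, "aws:SourceIp": "192.0.2.10"}

if __name__ == "__main__":
    print(condition_matches(PUT_OBJECT_CONDITION, MFA_FROM_OFFICE))         # True
    print(condition_matches(PUT_OBJECT_CONDITION, ACCESS_KEY_FROM_OFFICE))  # False
    print(condition_matches(REGION_CONDITION, {"aws:RequestedRegion": "eu-west-1"}))  # True
```

The second result is the point of the MFA caveat: the long-term-key request does not carry the key at all, and the Allow simply never applies. The region result shows why the SCP's StringNotEquals is paired with Deny: it is true exactly for regions outside the allowed list.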

Permission Boundaries

# Attach a permissions boundary to a role
aws iam put-role-permissions-boundary \
  --role-name DeveloperRole \
  --permissions-boundary arn:aws:iam::123456789012:policy/DeveloperBoundary

# Permissions boundary policy example (the maximum the role can ever be granted)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*", "cloudwatch:*", "ec2:Describe*"],
    "Resource": "*"
  }]
}

# Note: effective permissions = identity policy ∩ permissions boundary

A boundary grants nothing by itself: an action is permitted only if both the identity policy and the boundary allow it, and an explicit Deny in either wins. It also limits only the identity it is attached to, so a delegated administrator who can create roles can still create an unbounded one unless iam:CreateRole, iam:CreateUser and the policy-attachment actions are themselves conditioned on iam:PermissionsBoundary equalling the approved boundary ARN.

Service Control Policies (SCP)

# SCPs apply at the AWS Organizations level (root, OU or account). They cap what
# any identity in the affected accounts can do but grant nothing by themselves.
# Deny all actions outside specific regions; the global services listed under
# NotAction stay reachable because they are not region-scoped.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideRegions",
    "Effect": "Deny",
    "NotAction": [
      "iam:*",
      "sts:*",
      "support:*",
      "route53:*",
      "cloudfront:*"
    ],
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": ["us-east-1", "us-west-2"]
      }
    }
  }]
}

# Attach the SCP to an OU via CLI (IDs are placeholders)
aws organizations attach-policy \
  --policy-id p-examplepolicyid \
  --target-id ou-exampleouid

Two limits to remember: SCPs never restrict the organization's management account, and they do not apply to service-linked roles. Any global service that is not in the NotAction list will be denied, so extend the list before rollout rather than after.

Common Policy Patterns

Pattern                                             | Use case
----------------------------------------------------|---------------------------------------------------
"Action": "*", "Resource": "*", "Effect": "Deny"    | Explicit deny all (overrides any Allow)
"NotAction": [...], "Effect": "Allow"               | Allow everything except the listed actions
"NotResource": [...], "Effect": "Deny"              | Deny on all resources except the listed ones
aws:PrincipalOrgID condition                        | Restrict access to principals in your organization
sts:AssumeRole with MFA condition                   | Require MFA before role assumption
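The following is an added example, not AWS's evaluation engine, that runs the policy from the top of the page, the DeveloperBoundary from the Permission Boundaries section and the table's Not* patterns through a small offline evaluator, so the rules stated here (explicit Deny overrides Allow, NotAction and NotResource invert the match, identity ∩ boundary, SCPs as a further cap) can be checked on concrete requests. It ignores Condition, Principal and resource-based policies; the FULL_ACCESS, ALLOW_ALL_BUT_IAM and DENY_OTHER_BUCKETS policies are constructed for the example.

```python
import re

# Constructed policies for this example. READ_ONLY and BOUNDARY are the
# documents shown earlier on this page; the rest fill in the table's patterns.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3ReadOnly", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
        {"Sid": "DenyDeleteObjects", "Effect": "Deny",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "cloudwatch:*", "ec2:Describe*"],
                   "Resource": "*"}],
}
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ALLOW_ALL_BUT_IAM = {"Version": "2012-10-17",          # NotAction + Allow pattern
                     "Statement": [{"Effect": "Allow",
                                    "NotAction": ["iam:*", "organizations:*"],
                                    "Resource": "*"}]}
DENY_OTHER_BUCKETS = {"Version": "2012-10-17",         # NotResource + Deny pattern
                      "Statement": [{"Effect": "Deny", "Action": "s3:*",
                                     "NotResource": ["arn:aws:s3:::my-bucket",
                                                     "arn:aws:s3:::my-bucket/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard(pattern, value, ignore_case):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_applies(stmt, action, resource):
    # Action names are matched case-insensitively, ARNs exactly; the Not*
    # forms invert the membership test. Condition and Principal are ignored.
    if "Action" in stmt:
        action_ok = any(_wildcard(p, action, True) for p in _as_list(stmt["Action"]))
    else:
        action_ok = not any(_wildcard(p, action, True) for p in _as_list(stmt["NotAction"]))
    if "Resource" in stmt:
        resource_ok = any(_wildcard(p, resource, False) for p in _as_list(stmt["Resource"]))
    else:
        resource_ok = not any(_wildcard(p, resource, False) for p in _as_list(stmt["NotResource"]))
    return action_ok and resource_ok


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' (no statement matched)."""
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if _statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"        # an explicit Deny ends evaluation
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None, scps=()):
    """Combine the layers the way IAM does for a same-account request with no
    resource-based policy: an explicit Deny in any layer rejects, and every
    layer that is present (SCPs, boundary, identity) must contain an Allow."""
    if not identity_policies:
        return False                 # nothing grants the permission at all
    layers = [list(scps), [boundary] if boundary else [], list(identity_policies)]
    for layer in layers:
        if not layer:
            continue                 # no SCP / no boundary attached
        results = [evaluate(p, action, resource) for p in layer]
        if "Deny" in results or "Allow" not in results:
            return False
    return True


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.csv"
    print(is_allowed("s3:GetObject", obj, [READ_ONLY]))                            # True
    print(is_allowed("s3:DeleteObject", obj, [READ_ONLY, FULL_ACCESS]))            # False
    print(is_allowed("ec2:RunInstances", "*", [FULL_ACCESS], boundary=BOUNDARY))   # False
```

The second call shows the first row of the table: FULL_ACCESS allows s3:DeleteObject, but the explicit Deny in READ_ONLY still wins. The third shows the boundary intersection: the identity policy allows ec2:RunInstances, the boundary does not, so the request fails, while ec2:DescribeInstances passes both.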