IAM Policy Evaluation Logic

Default Denial
Default Behavior: By default, every request is implicitly denied; a request succeeds only if some policy explicitly allows it.
Root User Access: The exception is the AWS account root user, which has full access by default (an Organizations SCP can still restrict the root user of a member account).
Override Rules
Explicit Allow: An explicit allow in an identity-based or resource-based policy overrides the default (implicit) denial.
Implicit Deny Overrides: If a permissions boundary, Organizations SCP, or session policy applies to the request, that policy must also allow the action; if it does not, its implicit deny overrides the explicit allow.
Explicit Deny: An explicit deny in any policy type overrides every allow, wherever the allow appears.
Key Concepts
Identity-Based Policies: Attached to IAM identities (users, groups, roles); they grant permissions to the identity they are attached to and therefore contain no Principal element.
Resource-Based Policies: Attached to a resource (for example an S3 bucket policy); they grant permissions to the principal named in the policy's Principal element.
IAM Permissions Boundaries: Set the maximum permissions that an identity-based policy can grant to an IAM user or role; a boundary grants nothing on its own.
AWS Organizations SCPs: Specify the maximum permissions for the accounts in an organization or organizational unit; like boundaries, SCPs grant nothing on their own.
Session Policies: Advanced policies passed as a parameter when programmatically creating a temporary session for a role or federated user (for example the Policy parameter of sts:AssumeRole); the session's effective permissions are the intersection of the session policy and the role's identity-based policies.
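The rules above can be written down as a small evaluator. The following Python is an added example, not AWS code: it models a single-account request, treats each policy as a plain dict, matches Action and Resource with the '*' and '?' wildcards only, and ignores Condition, NotAction, NotResource and the cross-account and resource-policy special cases. The helper names (evaluate, demo) and the sample policies and ARNs are constructed for the example, modelled on the policies shown later on this page.

```python
"""Simplified model of the IAM policy evaluation order (added example, not AWS code)."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Action, Resource and Principal be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """Identity-based policies, boundaries, SCPs and session policies carry no
    Principal element and always apply to the caller; resource policies must name it."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p in ("*", principal_arn) for p in aws)


def _matching_effects(policy, principal_arn, action, resource):
    """Yield the Effect of every statement whose Principal/Action/Resource match.
    Assumption: only '*' and '?' wildcards; Condition elements are not evaluated."""
    for st in _as_list(policy.get("Statement", [])):
        if not _principal_matches(st, principal_arn):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]  # actions are case-insensitive
        resources = _as_list(st.get("Resource", []))
        if any(fnmatchcase(action.lower(), a) for a in actions) and any(
            fnmatchcase(resource, r) for r in resources
        ):
            yield st["Effect"]


def _decision(policies, principal_arn, action, resource):
    """'Deny' on any explicit deny, 'Allow' on any allow, None for an implicit deny."""
    effects = [e for p in policies for e in _matching_effects(p, principal_arn, action, resource)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def evaluate(request, identity_policies=(), resource_policies=(), permissions_boundary=None,
             scps=(), session_policies=(), is_root=False):
    """Apply the documented precedence to a same-account request and return 'Allow' or 'Deny'."""
    principal, action, resource = request["principal"], request["action"], request["resource"]
    everything = [*identity_policies, *resource_policies, *scps, *session_policies]
    if permissions_boundary is not None:
        everything.append(permissions_boundary)
    # 1. An explicit deny in any policy type ends the evaluation.
    if _decision(everything, principal, action, resource) == "Deny":
        return "Deny"
    # 2. SCPs are an account-level guardrail, so they bind even the root user.
    if scps and _decision(list(scps), principal, action, resource) != "Allow":
        return "Deny"
    if is_root:
        return "Allow"  # root has full access; boundaries and identity policies do not apply
    # 3. The remaining guardrails only narrow: each one present must allow the action too.
    if permissions_boundary is not None and \
            _decision([permissions_boundary], principal, action, resource) != "Allow":
        return "Deny"
    if session_policies and _decision(list(session_policies), principal, action, resource) != "Allow":
        return "Deny"
    # 4. Something still has to grant the permission, otherwise it is implicitly denied.
    if _decision([*identity_policies, *resource_policies], principal, action, resource) == "Allow":
        return "Allow"
    return "Deny"


# Constructed sample policies (not real account data), modelled on this page's examples.
USER = "arn:aws:iam::123456789012:user/example-user"
ROOT = "arn:aws:iam::123456789012:root"
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*"], "Resource": "*"}]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # the default FullAWSAccess SCP
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
SESSION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"}]}


def demo():
    """Decisions for several requests, one per rule on this page."""
    def ask(action, resource, **kw):
        return evaluate({"principal": USER, "action": action, "resource": resource},
                        identity_policies=[IDENTITY], permissions_boundary=BOUNDARY, scps=[SCP], **kw)
    obj, pub = "arn:aws:s3:::example-bucket/a.txt", "arn:aws:s3:::example-bucket/public/a.txt"
    table = "arn:aws:dynamodb:us-west-2:123456789012:table/ExampleTable"
    return {
        "identity_allow": ask("s3:GetObject", obj),                 # Allow: explicit allow, nothing blocks it
        "no_grant": ask("s3:PutObject", obj),                       # Deny: implicit deny, no policy grants it
        "boundary_blocks": ask("dynamodb:GetItem", table),          # Deny: identity allows, boundary does not
        "session_narrows": ask("s3:GetObject", obj, session_policies=[SESSION]),  # Deny
        "session_allows": ask("s3:GetObject", pub, session_policies=[SESSION]),  # Allow
        "scp_denies_root": evaluate({"principal": ROOT, "action": "s3:DeleteBucket",
                                     "resource": "arn:aws:s3:::example-bucket"}, scps=[SCP], is_root=True),
        "root_allowed": evaluate({"principal": ROOT, "action": "s3:PutObject", "resource": obj},
                                 scps=[SCP], is_root=True),          # Allow: root needs no identity policy
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16s} {decision}")
```

The order of the checks is the point: an explicit deny is tested across every policy type before anything else, the guardrails are consulted only to veto, and the identity and resource policies are the only place an allow can originate. For real policies, use the IAM policy simulator or the iam:SimulatePrincipalPolicy API rather than a model like this, since Condition keys and cross-account rules change the outcome.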
Here are examples of each type of policy in AWS:
Identity-Based Policies:
Example: Granting a specific IAM user read access to objects in an S3 bucket. The policy is attached to the user itself, so it has no Principal element (a Principal in an identity-based policy is a syntax error):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
Resource-Based Policies:
Example: A bucket policy on example-bucket that lets a specific IAM role read its objects. Here the Principal element is required, because the policy is attached to the resource rather than to the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/example-role"
      }
    }
  ]
}
IAM Permissions Boundaries:
Example: A permissions boundary attached to an IAM role. Whatever the role's identity-based policies grant, it can use at most S3 and CloudWatch; a boundary that allowed "*" on "*" would limit nothing:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*", "cloudwatch:*"],
      "Resource": "*"
    }
  ]
}
AWS Organizations SCPs (Service Control Policies):
Example: Denying specific AWS services in an organizational unit. The SCP is scoped by attaching it to the OU, not by a condition; an aws:PrincipalOrgID condition combined with a Deny on "*" would instead deny every action for every principal in the organization. The accounts must still inherit an allowing SCP such as FullAWSAccess, since SCPs never grant permissions themselves:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["ec2:*", "rds:*"],
      "Resource": "*"
    }
  ]
}
Session Policies:
Example: A session policy passed when assuming a role, restricting the session to one DynamoDB table and, through the dynamodb:LeadingKeys condition key, to items whose partition key is User1. dynamodb:LeadingKeys is a multi-valued key, so the condition uses the ForAllValues set operator. Because a session policy can only narrow, the role's identity-based policy must itself allow dynamodb:GetItem on the table:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:GetItem",
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/ExampleTable",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["User1"]
        }
      }
    }
  ]
}
The following flowchart details the IAM policy evaluation logic:
[flowchart image not reproduced]
