AWS Identity and Access Management (IAM): Custom Policy JSON

nishanthan-k
3 min read · Sep 24, 2024


AWS IAM is a core service that allows us to manage access to AWS resources. It helps control who can create, modify, or delete data within AWS. Access to resources can be managed in two main ways: by assigning user roles or by creating policies that define specific permissions.

Access Through Roles

To temporarily grant access to AWS resources, we can create a role, which is essentially an identity with temporary credentials that a user or service assumes. Roles let you reach resources without creating a permanent user for each task. AWS offers several managed policies for access control, but you can also configure your own custom policies, either in the AWS console or by writing the JSON by hand.

Example of a Policy JSON

A simple policy allowing Lambda function creation might look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction"
      ],
      "Resource": "*"
    }
  ]
}

Key Elements of a Policy

  • Sid (Statement ID): This is an identifier or name for the policy statement.
  • Effect: This specifies whether to “Allow” or “Deny” the actions defined.
  • Action: Lists the services and specific actions (such as create, modify, or delete) that the user can perform. For example, Lambda or S3 actions.
  • Resource: Specifies the resources (like specific S3 buckets or DynamoDB tables) where the permissions apply.

Custom Policy: Read-Only Access to Specific DynamoDB Columns

You can create a custom policy to grant read-only access to specific columns in a DynamoDB table, as shown below:

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ReadOnlyAccess",
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:Query"
    ],
    "Resource": "arn:aws:dynamodb:*:*:table/Orders",
    "Condition": {
      "ForAllValues:StringEquals": {
        "dynamodb:Attributes": [
          "col-name-1",
          "col-name-2",
          "col-name-3"
        ]
      },
      "StringEqualsIfExists": {
        "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
      }
    }
  }
}

Resource Breakdown:

  • ARN (Amazon Resource Name): A unique identifier for AWS resources.
  • dynamodb: The service name.
  • asterisks (*): The first asterisk stands in for the AWS region, so the policy applies to the table in every region. The second stands in for the AWS account ID, so the ARN matches a table named Orders in any account.
  • table/Orders: Specifies the particular DynamoDB table (Orders) the policy applies to.

Conditions

In the example above, the Condition element narrows the policy's scope. ForAllValues:StringEquals on dynamodb:Attributes allows a request only if every attribute it names is one of the listed columns (col-name-1, col-name-2, col-name-3), and StringEqualsIfExists on dynamodb:Select requires that, whenever a Select value is supplied, it is SPECIFIC_ATTRIBUTES, so the caller cannot ask for all attributes of an item.
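As an added example (not from the original post), the following Python linter catches three mistakes that are easy to make in hand-written policy JSON: an invalid Version string, a misspelled condition operator, and a write action inside a statement named read-only. The sample policy is constructed for the demonstration and deliberately seeds all three.

```python
import json
import re

# Policy-language versions IAM accepts; a typo such as "2002-10-09" is rejected.
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}
# Base condition operators; set prefixes and the IfExists suffix are stripped before lookup.
BASE_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase",
    "StringLike", "StringNotLike", "NumericEquals", "NumericNotEquals", "NumericLessThan",
    "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals", "DateEquals",
    "DateNotEquals", "DateLessThan", "DateLessThanEquals", "DateGreaterThan",
    "DateGreaterThanEquals", "Bool", "BinaryEquals", "IpAddress", "NotIpAddress",
    "ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike", "Null",
}
# Action verbs that only read; anything else in a statement named read-only is flagged.
READ_VERBS = ("Get", "List", "Describe", "Query", "Scan", "BatchGet", "Head")

# Constructed sample in the shape of the DynamoDB policy above, with three seeded defects.
SAMPLE_POLICY = json.dumps({
    "Version": "2002-10-09",
    "Statement": {
        "Sid": "ReadOnlyAccess", "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:*:*:table/Orders",
        "Condition": {
            "ForAllValues:StringEquals": {"dynamodb:Attributes": ["col-name-1"]},
            "StringEqualIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}}}})

def _as_list(value):
    # IAM lets Statement, Action and Resource be a single value or a list.
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    policy = json.loads(policy_json)
    findings = []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append(f"Version {policy.get('Version')!r} is not a valid policy-language version")
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        for op in stmt.get("Condition", {}):
            base = re.sub(r"IfExists$", "", re.sub(r"^(ForAllValues|ForAnyValue):", "", op))
            if base not in BASE_OPERATORS:
                findings.append(f"{sid}: unknown condition operator {op!r}")
        if stmt.get("Effect") == "Allow" and "readonly" in sid.lower():
            for action in _as_list(stmt.get("Action", [])):
                if not action.split(":", 1)[-1].startswith(READ_VERBS):
                    findings.append(f"{sid}: read-only statement grants write action {action!r}")
    return findings
```

Running lint_policy(SAMPLE_POLICY) yields one finding for each seeded defect; a policy with Version 2012-10-17 and no statements yields none.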

Example: Read-Only Access to an S3 Bucket

Here’s an example of a policy for read-only access to an S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAllowedPrefixes",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "col-name-1/",
            "col-name-2/",
            "col-name-3/"
          ]
        }
      }
    },
    {
      "Sid": "ReadAllowedPrefixes",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-bucket/col-name-1/*",
        "arn:aws:s3:::my-bucket/col-name-2/*",
        "arn:aws:s3:::my-bucket/col-name-3/*"
      ]
    }
  ]
}

Resource Breakdown:

  • arn:aws:s3:::my-bucket: The bucket itself. s3:ListBucket is authorized against the bucket ARN, and the s3:prefix condition key (present only on listing requests) limits which key prefixes can be listed.
  • arn:aws:s3:::my-bucket/col-name-1/*: An object ARN (bucket name, then a key pattern). s3:GetObject is authorized against object ARNs, so naming the allowed prefixes here is what restricts object reads to those paths.

This policy limits access to specific paths in the bucket, allowing only certain prefixes (such as col-name-1/, col-name-2/) to be listed and read. Because s3:prefix is not part of a GetObject request, placing both actions in one statement under a StringEquals condition on s3:prefix would never allow GetObject; the read permission therefore lives in its own statement scoped by the object ARNs.

Conclusion

IAM policies are a powerful way to manage access control in AWS. By customizing policies using JSON, you can define specific permissions, actions, and resources that users or roles can access. Whether it’s for DynamoDB or S3, IAM policies allow fine-grained control over your AWS environment.
