Learn more about IAM policies
Identity and Access Management (IAM) policies are the standard way of managing access to resources
and services in AWS. An IAM policy contains a collection of permissions that define which actions are
allowed or denied. The policy can be attached to an identity or resource, called the IAM
principal. Every time this principal makes a request to AWS (whether through the
console, the CLI or the API), the policies attached to the principal are checked to verify that it is
actually allowed to perform the request.
There are six types of IAM policies: identity-based policies, resource-based policies, permissions
boundaries, service control policies, access control lists, and session policies.
- Identity-based policies are policies that give permissions to IAM identities such as
users, roles or groups.
- Resource-based policies are policies that can be attached to AWS resources, such as S3
buckets. This type of policy specifies who can access a resource, and how.
- Sometimes it makes sense to limit which permissions an identity can be given. For example, you
don't want an IAM user to ever get the rights to create EC2 instances. In that case you can use
permissions boundaries. A permission boundary can result in an action being denied, even
if the principal requesting the action has the correct permissions attached in an identity-based
policy.
- Similar to permission boundaries are the service control policies (SCPs). They also limit
which permissions an IAM identity can have. The only difference is that service control policies
are applied organisation-wide (meaning to all IAM identities within the organisation), while
permission boundaries only apply to a single IAM identity.
- Access control lists (ACLs) are a bit different from the other policies, since they are
the only policy type that does not use the JSON policy format. Access control lists are used to
specify which principals in other accounts can access a resource. ACLs can be used only with the
Amazon S3, WAF and VPC services.
- Finally you have the session policies, which are simply IAM policies that are attached to
a session. When the session ends, so do the permissions granted by the session policy.
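To make the interaction between identity-based policies, permissions boundaries and SCPs concrete, here is an added example (not code from the original page and not AWS's own evaluation engine) that models the decision logic in a deliberately simplified way: an explicit Deny anywhere wins, a boundary or SCP can only restrict and never grant on its own, and the default is an implicit deny. The policy documents, the bucket name and the account id 123456789012 are constructed sample inputs; only Effect, Action and Resource are modelled (NotAction, Principal, Condition and resource-based or session policies are left out).

```python
"""Simplified model of how the policy types described above combine for one request."""
import fnmatch

# Constructed sample policies for this example (not real account policies).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

# Permissions boundary: this identity may never be granted more than S3 access to one bucket.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Service control policy: allow everything organisation-wide except launching EC2 instances.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """'*' and '?' are wildcards; action names are matched case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy document."""
    outcome = None
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny ends evaluation of this document
        outcome = "Allow"
    return outcome


def is_allowed(action, resource, identity_policies, boundary=None, scp=None):
    """Simplified decision for a request by a principal in one account.

    1. Any explicit Deny in any applicable policy wins.
    2. The SCP and the permissions boundary (when present) must each allow the
       action; they only limit what can be granted, they never grant by themselves.
    3. At least one identity-based policy must allow the action; otherwise implicit deny.
    """
    limit_decisions = [evaluate_policy(p, action, resource) for p in (scp, boundary) if p]
    identity_decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in limit_decisions or "Deny" in identity_decisions:
        return False
    if any(d != "Allow" for d in limit_decisions):
        return False
    return "Allow" in identity_decisions


def demo():
    """Run the sample requests and return the decisions keyed by scenario."""
    bucket_object = "arn:aws:s3:::example-bucket/report.txt"
    instance = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"  # placeholder
    return {
        # identity policy grants ec2:*, nothing limits it
        "ec2_no_limits": is_allowed("ec2:RunInstances", instance, [IDENTITY_POLICY]),
        # same request, now capped by the permissions boundary (which never mentions EC2)
        "ec2_with_boundary": is_allowed("ec2:RunInstances", instance, [IDENTITY_POLICY], boundary=BOUNDARY),
        # same request, denied organisation-wide by the SCP
        "ec2_with_scp": is_allowed("ec2:RunInstances", instance, [IDENTITY_POLICY], scp=SCP),
        # boundary permits S3 on this bucket and the identity policy grants GetObject
        "s3_get_with_boundary": is_allowed("s3:GetObject", bucket_object, [IDENTITY_POLICY], boundary=BOUNDARY),
        # boundary would permit PutObject, but no identity policy grants it
        "s3_put_with_boundary": is_allowed("s3:PutObject", bucket_object, [IDENTITY_POLICY], boundary=BOUNDARY),
        # explicit Deny in the identity policy wins regardless of the boundary
        "s3_delete": is_allowed("s3:DeleteObject", bucket_object, [IDENTITY_POLICY], boundary=BOUNDARY),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:22s} -> {'Allow' if allowed else 'Deny'}")
```

The useful check when reviewing a real account is the same one the model makes explicit: a boundary or SCP that does not mention an action silently turns an identity-policy Allow into a deny, and an explicit Deny cannot be overridden by any Allow elsewhere.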