Policy is made up of
- Effect : Allow or Deny
- Action : the API call(s) the statement covers, e.g. s3:CreateBucket (very fine grained; "s3:*" covers a whole service)
- Resource : the ARN(s) the statement applies to, e.g. a specific S3 bucket, EC2 instance or DynamoDB table ("*" for any resource)
- Condition : optional extra tests on the request, e.g. time of day, source IP, region or whether MFA was used
Example ....
{
  "Version": "2012-10-17",
  "Statement": [ {
      "Action": [ "dynamodb:*" ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-west-2:23534566:table/Sales",
      "Condition": { "StringLike": { "iam:PassedToService": "application-autoscaling.amazonaws.com" } }
  } ]
}
(The account ID here is a placeholder; real account IDs are 12 digits.) Caveat: iam:PassedToService is only present in the request context for iam:PassRole calls, so a StringLike on it can never be true for a dynamodb:* request and this statement would grant nothing as written. It is shown only for the shape: Version, Statement, Action, Effect, Resource, Condition.
Policy can be attached to
- Users
- Groups
- or Roles.
Ques : We always keep our resources in Region1 (non-default), but when users launch instances they often launch in Region2 (the default region), which is unnecessary cost. Is there a way to restrict it ? (Aug 15)
Ans : Not in a global way (at the time of these notes), but for specific services yes: EC2 exposes the ec2:Region condition key. AWS has since added the global condition key aws:RequestedRegion, which works the same way for every service.
{
  "Version": "2012-10-17",
  "Statement": [ {
      "Sid": "Stmt1375943389569",
      "Action": "ec2:RunInstances",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": { "StringEquals": { "ec2:Region": "eu-central-1" } }
  } ]
}
Caveat: an Allow scoped to one region only helps if no other attached policy grants ec2:* without a region condition; otherwise the other region is still allowed. To actually enforce the rule, use an explicit Deny on "ec2:*" with StringNotEquals on the region key, which wins over any Allow (see the evaluation order below).
Policy evaluation (how a request is decided)
- Evaluate all applicable policies together
- Is there an explicit Deny ?
  - YES : deny the request
  - NO :
    - Is there an explicit Allow ?
      - YES : allow it
      - NO : implicit deny (by default everything is denied)
- Much like a firewall
Ans : always deny (based on the above algorithm): an explicit Deny wins over any Allow.
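As an added example (not part of the original notes and not AWS code), here is a small Python evaluator that applies this order to one request across a list of policies, and runs the region question from above through it: an Allow with a region condition versus an explicit Deny with StringNotEquals, plus the iam:PassedToService condition from the DynamoDB example. The policies, the account ID 123456789012 and the region names are constructed sample data; the evaluator ignores NotAction/NotResource, policy variables, resource-based policies, permission boundaries and SCPs. It also mirrors what the Policy Simulator section below does when you tick different combinations of policies: change the list passed to evaluate() and watch the decision change.

```python
# Added example (not from the original notes, not AWS code): a toy evaluator
# applying the order above. Account ID 123456789012, ARNs and region names are
# made up. Not covered: NotAction/NotResource, policy variables, resource-based
# policies, permission boundaries, SCPs.
import fnmatch


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _matches(patterns, value, fold=False):
    """Wildcard match; action names are case-insensitive, ARNs are not."""
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator/key in a Condition must hold (AND). A key missing from
    the request fails a positive operator but satisfies a negated one: that
    is why StringLike on iam:PassedToService never matches a dynamodb:*
    request, and why a Deny with StringNotEquals also hits requests where
    the key is absent."""
    for operator, tests in (condition or {}).items():
        negated = operator in ("StringNotEquals", "StringNotLike")
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            expected = _as_list(expected)
            if operator in ("StringEquals", "StringNotEquals"):
                hit = actual in expected
            elif operator in ("StringLike", "StringNotLike"):
                hit = any(fnmatch.fnmatchcase(actual, e) for e in expected)
            else:
                raise ValueError("unsupported operator: " + operator)
            if hit == negated:  # positive wants a hit, negated wants none
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one request across all policies: any matching Deny wins
    ("explicit_deny"), else a matching Allow is needed ("allow"), else
    "implicit_deny"."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if (_matches(stmt.get("Action"), action, fold=True)
                    and _matches(stmt.get("Resource", "*"), resource)
                    and _condition_holds(stmt.get("Condition"), context)):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


def _policy(effect, action, condition=None):
    """Build a one-statement policy on Resource "*" (constructed sample data)."""
    stmt = {"Effect": effect, "Action": action, "Resource": "*"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


HOME = {"ec2:Region": "eu-central-1"}
ALLOW_IN_REGION = _policy("Allow", "ec2:RunInstances", {"StringEquals": HOME})
DENY_OUTSIDE_REGION = _policy("Deny", "ec2:*", {"StringNotEquals": HOME})
BROAD_ALLOW = _policy("Allow", "ec2:*")  # e.g. an EC2 full-access managed policy
SALES_TABLE = "arn:aws:dynamodb:us-west-2:123456789012:table/Sales"
PASSED_TO_SERVICE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["dynamodb:*"], "Resource": SALES_TABLE,
    "Condition": {"StringLike": {"iam:PassedToService": "application-autoscaling.amazonaws.com"}}}]}


def region_scenarios():
    """The region question from the notes; returns scenario -> decision."""
    run, other = "ec2:RunInstances", {"ec2:Region": "us-east-1"}
    return {
        # Allow scoped to the home region only implicitly denies other regions...
        "allow_only/home": evaluate([ALLOW_IN_REGION], run, "*", HOME),
        "allow_only/other": evaluate([ALLOW_IN_REGION], run, "*", other),
        # ...so any other attached policy granting ec2:* reopens them.
        "allow_only+broad/other": evaluate([ALLOW_IN_REGION, BROAD_ALLOW], run, "*", other),
        # An explicit Deny with StringNotEquals restricts whatever else allows.
        "deny+broad/other": evaluate([BROAD_ALLOW, DENY_OUTSIDE_REGION], run, "*", other),
        "deny+broad/home": evaluate([BROAD_ALLOW, DENY_OUTSIDE_REGION], run, "*", HOME),
        # iam:PassedToService is never in a DynamoDB request context, so the
        # DynamoDB example statement from the notes grants nothing.
        "passed_to_service": evaluate([PASSED_TO_SERVICE], "dynamodb:GetItem", SALES_TABLE),
    }


if __name__ == "__main__":
    for name, decision in region_scenarios().items():
        print(f"{name:24} {decision}")
```

Running it prints one decision per scenario. The two points worth taking away are the ones the simulator would also show you: an Allow with a condition never removes permissions that some other policy grants, only a Deny does; and a negated operator such as StringNotEquals also matches when the key is missing from the request, so a Deny built on a key that is not present for every call (the classic case is aws:SourceVpc) denies more than intended.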
Types of Policies
- Managed : a standalone object that can be attached to many users, groups or roles
  - AWS managed (maintained by AWS)
  - or Customer managed (you write and version it)
- Inline : embedded directly in a single user, group or role
Ques : When would I want to use an 'Inline Policy' ?
Ans : To handle a one-off case. For example a developer who creates many AWS resources and costs the company extra money, so you want to restrict ONLY that developer.
Inline policies can be embedded in (at creation time or later)
- Groups
- Users
- Roles
Please note the inline policy is part of the entity: if I embed that policy in a role and the role is deleted, so is the inline policy (a managed policy would survive and stay attached to its other entities).
Policy Versioning
Applies to customer managed policies; it is automatic, you don't have to do anything to enable it
As the screenshot shows, a policy can have a maximum of 5 versions; one of them is the default version, which is the one actually in effect
You can also delete old policy versions (to make room for a new one) and roll back by setting an older version as the default
Policy Simulator
A good way to test a policy before putting it in production.
Ex: you want to test whether a policy lets someone delete an S3 bucket. I could write a script that attempts the deletion on an existing (or test) bucket, but the simulator is a much cleaner way: no real API call is made, so nothing is actually deleted.
If we really want to, we can also test a combination of policies (via the checkboxes described below). The same check can be scripted with the IAM API: simulate-principal-policy for the policies attached to an existing user, group or role, and simulate-custom-policy for policy documents you supply.
- goto https://policysim.aws.amazon.com
- login to the aws console
- choose a user, group or role
- clear the box next to each policy that you want to exclude from the test
- in the policy simulator select the services & actions to test
- in the global settings section enter the condition values (e.g. the region or source IP of the simulated request)
- select Run Simulation
After clicking on a user on the LHS, we see the corresponding policies, each one having a checkbox; we can then choose which 'combination' of policies we want to use for the simulation.