Monday, 13 October 2025

Policy types in AWS

There are several types of AWS policies, but the primary and most commonly referenced categories are identity-based policies and resource-based policies.

Main AWS Policy Types



Identity-based policies are attached to IAM identities (users, groups, or roles) and define which actions those identities may perform on which resources.


Resource-based policies are attached directly to AWS resources (such as S3 buckets or SNS topics) and specify which principals (identities or accounts) may access the resource and which actions they may perform.

Resource-based policy example (an S3 bucket policy that allows s3:GetObject on the bucket and its objects only when the request arrives through the VPC endpoint vpce-1a2b3c4d; requests from anywhere else are not matched by this statement):

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPCE-only",
       "Principal": "*",
       "Action": "s3:GetObject",
       "Effect": "Allow",
       "Resource": ["arn:aws:s3:::yourbucketname",
                    "arn:aws:s3:::yourbucketname/*"],
       "Condition": {
         "StringEquals": {
           "aws:SourceVpce": "vpce-1a2b3c4d"
         }
       }
     }
   ]
}



Other AWS Policy Types

In addition to the above, AWS supports several other policy types, including:
  • Managed policies (AWS managed and customer managed)
  • Inline policies (directly embedded on a single identity)
  • Permissions boundaries (set maximum permissions for identities)
  • Service Control Policies (SCPs, used in AWS Organizations)
  • Access Control Lists (ACLs, primarily for resources like S3 buckets)
  • Session policies (restrict permissions for sessions created with temporary credentials).

While identity-based and resource-based policies are the two fundamental categories most often discussed, the broader IAM ecosystem includes these additional forms for more advanced governance and restriction.




How do resource-based and identity-based policies differ?


Resource-based and identity-based policies in AWS differ primarily in where they are attached and in how they control access to AWS resources.

Key Differences


Identity-based policies are attached to IAM entities (users, groups, or roles) and specify what actions these identities can perform on which resources. For example, an IAM user can have a policy that permits reading from specific DynamoDB tables or starting EC2 instances.

Resource-based policies are attached directly to AWS resources (such as S3 buckets, SNS topics, or KMS keys). These policies define which principals (users, roles, accounts) can access the resource and what actions they are allowed to perform. Resource-based policies allow fine-grained control, including granting access to principals outside the resource owner's AWS account.

Attachment and Usage


Identity-based policies are managed in IAM and are the natural place to grant one principal access to many resources at once.

Resource-based policies are attached to individual resources and are used when access control needs to be defined at the resource level, for example for cross-account or external-identity access.

Policy Evaluation


When a request to access a resource is made, AWS evaluates all applicable identity-based and resource-based policies together.

An explicit Deny in any applicable policy overrides every Allow, so a single Deny statement is enough to block a request.

Both types can be used separately or together, depending on security architecture and the granularity of control required for identities and resources.


If a resource-based policy allows access to some user, do we need a separate identity-based policy attached to that user that allows access to that resource?


If a resource-based policy allows access to a user in the same account, there is generally no need to attach a separate identity-based policy for that specific action; access is granted solely on the basis of the resource-based policy's Allow.

Details on Policy Evaluation Logic


When a request is made, AWS checks both the identity-based and the resource-based policies that apply to it.

If any applicable policy contains an explicit Deny, access is denied regardless of any Allow statements elsewhere.

If at least one policy (identity-based or resource-based) contains a matching Allow and there is no explicit Deny, the action is permitted.

For resource-based policies, the permission is granted directly to the designated principal (user or role), even if that principal has no identity-based policy allowing the action.

In cross-account scenarios, both the identity-based policy in the requesting account and the resource-based policy on the target resource must allow the action; otherwise access is denied.

A resource-based policy alone can therefore grant a same-account user access to a resource, with no identity-based policy needed for that resource and action; the access works as long as the resource-based policy allows it and no policy explicitly denies it. Identity-based policies become useful when a principal needs permissions across many resources, or when finer-grained control over a single identity is wanted. In every case AWS evaluates all applicable identity-based and resource-based policies for the request: an explicit Deny in any of them rejects the request, and otherwise, within a single account, one matching Allow is enough.

This means a user with no identity-based permission, but with permission in a resource-based policy, can still access that specific resource unless a deny blocks them. However, in cross-account situations, both a corresponding identity-based policy in the user's account and a resource-based policy in the resource owner's account must allow the action for access to succeed.
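As an added illustration (not code from the original post or from AWS), the following Python script models the evaluation rules just described: an explicit Deny wins, a same-account request needs a matching Allow in either the identity-based or the resource-based policy, and a cross-account request needs one in both. It also matches the Principal, Action, Resource and Condition elements well enough to evaluate the S3 bucket policy from the earlier example. The bucket name, the account ids and the IAM user are constructed sample values; only the StringEquals condition operator is modelled, and everything else the real engine considers (SCPs, permissions boundaries, session policies, NotAction/NotResource, other condition operators) is deliberately left out.

```python
"""Toy model of AWS policy evaluation as described in the post (not AWS's engine)."""
from fnmatch import fnmatchcase

# Constructed sample data: account ids, bucket name and endpoint id are made up.
BUCKET_OWNER = "111111111111"
RESOURCE_POLICY = {  # the bucket policy from the post, with a sample bucket name
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}},
    }],
}
IDENTITY_ALLOW = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
IDENTITY_DENY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    """Principal element of a resource-based statement: "*" or {"AWS": [...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _condition_matches(condition, context):
    """Only StringEquals is modelled; a context key that is absent fails the check."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _statement_matches(stmt, request, check_principal):
    # Identity-based statements carry no Principal, so the check is skipped for them.
    if check_principal and not _principal_matches(stmt.get("Principal"), request["principal"]):
        return False
    if not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_matches(stmt.get("Condition", {}), request.get("context", {}))


def _effects(policy, request, check_principal):
    """Set of Effects ("Allow"/"Deny") of the statements that match the request."""
    if policy is None:
        return set()
    return {s["Effect"] for s in policy["Statement"]
            if _statement_matches(s, request, check_principal)}


def evaluate(request, identity_policy, resource_policy):
    """Return "Allow" or "Deny" for one request, following the rules in the post."""
    ident = _effects(identity_policy, request, check_principal=False)
    res = _effects(resource_policy, request, check_principal=True)
    if "Deny" in ident or "Deny" in res:
        return "Deny"                       # an explicit Deny always wins
    principal_account = request["principal"].split(":")[4]
    if principal_account == request["resource_owner"]:
        return "Allow" if "Allow" in ident | res else "Deny"   # same account: either side
    return "Allow" if "Allow" in ident and "Allow" in res else "Deny"  # cross-account: both


def _request(account, vpce):
    """A constructed s3:GetObject request from user 'alice' in the given account."""
    return {
        "principal": f"arn:aws:iam::{account}:user/alice",
        "action": "s3:GetObject",
        "resource": "arn:aws:s3:::example-bucket/report.csv",
        "resource_owner": BUCKET_OWNER,
        "context": {"aws:SourceVpce": vpce},
    }


def demo():
    """Evaluate the scenarios discussed in the post and return the decisions."""
    same = _request(BUCKET_OWNER, "vpce-1a2b3c4d")
    other = _request("222222222222", "vpce-1a2b3c4d")
    return {
        "same account, no identity policy, via endpoint": evaluate(same, None, RESOURCE_POLICY),
        "same account, no identity policy, wrong endpoint":
            evaluate(_request(BUCKET_OWNER, "vpce-ffffffff"), None, RESOURCE_POLICY),
        "same account, identity Deny": evaluate(same, IDENTITY_DENY, RESOURCE_POLICY),
        "cross account, no identity policy": evaluate(other, None, RESOURCE_POLICY),
        "cross account, identity Allow": evaluate(other, IDENTITY_ALLOW, RESOURCE_POLICY),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{decision:5}  {scenario}")
```

Running the script prints one decision per scenario. The second scenario shows the bucket policy's condition failing to match, which is an implicit deny rather than an explicit one; the fourth shows why a principal in another account still needs an identity-based Allow even though the bucket policy's Principal is "*".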

Are policies listed in IAM in AWS Console, only identity-based policies?


Yes, the policies listed in the IAM section of the AWS Console are only identity-based policies—specifically managed policies and inline policies that are attached to IAM users, groups, or roles.

IAM policies you see under "Policies" are either AWS managed, customer managed, or inline identity-based policies.

Resource-based policies (such as S3 bucket policies, SNS topic policies, or Lambda resource policies) are not listed centrally under IAM "Policies" in the Console; instead, they are managed from the respective service consoles (for example, the S3 or Lambda management screens).

The IAM Console does not display resource-based policies in the Policies list, since these are stored on resources, not on IAM identities.

To summarize, only identity-based policies—managed and inline—are listed in the IAM policies view in the AWS Console. Resource-based policies are managed and reviewed from the console page of each AWS service resource.
