IAM Policies and Resource Policies

IAM and Resource Policies are the core of access control in AWS. They define who can access AWS resources, what actions they can perform, and under what conditions.

Managing IAM Policies and Resource Policies ensures

Least Privilege Access – Users and applications only get the permissions they need.
Security Compliance – Prevents unauthorized access to sensitive AWS resources.
Multi-Account Security – Controls access across AWS Organizations and accounts.
Granular Access Control – IAM Policies define permissions at the identity level, while Resource Policies secure specific resources.

Key Concepts: IAM vs. Resource Policies

Policy Type

Purpose

Where It Is Applied?

Example

IAM Policies (Identity-Based)

Grants permissions to IAM Users, Groups, or Roles.

Attached to IAM Users, Groups, or Roles.

SecureCart’s EC2 instance role allows access to S3.

Resource Policies

Controls who can access a specific AWS resource.

Attached directly to an AWS resource (e.g., S3 bucket, Lambda function, KMS key).

SecureCart allows only the payments team to access a KMS key.

Permission Boundaries

Defines the maximum permissions an IAM User or Role can have.

Applied to IAM Roles and IAM Users.

SecureCart developers can only create resources within a defined boundary.

Service Control Policies (SCPs)

Restricts permissions across multiple AWS accounts in an Organization.

Applied at the AWS Organizations level.

SecureCart prevents IAM Users from being created in production.

Session Policies

Temporary policies applied during an AWS session.

Used in STS AssumeRole calls.

SecureCart applies fine-grained permissions to temporary access tokens.

Access Control Lists (ACLs)

Grants permissions at the object level in S3 or networking resources.

Applied at the S3 bucket object level and VPC networking (NACLs).

SecureCart allows a specific AWS account to access certain objects in an S3 bucket.

Understanding IAM Policies (Identity-Based Policies)

IAM Policies define who (IAM user, role, or group) can do what (actions) on which resources, and under what conditions.

IAM Policy Structure (JSON Format)

IAM Policies follow a JSON format with key elements:

jsonCopyEdit{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::securecart-orders"
    }
  ]
}

Key Elements Explained:

Effect → Allow or Deny.
Action → Specifies AWS API operations (e.g., s3:ListBucket).
Resource → Defines which AWS resources the policy applies to.
Condition (Optional) → Adds conditions to the policy (e.g., allow access only from specific IPs).

Best Practices for IAM Policies

Use IAM Roles instead of IAM Users for permissions.
Follow least privilege by granting only necessary permissions.
Use AWS Managed Policies when possible.
Enable IAM Access Analyzer to detect overly permissive policies.

Section 5: Common IAM Policy Mistakes & Fixes

Common Mistake

Best Practice

❌ Using * in Action & Resource

✅ Follow least privilege principle by specifying only necessary actions/resources.

❌ Assigning policies to IAM Users directly

✅ Use IAM Roles instead for better security.

❌ Not enforcing encryption in resource policies

✅ Enforce KMS encryption on S3, DynamoDB, and EBS volumes.

❌ Using overly permissive wildcard (*) in SCPs

✅ Define specific restrictions in SCPs instead of broad denies.

📌 Hands-On Lab: Implement IAM & Resource Policies for SecureCart

🎯 Goal: ✅ Create an IAM Role with an IAM Policy to allow access to S3. ✅ Attach a Resource Policy to an S3 bucket to restrict access. ✅ Use SCPs to enforce security controls across AWS Organizations.

📌 Summary

Concept

AWS Service

Best Practice

Identity-Based Policies

AWS IAM Policies

Assign policies to IAM Roles instead of IAM Users.

Resource-Based Policies

S3, KMS, Lambda Policies

Restrict access directly at the resource level.

Permission Boundaries

IAM Permission Boundaries

Control max permissions for IAM Users/Roles.

SCPs

AWS Organizations

Restrict actions across all accounts.

✅ Following these best practices ensures that SecureCart applications remain secure and compliant.

SecureCart Use Case: Managing IAM Policies and Resource Policies

Business Context

SecureCart is an e-commerce platform that processes customer orders, manages inventory, and handles sensitive payment information. To protect its infrastructure, SecureCart must implement strict identity and access controls using IAM Policies and Resource Policies while ensuring compliance with security best practices.

📌 Security Challenges for SecureCart

🔹 Protect customer data and prevent unauthorized access to AWS resources. 🔹 Ensure developers and services have only the required permissions (least privilege). 🔹 Prevent accidental exposure of AWS resources (e.g., public S3 buckets, excessive IAM permissions). 🔹 Restrict access to production environments while allowing flexibility in development and testing. 🔹 Ensure compliance with internal security policies and industry regulations.

📌 How SecureCart Uses IAM Policies & Resource Policies

Requirement

Solution

SecureCart Implementation

Limit developer access to specific resources

IAM Policies (Identity-Based)

Developers have an IAM Role with restricted S3 access (no delete permissions).

Prevent unauthorized API calls to AWS services

IAM Role Policies

Lambda functions are assigned an IAM Role with least privilege instead of using static credentials.

Secure access to production vs. dev environments

IAM Policies + Permission Boundaries

SecureCart applies IAM Policies restricting access to production accounts.

Prevent S3 buckets from being publicly accessible

S3 Bucket Resource Policy

A Resource Policy denies all public access unless explicitly granted.

Ensure only SecureCart’s AWS accounts access sensitive data

S3 and KMS Resource Policies

SecureCart’s S3 and KMS keys only allow access from whitelisted accounts.

Restrict what AWS services teams can use

Service Control Policies (SCPs)

SCPs prevent non-compliant actions, such as launching unapproved instance types.

📌 IAM Policy Use Case: Least Privilege for Developers

SecureCart wants to ensure that developers can access logs but cannot delete them.

✅ IAM Role Policy for Developers (Allows Read-Only Access to Logs, No Deletion)

jsonCopyEdit{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::securecart-logs",
        "arn:aws:s3:::securecart-logs/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::securecart-logs/*"
    }
  ]
}

📌 Impact: Developers can view and retrieve logs, but they cannot delete logs, preventing accidental loss of critical data.

📌 Resource Policy Use Case: Restricting S3 Bucket Access

SecureCart stores customer invoices in an S3 bucket and needs to prevent unauthorized external access.

✅ S3 Bucket Policy to Block Public Access & Require IAM Authentication

jsonCopyEdit{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::securecart-invoices",
        "arn:aws:s3:::securecart-invoices/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

📌 Impact: ✅ Blocks all unauthenticated users from accessing the bucket. ✅ Forces the use of HTTPS for secure data transmission.

📌 SCP Use Case: Preventing IAM User Creation in Production

SecureCart wants to enforce a rule that prevents IAM Users from being created in the production environment.

✅ SCP Applied at AWS Organization Level (Denies IAM User Creation in Production Accounts)

jsonCopyEdit{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "iam:CreateUser",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}

📌 Impact: ✅ Prevents SecureCart’s AWS accounts from allowing IAM Users, enforcing best practices of using IAM Roles instead.

📌 Key Takeaways for SecureCart

🔹 IAM Policies control what actions users and roles can perform. 🔹 Resource Policies restrict who can access specific AWS resources. 🔹 SCPs enforce security policies across SecureCart’s AWS Organizations. 🔹 SecureCart applies least privilege principles to minimize security risks

Last updated 1 year ago