AWS IAM Policies in a Nutshell (jcolemorrison.com)
20 points by colemorrison 1 hour ago | 5 comments

Q: do you apply policy on roles, resources, or both? How do you maintain mental sanity?

We use 1 base policy + 1 policy/role, and so for each role it's easy to see what are its permissions.

We have no policy on resources, so it's hard, e.g., given a bucket to know who has access to it. We're building tooling for that.

Isn't the "Principal" element only a part of S3 permission policies, not IAM? In IAM the "principal" is implied: it's the user to which the policy is attached. Edit: I see you explain it well in the article, but I believe the title of the article could be improved.

Yeah, I mention that in the "Who" aka Principal section. It's like that for any resource-based policy (i.e. like S3). So IAM Users/groups have it implied, but resource-based ones like S3 do not have it implied.

The thing is, an S3 bucket policy is not an IAM policy. It's a bucket policy. They use the same language, format, and syntax, but they are not called the same thing.

Indeed, they're just a "resource" policy. They're still talked about together and share so many of the same attributes that it became more character-saving to say AWS IAM Policies vs. AWS IAM, S3, SNS, SQS, Glacier Policies =P
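The two points raised in this thread, that a resource-based (bucket) policy carries a `Principal` while an identity-based policy must not, and that answering "given a bucket, who has access to it" needs tooling that combines both kinds of policy, can be shown together in a small evaluator. The code below is an added example written for this discussion; it is not code from the linked article, from jcolemorrison.com, or from any commenter. It assumes policies are Python dicts in the IAM JSON grammar and deliberately implements only the same-account core of IAM evaluation (Effect, Action, Resource, Principal; an explicit Deny wins; no Condition, NotAction, NotResource, NotPrincipal, permission boundaries or SCPs). The role ARNs, account ID and policy documents are constructed sample data.

```python
"""Simplified same-account IAM evaluation: which roles can reach a bucket?

Added example for the discussion above, not code from the article or any
commenter. Assumptions: policies are dicts in the IAM JSON grammar; only
Effect, Action, Resource and Principal are honoured; an explicit Deny in any
applicable statement overrides an Allow (as in real IAM); Condition,
NotAction/NotResource/NotPrincipal, permission boundaries and SCPs are ignored.
"""
import fnmatch
from typing import Dict, List, Optional


def _as_list(value) -> list:
    # IAM allows most elements to be either a single string or a list.
    return [value] if isinstance(value, str) else list(value or [])


def _matches(patterns, value: str, fold_case: bool = False) -> bool:
    # IAM wildcards are '*' and '?', which fnmatch understands. Action names
    # are case-insensitive in IAM; resource ARNs are not.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_resource_based(policy: dict) -> bool:
    """A resource-based policy (e.g. a bucket policy) names its Principal.

    An identity-based policy must not: the principal is implied by the user,
    group or role the policy is attached to.
    """
    return any("Principal" in s or "NotPrincipal" in s for s in policy.get("Statement", []))


def _principal_matches(stmt: dict, role_arn: str) -> bool:
    # Only the "AWS" principal type and the bare "*" wildcard are modelled here.
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" or p == role_arn for p in _as_list(principal.get("AWS")))
    return False


def _statement_effect(stmt: dict, action: str, resource: str) -> Optional[str]:
    if not _matches(stmt.get("Action", []), action, fold_case=True):
        return None
    if not _matches(stmt.get("Resource", []), resource):
        return None
    return stmt["Effect"]


def evaluate(statements: List[dict], action: str, resource: str) -> bool:
    """Implicit deny unless some statement allows; any explicit Deny wins."""
    effects = {_statement_effect(s, action, resource) for s in statements}
    return "Deny" not in effects and "Allow" in effects


def who_can(action: str, resource_arn: str, roles: Dict[str, List[dict]],
            bucket_policy: Optional[dict] = None) -> List[str]:
    """Return the sorted role ARNs allowed `action` on `resource_arn`.

    `roles` maps a role ARN to the identity-based policies attached to it.
    Within one account an Allow from either the identity policies or the
    bucket policy is sufficient, and a Deny from either blocks access.
    """
    allowed = []
    for role_arn, policies in roles.items():
        for pol in policies:
            if is_resource_based(pol):  # the thread's Principal point, enforced
                raise ValueError(f"identity policy on {role_arn} must not contain Principal")
        identity_stmts = [s for p in policies for s in p["Statement"]]
        bucket_stmts = [s for s in (bucket_policy or {}).get("Statement", [])
                        if _principal_matches(s, role_arn)]
        if evaluate(identity_stmts + bucket_stmts, action, resource_arn):
            allowed.append(role_arn)
    return sorted(allowed)


# --- constructed sample data (hypothetical account, roles and bucket) ---
ACCOUNT = "123456789012"
ROLE_ANALYTICS = f"arn:aws:iam::{ACCOUNT}:role/analytics"
ROLE_CI = f"arn:aws:iam::{ACCOUNT}:role/ci"
ROLE_AUDIT = f"arn:aws:iam::{ACCOUNT}:role/audit"

# "1 base policy + 1 policy per role", as one commenter described their setup.
BASE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}
ANALYTICS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"}]}
CI = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
ROLES = {ROLE_ANALYTICS: [BASE, ANALYTICS], ROLE_CI: [BASE, CI], ROLE_AUDIT: [BASE]}

# Bucket (resource-based) policy: note the Principal element on each statement.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_AUDIT},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"},
    {"Effect": "Deny", "Principal": {"AWS": ROLE_ANALYTICS},
     "Action": "s3:*", "Resource": "arn:aws:s3:::reports/secret/*"}]}

if __name__ == "__main__":
    print(who_can("s3:GetObject", "arn:aws:s3:::reports/2023.csv", ROLES, BUCKET_POLICY))
    print(who_can("s3:GetObject", "arn:aws:s3:::reports/secret/x", ROLES, BUCKET_POLICY))
```

Running it lists `analytics` and `audit` for the ordinary object (one allowed by its identity policy, the other only by the bucket policy) and `audit` alone for the object under `secret/`, where the bucket policy's Deny overrides the identity Allow. Feeding a bucket policy in as an identity policy raises, which is the structural difference the thread is about.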

