Hritik Raj

📜 AWS 118: Setting the Rules - Creating a Custom IAM Policy

πŸ›‘οΈ IAM Policies: The Fine Art of Access Control

Hey Cloud Gatekeepers! 👋

Welcome to Day 18 of the #100DaysOfCloud Challenge: Create IAM Policy! We are diving deeper into the Identity and Access Management service with KodeKloud Engineer.

In previous tasks, we created users and groups. But a group or user without a Policy is like a person with a key but no map: they can get into the building, but they don't know which doors they are allowed to open.

Our mission today: Create a custom IAM policy named iampolicy_mark that provides Read-Only access to the EC2 console.


1. Introduction: What is an IAM Policy? 💡

An IAM Policy is a JSON document that defines permissions. It answers the question: "Can this user perform this specific action on this specific resource?"

  • Managed Policies vs. Custom Policies: AWS provides "Managed Policies" (like ReadOnlyAccess), but sometimes you need to build your own "Customer Managed Policy" to be more specific.
  • The "Mark" Requirement: Our policy needs to allow users to view (but not change) three things:
    1. EC2 Instances
    2. AMIs (Amazon Machine Images)
    3. Snapshots
  • Why it Matters: This is perfect for an auditor or a junior dev who needs to see the status of the infrastructure without the risk of accidentally deleting or stopping a server.

2. Step-by-Step Guide: Creating iampolicy_mark

We will use the Visual Editor in the AWS Console, which makes creating JSON policies much easier.

Step 2.1: Navigate to Policies

  1. Log in to the AWS Console.
  2. Search for IAM and open the dashboard.
  3. In the left sidebar, under "Access management", click on "Policies".

Step 2.2: Start Creation

  1. Click the orange "Create policy" button.

Step 2.3: Use the Visual Editor

  1. Service: Search for and select EC2.
  2. Actions: Under "Access level", look for the "List" and "Read" categories.
    • To meet our requirements, we need permissions like DescribeInstances, DescribeImages (for AMIs), and DescribeSnapshots.
    • Pro-Tip: You can search for "Describe" and select the relevant viewing permissions.
  3. Resources: Select "All resources" (this allows the user to see all instances and snapshots in the account).

Step 2.4: Name and Review

  1. Click "Next".
  2. Policy name: Enter iampolicy_mark.
  3. Description: Enter Read-only access to EC2 instances, AMIs, and snapshots.
  4. Review the permissions summary to ensure only "Read" and "List" levels are granted.

Step 2.5: Create Policy

  1. Click "Create policy".

Success! Your custom policy iampolicy_mark is now ready to be attached to users or groups. 🎉
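The JSON document that the Visual Editor generates behind iampolicy_mark, together with a small check that mirrors Step 2.4's "only Read and List" review, as an added example that is not part of the original post. The Sid, the extra ec2:DescribeInstanceStatus action and the read-only prefix list are my assumptions, not values from the task.

```python
import json

# Constructed example of the policy document behind iampolicy_mark:
# read-only (Describe*) access to EC2 instances, AMIs and snapshots.
# EC2 Describe* actions do not support resource-level permissions,
# so "Resource": "*" matches the "All resources" choice in Step 2.3.
IAMPOLICY_MARK = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2ReadOnlyInstancesImagesSnapshots",  # assumed name
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeImages",
                "ec2:DescribeSnapshots",
            ],
            "Resource": "*",
        }
    ],
}

# Action-name prefixes treated as "List"/"Read" level (assumption for the check).
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def policy_violations(policy: dict) -> list:
    """Return findings for Allow statements that go beyond read-only EC2 access.

    Flags wildcard actions (the "Star" hazard), actions for other services,
    and EC2 actions whose name does not look like a Describe/Get/List call.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a string or a list
            actions = [actions]
        for action in actions:
            service, _, name = action.partition(":")
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif service != "ec2":
                findings.append(f"non-EC2 action {action!r}")
            elif not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"mutating action {action!r}")
    return findings


def policy_document() -> str:
    """Serialize the policy as the JSON you would paste into the IAM JSON editor."""
    return json.dumps(IAMPOLICY_MARK, indent=2)


if __name__ == "__main__":
    print(policy_document())
    print("findings:", policy_violations(IAMPOLICY_MARK) or "none")
```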


3. Key Takeaways 📝

  • Global Service: IAM Policies are created once and can be used globally across all regions.
  • JSON Foundation: Behind the visual editor is a JSON document. As you get more advanced, you'll likely write these manually or use Infrastructure as Code (Terraform/CloudFormation).
  • Least Privilege: By creating a specific policy instead of using AdministratorAccess, you significantly reduce your "Blast Radius" in case of a credential leak.

4. Common Mistakes to Avoid 🚫

  1. Confusing "List" vs "Read": "List" allows you to see that an object exists; "Read" usually allows you to see the details/tags of that object.
  2. The "Star" (*) Hazard: Avoid using Action: "ec2:*" unless you want to give full control. Always specify the action.
  3. Forgetting to Attach: Creating a policy doesn't do anything by itself! You must attach it to a User, Group, or Role for it to take effect.

5. Conclusion + Call to Action! 🌟

You've successfully authored a security document! This is a major step in becoming a cloud security professional. Now the Nautilus team can safely grant "view-only" access to the right people.

How is your 100 Days of Cloud Challenge going? 🛡️

  • 💬 Let’s connect on LinkedIn: Do you prefer using the Visual Editor or writing JSON policies from scratch? 👉 Hritik Raj
  • ⭐ Support my journey on GitHub: Follow the full project and task breakdown. 👉 GitHub – 100 Days of Cloud
