AWS IAM POLICIES Deep Dive
iamgroups #iamusers #iamroles #iampolicies
π This article is part of the AWS IAM Deep Dive series.
- Part 1: IAM Users Deep Dive
- Part 2: IAM Groups Deep Dive
- Part 3: IAM Roles Deep Dive
- Part 4: IAM Policies Deep Dive
PART 4: IAM POLICIES
aws #iam #devops #cloud
AWS IAM Policies Complete Guide
1. What is an IAM Policy?
An IAM Policy is a JSON document that defines permissions in AWS. Policies specify:
- Who can access (via users, groups, or roles)
- What actions can be performed
- On which resources (ARNs)
- Under what conditions (e.g., IP, MFA, tags)
They are the building blocks of access control in AWS, attached to identities (IAM users, groups, roles) or directly to resources (S3 buckets, KMS keys, etc.).
2. Core Characteristics of IAM Policies
Policy Types
- Managed Policies: AWS-managed or customer-managed, reusable across identities
- Inline Policies: Embedded directly into a user/group/role (one-to-one relationship)
Policy Document Structure
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow" | "Deny",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": ["arn:aws:s3:::my-bucket/*"],
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
]
}
Effect: Allow or Deny (explicit deny always wins)
Action: API operations (e.g., ec2:StartInstances)
Resource: Specific resources by ARN
Condition: Contextual restrictions
Policy Evaluation Logic
Start with default deny
Apply explicit denies
Apply explicit allows
- Common Problems With IAM Policies
π΄ Overly broad policies: Using Action:"" and Resource:""
π΄ Inline policies sprawl: Hard to manage since they are tied to a single identity
π΄ Policy size/limits: Limited to 6,144 characters; too many statements cause scaling issues
π΄ Lack of conditions: Granting access without MFA/IP conditions increases attack surface
π΄ Dependency confusion: Mixing AWS-managed and customer-managed policies without documentation
- Solutions and Best Practices Policy Management Use customer-managed policies instead of inline for reusability
Follow least privilege principle β grant only required actions on specific resources
Use IAM Access Analyzer to validate and detect broad access
Security Hardening
Add MFA requirements in conditions
Use tags & conditions for environment-based restrictions (e.g., Environment=Prod)
Avoid attaching AdministratorAccess except for break-glass scenarios
Lifecycle Management
Version and track policies with IaC (Terraform/CloudFormation)
Regularly run IAM Access Advisor to remove unused permissions
Review SCPs in AWS Organizations for org-wide boundaries
- Industry Examples Startup: Developers share a S3ReadWritePolicy (customer-managed) attached to a group; inline avoided
Enterprise: Hundreds of microservices β policies modularized per service; SCPs block public S3 buckets
Finance: MFA required for sensitive actions (ec2:TerminateInstances); quarterly compliance reviews
DevOps: Policies stored in Git, deployed via Terraform; CI/CD pipeline lints policies to prevent : mistakes
- Interview Questions on IAM Policies Basic Level What is an IAM Policy?
Difference between AWS-managed and customer-managed policies?
Inline policy vs. managed policy?
Intermediate Level
How does IAM policy evaluation logic work?
How would you enforce least privilege?
Why is Deny more powerful than Allow?
Advanced Level
How do you design scalable IAM policies across multiple AWS accounts?
How do SCPs and IAM policies interact?
How do you restrict actions to specific environments (dev vs. prod)?
- Hands-On Guide Pre-checks You must have IAM rights: iam:CreatePolicy, iam:AttachUserPolicy, etc.
Decide: inline or managed? AWS-managed or customer-managed?
Define scope: Actions, Resources, Conditions
Console Steps
Open IAM Console β Policies β Create policy
Choose Visual editor or JSON
Define actions (e.g., s3:GetObject)
Select resources (specific bucket ARN)
Add optional conditions (MFA, IP, tags)
Review and create
CLI Examples
# Create a customer-managed policy
aws iam create-policy \
--policy-name S3ReadOnlyPolicy \
--policy-document file://s3readonly.json
# Attach policy to a user
aws iam attach-user-policy \
--user-name dev-alice \
--policy-arn arn:aws:iam::123456789012:policy/S3ReadOnlyPolicy
# List policies attached to a group
aws iam list-attached-group-policies --group-name Developers
# Detach policy
aws iam detach-role-policy \
--role-name EC2AppRole \
--policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
# Delete policy (cleanup)
aws iam delete-policy \
--policy-arn arn:aws:iam::123456789012:policy/S3ReadOnlyPolicy
Automation & Reporting
# Validate policy with Access Analyzer
aws accessanalyzer validate-policy \
--policy-document file://s3readonly.json \
--policy-type IDENTITY_POLICY
# List unused policies
aws iam list-policies --scope Local --only-attached=false
π Wrapping Up
IAM Policies are the foundation of AWS security.
By writing clear, reusable, and least-privileged policies, you can build strong guardrails for your environment.
π Remember:
Prefer managed over inline
Always validate with Access Analyzer
Automate with IaC for versioning and consistency
β Thanks for reading! If this helped, donβt forget to:
Leave a reaction and follow for more AWS/DevOps guides
Drop your questions or examples of policy misconfigurations
Share this with your team so everyone follows least privilege best practices
π Stay tuned for the next deep dive in this series!
Top comments (0)