Using Identity-based policies on AWS
Hey! AWS, assign my IAM user access to billing. Well, Alexa might respond to you that way but that’s not how things work over AWS.
In cloud-based services, you often need to ask for permission when you require it because AWS recommends something known as Principle of least privilege (PoLP) or Least privilege Access, which means that a user is given the minimum access needed to perform his/her tasks. So AWS provides Identity-based policies that control what actions an identity (users, groups of users, and roles) can perform, on which resources, and under what conditions. How to do that? let’s find out!
Identity-based policies are JSON permissions policy documents that you can define in AWS, it can be further categorized into
- Managed policies
- Inline policies
You need to understand both, So you can use them effectively.
Managed Policies
Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. Based on how that policy is managed it can be further classified into
- AWS managed policies
- Customer managed policies
AWS managed policies are created and managed by AWS whereas Customer managed policies are created and managed by customers which makes it more customizable and thus offering more control over the policy.
AWS managed policies
Using AWS manages policies are straightforward, go to IAM > Users > “Your desired IAM user”
Click on Add permissions to provide permission to your IAM user
We can Attach existing policies directly, look for the desired policies with Type as AWS managed
Review the policy and Add permissions
You’ll be able to see the recently attached AWS managed policy in the list
Customer managed policies
Similarly, we can create a policy and attach it to existing IAM users, go to
IAM > Policies > Create Policy
Now, we have two options to create a policy either using Visual editor or JSON (Visual editor can be used if you are not familiar with JSON).
Select desired Services and Actions for the policy, I am using read-only access for Billing as a reference here.
I currently don’t need Resources to be selected due to Service type (You must select it if your service requires, either All Resources or Specific Resources) and I don’t wish to add any additional Request conditions.
You can add tags if you want them to be identified via tags
Review your policy (add a Name and Description)
Once done, you’ll be able to select your recently created policy under IAM > User > “Your desired IAM user” > Add permissions > Attach existing policies directly > “Serch for your created policy name”
Review your Policy to be attached
Add permissions and the policy will be attached to the IAM user
Let’s proceed with Inline policies and understand the process.
Inline Policies
Inline policies are one-to-one policies that can be added directly to a single user, group, or role. Gets deleted when you delete the identity.
To begin with, go to
IAM > Users > “Your desired IAM user” > Add inline policy
Similar to the Customer managed policy, you can choose to create a policy with Visual Editor/JSON.
Brownie Info: While creating the policy with Visual editor, the JSON Tab also gets auto-filled with the required JSON data.
Choose Services and Actions (this time I am using IAM (List-Read) service for reference)
I’ll select All resources while you can also select specific resources if you want
I also want it to have MFA, So I have added it under Request conditions (Just to give you an example of how Request condition can be included)
Give a name and review your policy
Your inline policy will get listed with other attached policies
With that being said, You’ve now aced the Identity-based policy on AWS. There are still more policies and permissions that AWS offers that you can find on the official AWS documentation website. Until next time 😉
More content at PlainEnglish.io. Sign up for our free weekly newsletter. Follow us on Twitter, LinkedIn, YouTube, and Discord. Interested in Growth Hacking? Check out Circuit.
