Using Identity-based policies on AWS | Harsh Patel

Using Identity-based policies on AWS

Hey! AWS, assign my IAM user access to billing. Well, Alexa might respond to you that way but that’s not how things work over AWS.

In cloud-based services, you often need to ask for permission when you require it because AWS recommends something known as Principle of least privilege (PoLP) or Least privilege Access, which means that a user is given the minimum access needed to perform his/her tasks. So AWS provides Identity-based policies that control what actions an identity (users, groups of users, and roles) can perform, on which resources, and under what conditions. How to do that? let’s find out!

Identity-based policies are JSON permissions policy documents that you can define in AWS, it can be further categorized into

  1. Managed policies
  2. Inline policies

You need to understand both, So you can use them effectively.

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. Based on how that policy is managed it can be further classified into

  1. AWS managed policies
  2. Customer managed policies

AWS managed policies are created and managed by AWS whereas Customer managed policies are created and managed by customers which makes it more customizable and thus offering more control over the policy.

AWS managed policies

Using AWS manages policies are straightforward, go to IAM > Users > “Your desired IAM user”

Selecting IAM user

Click on Add permissions to provide permission to your IAM user

Add permissions to IAM user

We can Attach existing policies directly, look for the desired policies with Type as AWS managed

Select AWS manages policy

Review the policy and Add permissions

Review the policy

You’ll be able to see the recently attached AWS managed policy in the list

AWS manages policy attached to IAM user

Customer managed policies

Similarly, we can create a policy and attach it to existing IAM users, go to

IAM > Policies > Create Policy

Create a Customer managed policy

Now, we have two options to create a policy either using Visual editor or JSON (Visual editor can be used if you are not familiar with JSON).

Select desired Services and Actions for the policy, I am using read-only access for Billing as a reference here.

Select Services and Actions

I currently don’t need Resources to be selected due to Service type (You must select it if your service requires, either All Resources or Specific Resources) and I don’t wish to add any additional Request conditions.

You can add tags if you want them to be identified via tags

using tags to the policy

Review your policy (add a Name and Description)

Review the policy

Once done, you’ll be able to select your recently created policy under IAM > User > “Your desired IAM user” > Add permissions > Attach existing policies directly > “Serch for your created policy name”

Select your Customer managed policy

Review your Policy to be attached

Review the policy

Add permissions and the policy will be attached to the IAM user

The attached policy being displayed

Let’s proceed with Inline policies and understand the process.

Inline policies are one-to-one policies that can be added directly to a single user, group, or role. Gets deleted when you delete the identity.

To begin with, go to

IAM > Users > “Your desired IAM user” > Add inline policy

Adding inline policy

Similar to the Customer managed policy, you can choose to create a policy with Visual Editor/JSON.

Brownie Info: While creating the policy with Visual editor, the JSON Tab also gets auto-filled with the required JSON data.

Sample of JSON data (Ignore this, it’s just for your information)

Choose Services and Actions (this time I am using IAM (List-Read) service for reference)

Selecting Services and Actions

I’ll select All resources while you can also select specific resources if you want

Selecting resources in the policy

I also want it to have MFA, So I have added it under Request conditions (Just to give you an example of how Request condition can be included)

Selecting Request conditions

Give a name and review your policy

Review the policy

Your inline policy will get listed with other attached policies

The inline policy listed with other attached policies

With that being said, You’ve now aced the Identity-based policy on AWS. There are still more policies and permissions that AWS offers that you can find on the official AWS documentation website. Until next time 😉

I am an Rookie scaling vertically as an Veteran. Learning Cloud and DevOps technologies because “It ran on my machine” excuse doesn’t work anymore.