Geek Logbook
Elements in the JSON Policy Structure in IAM

Identities in AWS

In AWS you manage access by creating policies and attaching them to an identity. AWS models the parties that interact with its services as either IDENTITIES or AWS RESOURCES. The distinction matters because it breaks the habit of thinking only in terms of users. This identity-centric way of working becomes clearer once you see that there are several kinds of identities: users, groups of users, and roles. There is also one special identity, the AWS account root user, but I am going to avoid going into detail about it because AWS "strongly recommend that you don't use the root user for your everyday tasks."

JSON policy document

When you attach a policy to an identity, the policy is commonly stored in AWS as a JSON document. Before the policy is created, IAM can run policy validation to help you write an effective one, so you avoid creating a policy with a syntax error or a similar mistake.

The elements of a JSON policy document are the following:

  • Effect: Allow or Deny.
  • Resource: if you create an IAM permission policy, you must specify a list of resources.
  • Action: the list of actions that the policy allows or denies.

Example:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}

There are other elements you may include. They are optional, but advisable.
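To make the three elements concrete, here is an added Python example (not code from the original post or from AWS) that loads a policy document with the same shape as the one above, checks that every statement carries an Effect, an Action and a Resource, and then evaluates a request against it. The policy text, the second Deny statement and the resource names are constructed for the example; the evaluation rule it implements (nothing is allowed unless a statement allows it, and a matching Deny always wins over an Allow) is the standard IAM behaviour, and the wildcard matching is limited to the `*` and `?` that IAM policies use.

```python
import fnmatch
import json

# Constructed sample policy: same structure as the post's example, with a second
# statement added so the Deny-over-Allow rule can be exercised.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": "arn:aws:s3:::example_bucket*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example_bucket/secret/*"
    }
  ]
}
"""

# The three elements the post describes as required in each statement.
REQUIRED_KEYS = ("Effect", "Action", "Resource")


def load_policy(text):
    """Parse a JSON policy document into a dict."""
    return json.loads(text)


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def validate_policy(doc):
    """Return a list of structural problems; an empty list means the shape is usable."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version should be '2012-10-17'")
    if "Statement" not in doc:
        problems.append("missing Statement")
        return problems
    for i, statement in enumerate(_as_list(doc["Statement"])):
        for key in REQUIRED_KEYS:
            if key not in statement:
                problems.append(f"statement {i}: missing {key}")
        if statement.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
    return problems


def _matches(value, patterns):
    # IAM wildcards are '*' and '?'; fnmatchcase handles both, case-sensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(doc, action, resource):
    """Decide a request: implicit deny by default, Allow if a statement matches,
    and any matching Deny statement overrides every Allow."""
    decision = "ImplicitDeny"
    for statement in _as_list(doc["Statement"]):
        if not (_matches(action, statement["Action"])
                and _matches(resource, statement["Resource"])):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    print("problems:", validate_policy(policy))
    for act, res in [
        ("s3:ListBucket", "arn:aws:s3:::example_bucket"),
        ("s3:GetObject", "arn:aws:s3:::example_bucket/secret/key"),
        ("s3:PutObject", "arn:aws:s3:::example_bucket"),
    ]:
        print(act, res, "->", evaluate(policy, act, res))
```

The validator only checks the shape the post describes; real IAM policy validation also checks action names, ARN formats and the optional elements the post mentions, so treat this as an illustration of the structure rather than a replacement for the service-side check.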

Sources:

  1. Policies and permissions in IAM
  2. IAM Identities (users, user groups, and roles)
