
IAM policies (JSON structure) in AWS - Commands & Configuration

Introduction
IAM policies control who can do what in your AWS account. They are written in JSON and tell AWS which actions are allowed or denied on which resources.
Typical use cases:
- When you want to give a user permission to access only specific AWS services.
- When you need to restrict access to certain parts of your AWS resources for security.
- When you want to allow an application to perform actions on AWS on your behalf.
- When you want to create reusable permission sets for groups of users.
- When you want to audit and control access to your AWS environment.
Config File - example-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

Version: The policy language version. Use "2012-10-17", the current version; older or missing values disable features such as policy variables.

Statement: A list of one or more statements. Each statement is a single permission block made of Effect, Action and Resource.

Effect: Whether the statement allows or denies the listed actions ("Allow" or "Deny"). An explicit Deny always overrides an Allow.

Action: The AWS API actions this statement allows or denies, written as service:Operation (for example s3:GetObject).

Resource: The ARNs of the specific AWS resources this statement applies to. In the example, the bucket ARN covers bucket-level actions such as s3:ListBucket, while the ARN ending in /* covers the objects inside the bucket for s3:GetObject.

Commands
This command creates a new IAM policy named ExampleS3ReadOnlyPolicy using the JSON file example-policy.json. It defines permissions for S3 read-only access to a specific bucket.
Terminal
aws iam create-policy --policy-name ExampleS3ReadOnlyPolicy --policy-document file://example-policy.json
Expected Output
{
  "Policy": {
    "PolicyName": "ExampleS3ReadOnlyPolicy",
    "PolicyId": "ABCDEFGHIJKLMN1234567",
    "Arn": "arn:aws:iam::123456789012:policy/ExampleS3ReadOnlyPolicy",
    "Path": "/",
    "DefaultVersionId": "v1",
    "AttachmentCount": 0,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": true,
    "CreateDate": "2024-06-01T12:00:00Z",
    "UpdateDate": "2024-06-01T12:00:00Z"
  }
}
--policy-name - Sets the name of the new IAM policy.
--policy-document - Specifies the JSON file that contains the policy.
This command lists all customer-created IAM policies in your AWS account to verify the new policy was created.
Terminal
aws iam list-policies --scope Local
Expected Output
Policies:
- ExampleS3ReadOnlyPolicy
- AnotherCustomPolicy
- MyTestPolicy
--scope - Filters policies to only those created in your account (not AWS managed).
Key Concept

If you remember nothing else from this pattern, remember: IAM policies are JSON documents that explicitly allow or deny actions on AWS resources.

Common Mistakes
- Using incorrect JSON syntax in the policy document.
  Why it matters: AWS rejects the policy because the document must be valid JSON.
  Fix: Always validate your JSON syntax before applying the policy.
- Not specifying the correct resource ARN in the policy.
  Why it matters: The policy will not apply to the intended resources, causing permission errors. For S3 this is a frequent trap: s3:ListBucket needs the bucket ARN, while s3:GetObject needs the object ARN (the one ending in /*), which is why the example lists both.
  Fix: Use the exact ARN format for the AWS resource you want to control.
- Forgetting to set the Effect to Allow or Deny.
  Why it matters: A statement without an Effect is invalid, so AWS will reject the policy.
  Fix: Always include Effect with either "Allow" or "Deny" in each statement.
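To make the structure rules and the bucket-versus-object ARN point concrete, here is an added Python example (not code from the page or from AWS) that loads the page's example-policy.json, reports the three structural mistakes listed above, and runs a deliberately simplified IAM decision (explicit Deny wins, then Allow, otherwise implicit deny) for a given action and resource ARN. Principal, Condition and NotAction/NotResource are assumed out of scope.

```python
import fnmatch
import json

# Constructed sample: the example-policy.json shown on this page.
POLICY_JSON = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:ListBucket", "s3:GetObject"],
  "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}"""

def load_policy(text=POLICY_JSON):
    # json.loads raises ValueError on malformed JSON, the first common mistake.
    return json.loads(text)

def _as_list(v):
    # Action and Resource may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]

def check_policy(doc):
    """Return structural problems (empty list = looks sane): wrong Version,
    missing/invalid Effect, missing Action or Resource, Resource not ARN-shaped."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for key in ("Action", "Resource"):
            if key not in st:
                problems.append(f"statement {i}: missing {key}")
        for arn in _as_list(st.get("Resource", [])):
            if arn != "*" and not arn.startswith("arn:"):
                problems.append(f"statement {i}: resource {arn!r} is not an ARN")
    return problems

def evaluate(doc, action, resource):
    """Simplified IAM decision: explicit Deny wins, else Allow, else implicit deny.
    '*' and '?' in Action/Resource are matched as globs (case-sensitive here);
    Principal, Condition and NotAction/NotResource are not modelled."""
    decision = "ImplicitDeny"
    for st in doc["Statement"]:
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

Running evaluate(load_policy(), "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv") returns "Allow", while the same call with "s3:PutObject" or with an object in another bucket returns "ImplicitDeny", which is exactly the read-only scope the page's policy intends.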
Summary
Create IAM policies as JSON files defining allowed or denied actions on AWS resources.
Use the AWS CLI to create and list policies to manage permissions.
Always validate JSON syntax and specify correct resource ARNs to avoid errors.