
Policy evaluation logic in AWS - Mini Project: Build & Apply

Policy Evaluation Logic in AWS IAM
📖 Scenario: You are managing access control in AWS. You want to understand how AWS evaluates IAM policies to allow or deny actions on resources. Imagine you have a user who tries to perform an action, and AWS checks multiple policies to decide if the action is allowed.
🎯 Goal: Build a simple AWS IAM policy evaluation logic using JSON objects to represent policies and a function to decide if an action is allowed or denied based on these policies.
📋 What You'll Learn
Create a list of policy dictionaries with exact keys and values
Add a variable to specify the action to evaluate
Write a function that checks policies and returns 'Allow' or 'Deny'
Add the final call to the function with the action and policies
💡 Why This Matters
🌍 Real World
Understanding policy evaluation helps secure AWS resources by correctly setting permissions.
💼 Career
Cloud engineers and security specialists must know how IAM policies are evaluated to prevent unauthorized access.
1
Create the initial list of IAM policies
Create a list called policies with two dictionaries. The first dictionary has "Effect": "Allow" and "Action": "s3:GetObject". The second dictionary has "Effect": "Deny" and "Action": "s3:DeleteObject".
Hint: Use a list with two dictionaries exactly as described.

2
Add the action to evaluate
Create a variable called action_to_check and set it to the string "s3:GetObject".
Hint: Set the variable exactly as shown.

3
Write the policy evaluation function
Define a function called evaluate_policies that takes action and policies as parameters. Inside, use a for loop with the loop variable policy to iterate over policies. If policy["Action"] == action and policy["Effect"] == "Deny", return "Deny". After the loop, return "Allow".
Hint: Check for Deny first, then Allow by default.

4
Call the evaluation function
Call the function evaluate_policies with action_to_check and policies as arguments, and assign the result to a variable called result.
Hint: Assign the function call result to result.
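The four steps above assembled into one runnable script. This is an added example, not code from the original page. It keeps evaluate_policies exactly as step 3 specifies, and then goes beyond the tutorial with a second function, evaluate_policies_aws, which follows the rule AWS itself applies: an explicit Deny in any matching statement wins, an explicit Allow is otherwise required, and an action that no statement mentions is implicitly denied. It also accepts "Action" given as a list and "*" wildcards, as real IAM statements do. The helper names _actions and _matches, and the second sample policy set wildcard_policies, are my own constructions.

```python
from fnmatch import fnmatchcase

# Step 1: the two sample policies, constructed exactly as the tutorial describes.
policies = [
    {"Effect": "Allow", "Action": "s3:GetObject"},
    {"Effect": "Deny", "Action": "s3:DeleteObject"},
]

# Step 2: the action to evaluate.
action_to_check = "s3:GetObject"


# Step 3: the tutorial's simplified rule: a matching Deny wins, otherwise Allow.
def evaluate_policies(action, policies):
    for policy in policies:
        if policy["Action"] == action and policy["Effect"] == "Deny":
            return "Deny"
    return "Allow"


# Step 4: evaluate the sample action against the sample policies.
result = evaluate_policies(action_to_check, policies)


# --- Beyond the tutorial: the evaluation order AWS actually uses -----------

def _actions(policy):
    """IAM accepts "Action" as a single string or a list; normalise to a list."""
    actions = policy["Action"]
    return [actions] if isinstance(actions, str) else list(actions)


def _matches(pattern, action):
    """IAM action names are case-insensitive and may contain '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate_policies_aws(action, policies):
    """Explicit Deny > explicit Allow > implicit Deny.

    Unlike evaluate_policies above, an action that no statement mentions
    is denied rather than allowed, which is the default AWS behaviour.
    """
    allowed = False
    for policy in policies:
        if not any(_matches(p, action) for p in _actions(policy)):
            continue  # this statement says nothing about the action
        if policy["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins, stop immediately
        if policy["Effect"] == "Allow":
            allowed = True  # remember the allow, but keep looking for a deny
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


# A constructed policy set using a list of actions and a wildcard, to show
# that the deny on one action still wins over a broad allow.
wildcard_policies = [
    {"Effect": "Allow", "Action": ["s3:*", "sts:GetCallerIdentity"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject"},
]


if __name__ == "__main__":
    print("tutorial rule:", action_to_check, "->", result)
    # The two rules disagree on an action that no policy mentions.
    for name, fn in (("tutorial", evaluate_policies),
                     ("aws-style", evaluate_policies_aws)):
        print(name, "s3:PutObject ->", fn("s3:PutObject", policies))
    for act in ("s3:GetObject", "s3:DeleteObject", "ec2:StopInstances"):
        print("wildcard set", act, "->",
              evaluate_policies_aws(act, wildcard_policies))
```

Running the script shows the difference that matters for access control: the tutorial's function returns "Allow" for s3:PutObject because no policy names it, whereas the AWS-style evaluation returns "Deny" for the same input, since nothing granted it.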