AWS IAM: Identity-Based vs Resource-Based Policies and Conflict Resolution

1. Identity-Based Policy

  • Definition: Attached to users, groups, or roles.

  • Purpose: Defines what actions the entity can perform on specific resources.

  • Example: Allow MarketingTeam IAM group to perform rds:DescribeDBInstances.

  • Key Point: Specifies actions for users, groups, or roles.

  • Policy Example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "rds:DescribeDBInstances",
            "Resource": "arn:aws:rds:region:account-id:db:db-instance-id"
        }
    ]
}

  • Grants MarketingTeam group members permission to view RDS instance details.

2. Resource-Based Policy

  • Definition: Attached directly to AWS resources.

  • Purpose: Controls who can access the resource and what actions they can perform.

  • Example: Allow DevOps IAM role to perform s3:PutObject on an S3 bucket.

  • Key Point: Controls resource access by users or services.

  • Policy Example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:role/DevOps"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}

  • Allows the DevOps role to upload objects to a specific S3 bucket.

3. Identity-Based Policy vs Resource-Based Policy

  • Identity-Based Policy:

    • Attached To: IAM users, groups, roles.

    • Purpose: Defines what the entity can do on AWS resources.

  • Resource-Based Policy:

    • Attached To: Specific AWS resources (e.g., S3 buckets).

    • Purpose: Controls access to the resource, defining who can perform actions.

4. Conflict Resolution: Identity-Based vs Resource-Based Policies

  • What happens when an identity-based policy and a resource-based policy conflict?

    • Example:

      • Resource-Based Policy: Denies John from deleting objects (s3:DeleteObject) in an S3 bucket.

      • Identity-Based Policy: Allows John to delete objects in the same S3 bucket.

  • Resolution Rules:

    1. Explicit Deny: Always takes precedence over any Allow. If a resource-based policy denies an action, it cannot be performed, regardless of what the identity-based policy states.

    2. Explicit Allow: Applies only if there is no conflicting Deny.

    3. Default Deny: If no policy explicitly allows the action, it is denied by default.

  • Example Result:

    • Outcome: John cannot delete objects in the S3 bucket, because the resource-based policy explicitly denies this action, which overrides the identity-based policy's allowance.
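As an added illustration of the three resolution rules (this is example code, not from the original post), the following Python evaluator applies them to constructed identity-based and bucket policies for the John scenario; the account id, principal ARN, bucket name and object key are placeholders. It models the same-account case only, where an Allow in either the identity-based or the resource-based policy is sufficient as long as nothing explicitly denies the action.

```python
import fnmatch

# Constructed sample policies for the John scenario (placeholder values):
# the identity-based policy attached to John allows s3:DeleteObject, while
# the bucket policy explicitly denies it for John's principal ARN.
JOHN = "arn:aws:iam::111122223333:user/John"      # placeholder account id
BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"

IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:DeleteObject"],
                   "Resource": BUCKET_OBJECTS}],
}

RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Principal": {"AWS": JOHN},
                   "Action": "s3:DeleteObject",
                   "Resource": BUCKET_OBJECTS}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, principal, action, resource):
    """True if the statement's Principal (resource policies only), Action and
    Resource all cover the request. '*' and '?' wildcards are honoured via fnmatch;
    only the "AWS" principal form is modelled here (a simplification)."""
    if "Principal" in statement:
        p = statement["Principal"]
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(fnmatch.fnmatchcase(principal, pat) for pat in principals):
            return False
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, pat) for pat in actions)
            and any(fnmatch.fnmatchcase(resource, pat) for pat in resources))

def evaluate(principal, action, resource, *policies):
    """Same-account decision: an explicit Deny wins, otherwise any Allow wins,
    otherwise the request is denied by default (implicit Deny)."""
    effects = {s["Effect"] for policy in policies for s in policy["Statement"]
               if _matches(s, principal, action, resource)}
    if "Deny" in effects:
        return "Deny (explicit)"
    if "Allow" in effects:
        return "Allow"
    return "Deny (implicit)"

if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/report.csv"   # placeholder object
    for act in ("s3:DeleteObject", "s3:GetObject", "s3:PutObject"):
        print(act, "->", evaluate(JOHN, act, key, IDENTITY_POLICY, RESOURCE_POLICY))
```

To check the same decision against AWS itself rather than this toy model, the IAM policy simulator (SimulateCustomPolicy) accepts an identity policy list together with a resource policy for a given action and resource ARN.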