AWS IAM: Identity-Based vs Resource-Based Policies and Conflict Resolution
1. Identity-Based Policy
Definition: Attached to users, groups, or roles.
Purpose: Defines what actions the entity can perform on specific resources.
Example: Allow the MarketingTeam IAM group to perform rds:DescribeDBInstances.
Key Point: Specifies the actions a user, group, or role may perform.
Policy Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "arn:aws:rds:region:account-id:db:db-instance-id"
    }
  ]
}
- Grants MarketingTeam group members permission to view the details of that RDS instance. Note that there is no Principal element: in an identity-based policy the identity the policy is attached to is the implicit principal.
2. Resource-Based Policy
Definition: Attached directly to AWS resources.
Purpose: Controls who can access the resource and what actions they can perform.
Example: Allow the DevOps IAM role to perform s3:PutObject on an S3 bucket.
Key Point: Controls which users or services may access the resource, and how.
Policy Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:role/DevOps"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
- Allows the DevOps role to upload objects to example-bucket. Unlike an identity-based policy, a resource-based policy must name the principal it applies to in a Principal element. The Resource is the object ARN pattern (example-bucket/*), not the bucket ARN, because s3:PutObject is an object-level action.
3. Identity-Based Policy vs Resource-Based Policy
Identity-Based Policy:
Attached To: IAM users, groups, roles.
Purpose: Defines what the entity can do on AWS resources.
Resource-Based Policy:
Attached To: Specific AWS resources (e.g., S3 buckets, SQS queues, KMS keys, Lambda functions).
Purpose: Controls access to the resource, defining which principals can perform which actions on it.
Cross-account caveat: when the principal and the resource are in different accounts, both sides must allow the request. The resource-based policy must grant the external principal, and that principal's own identity-based policy must also allow the action.
4. Conflict Resolution: Identity-Based vs Resource-Based Policies
What happens when an identity-based policy and a resource-based policy conflict?
Example:
Resource-Based Policy: Denies John from deleting objects (s3:DeleteObject) in an S3 bucket.
Identity-Based Policy: Allows John to delete objects in the same S3 bucket.
Resolution Rules:
Explicit Deny: Always takes precedence over any Allow. If either the identity-based policy or the resource-based policy contains a matching Deny statement, the action is blocked, regardless of what the other policy states.
Explicit Allow: Applies only if there is no matching Deny. Within a single account, a matching Allow in either the identity-based policy or the resource-based policy is sufficient; the two policy types are evaluated together as a union, so a bucket policy alone can grant a same-account user access that their identity-based policy never mentions.
Default Deny: If no policy explicitly allows the action, it is denied by default (an implicit deny).
Example Result:
- Outcome: John cannot delete objects in the S3 bucket, because the resource-based policy explicitly denies this action, which overrides the Allow in the identity-based policy.
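To make the rules in sections 3 and 4 concrete, below is an added example (not part of the original page and not AWS code): a small offline model of IAM's evaluation of identity-based and resource-based policies for a same-account request. It models only the three rules stated above (explicit deny wins, otherwise any matching Allow from either policy type, otherwise implicit deny) plus IAM's "*" and "?" wildcards; it does not model Condition, NotAction/NotResource, SCPs, permission boundaries, session policies or cross-account requests. The account ID 123456789012, the user John and the bucket policy statements are constructed placeholders for the John scenario described above.

```python
"""Offline model of how IAM combines identity-based and resource-based
policies for a same-account request.

Added example, not AWS code. Models only: explicit deny wins, otherwise any
matching Allow from either policy type, otherwise implicit deny, with IAM's
'*' and '?' wildcards. Not modelled: Condition, NotAction, NotResource, SCPs,
permission boundaries, session policies, cross-account evaluation.
"""
import re


def wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, principal_arn, action, resource, check_principal):
    """True if the statement's Principal (resource policies only), Action and Resource all match."""
    if check_principal:
        principal = stmt.get("Principal", {})
        allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(wildcard_match(p, principal_arn) for p in allowed):
            return False
    if not any(wildcard_match(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    return any(wildcard_match(r, resource) for r in _as_list(stmt.get("Resource", [])))


def evaluate(identity_policies, resource_policy, principal_arn, action, resource):
    """Return 'EXPLICIT_DENY', 'ALLOW' or 'IMPLICIT_DENY' for one same-account request."""
    effects = []
    for policy in identity_policies:          # no Principal element: the attached identity is implied
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, principal_arn, action, resource, check_principal=False):
                effects.append(stmt["Effect"])
    if resource_policy is not None:           # Principal element names who each statement applies to
        for stmt in resource_policy["Statement"]:
            if _statement_applies(stmt, principal_arn, action, resource, check_principal=True):
                effects.append(stmt["Effect"])
    if "Deny" in effects:
        return "EXPLICIT_DENY"                # rule 1: any explicit deny overrides every allow
    if "Allow" in effects:
        return "ALLOW"                        # rule 2: an allow from either policy type suffices
    return "IMPLICIT_DENY"                    # rule 3: nothing allowed it


# Constructed sample data: the account ID and user are placeholders, not real identities.
JOHN = "arn:aws:iam::123456789012:user/John"
BUCKET = "arn:aws:s3:::example-bucket"

# Identity-based policy attached to John: may read and delete objects in the bucket.
JOHN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:DeleteObject"],
        "Resource": BUCKET + "/*",
    }],
}

# Bucket policy (resource-based): explicitly denies John s3:DeleteObject,
# and separately allows him s3:ListBucket on the bucket itself.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": {"AWS": JOHN},
         "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
        {"Effect": "Allow", "Principal": {"AWS": JOHN},
         "Action": "s3:ListBucket", "Resource": BUCKET},
    ],
}


def worked_example():
    """Evaluate four requests by John against the two policies above."""
    obj = BUCKET + "/reports/q1.csv"
    policies = [JOHN_IDENTITY_POLICY]
    return {
        # identity Allow vs bucket-policy Deny: the explicit deny wins
        "s3:DeleteObject": evaluate(policies, BUCKET_POLICY, JOHN, "s3:DeleteObject", obj),
        # allowed only by the identity-based policy
        "s3:GetObject": evaluate(policies, BUCKET_POLICY, JOHN, "s3:GetObject", obj),
        # allowed only by the resource-based policy (same-account union)
        "s3:ListBucket": evaluate(policies, BUCKET_POLICY, JOHN, "s3:ListBucket", BUCKET),
        # no policy mentions it: implicit deny
        "s3:PutObject": evaluate(policies, BUCKET_POLICY, JOHN, "s3:PutObject", obj),
    }


if __name__ == "__main__":
    for action, verdict in worked_example().items():
        print(f"{action:18} -> {verdict}")
```

The s3:ListBucket case is the one practitioners most often miss: John's identity-based policy never mentions it, yet the request is allowed because the bucket policy grants it and both are in the same account. For real accounts, check effective permissions with the IAM policy simulator (for example `aws iam simulate-principal-policy`) rather than reasoning from a single policy document.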