AWS IAM Roles and Policies: All you need to know.
Amazon Web Services, one of the most widely used cloud platforms, offers more than 100 services. From web development to artificial intelligence, AWS plays a significant role.
At a time when cloud platforms have a huge impact on software development, one of the important aspects is the security of the cloud system.
To handle this, AWS provides a service known as AWS IAM (Identity and Access Management). AWS IAM lets you manage users, groups and other services using roles and policies.
In this article, we will see how roles and policies work and what the Least Privilege principle used in AWS IAM is.
AWS Roles
AWS provides us with tons of services like Lambda, EC2, S3 and many more. Each service has a role attached to it, and that role defines the policies (discussed below) that specify what the service is allowed or denied to do.
Let us consider an example.
There is a Lambda function (named json-handler) that writes a JSON file to an S3 bucket (json_files).
There must be a role, often called something like json-handler-role, that is attached to this function.
AWS Policy
Continuing the above example, the role json-handler-role must have permission to write to the S3 bucket; otherwise, the Lambda won't be able to perform the write operation on the S3 bucket.
Here is the example policy:
```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "WriteFileToS3",
      "Principal": "arn:aws:lambda:aws-region:account-id:function:json-handler",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::json_files/*"
    }
  ]
}
```
Let’s look at the policy in detail:
- Version: Specifies the policy version as a date; used for tracking updates to the policy.
- Id: Unique identifier of the policy. Used to identify the policy document.
- Statement: This is the array of objects that define the permissions. The fields of a statement object are as follows:
a. Sid: Statement ID, the unique identifier for a statement within the policy document.
b. Principal: The ARN of the resource to which the statement applies. In our case it is the json-handler Lambda function.
c. Effect: Whether the permission is ‘Allow’ or ‘Deny’. It can be used to deny access to the bucket as well. In our case we keep it as ‘Allow’ because we want to allow access to the bucket.
d. Action: Defines which action is allowed or denied. In our case, we want to allow PutObject on the S3 bucket. There can be multiple actions, listed in a comma-separated array.
e. Resource: The actual resource on which the action is performed. In our case PutObject must be allowed on the json_files bucket only.
f. Condition: The Condition element lets you define the conditions under which the permissions in the statement apply, e.g. allowing writes to the bucket only when the request comes from a particular IP address.
Note: If you want to allow ‘anyone’ to perform the action, you can set Principal to *. This will allow anything to access the S3 bucket. If you want to allow the action on any resource, you can set Resource to *.
Example: in our case, if Principal is set to *, any Lambda function or any other resource can access this bucket, whereas if Resource is set to *, the json-handler Lambda can write to any S3 bucket.
Note: There can be multiple statements in a policy document that can define permissions for various services.
Principle of Least Privilege
The most important thing when adding policies/permissions in IAM is the Least Privilege principle.
It says: “Grant only the permissions that are necessary.”
While adding permissions to a resource in AWS, make sure that no extra permissions are added. This helps secure the resource and also reduces the overhead for other people of understanding the ‘Why?’ behind each permission.
For example, in our case we have added just the S3 permissions to the Lambda. Though, once we run it, we might find that we also need CloudWatch permissions to write logs.
Always take care of the Least Privilege Principle.
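As an added example (not the article's own code), the Python script below lays out the two documents a Lambda execution role actually carries, a trust policy and a permissions policy, both constructed here from the json-handler/json_files scenario, and audits every Allow statement for the wildcard Principal, Action and Resource values the Note above warns about. It assumes the permissions policy is attached to the role as an identity-based policy, which is why that document carries no Principal element (IAM accepts Principal only in resource-based policies such as bucket policies).

```python
# Added example, not from the article: a least-privilege audit of the
# json-handler / json_files policy. A Lambda execution role needs a trust
# policy (who may assume the role) and a permissions policy (what it may
# do); both documents below are constructed for this example.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [{
        "Sid": "WriteFileToS3",
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::json_files/*",  # objects in this bucket only
    }],
}

def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict) -> list[str]:
    """Return one finding per Allow-statement element that is broader than
    least privilege: a wildcard action, a bare '*' resource, or an anonymous
    principal. Deny statements are skipped because they only narrow access."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: Action '{action}' uses a wildcard")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":  # 'bucket/*' is fine; a bare '*' is everything
                findings.append(f"{sid}: Resource '*' covers every resource")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: Principal '*' allows anyone")
    return findings
```

Running `audit_policy` over both constructed documents returns no findings, while a statement with `"Action": "s3:*"` or `"Resource": "*"` is reported.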
Conclusion
By the end of this article, I hope I have been able to clarify the roles and policies of AWS IAM. Plus, the Least Privilege principle will definitely help in securing and maintaining the cloud.
As you might have noticed, in this article I have talked about roles and permissions that apply to AWS services only. In the upcoming article, we will talk about how to add permissions for users and user groups, what access keys are, and best practices for AWS IAM on the user's end.
Stay tuned, and follow me on LinkedIn: https://linkedin.com/in/erneelesharora