An IAM policy is a formal statement of permissions that will be granted to an entity. Policies can be attached to any IAM entity. Entities include users, groups, roles, or resources. For example, you can attach a policy to AWS resources that will block all requests that do not come from an approved Internet Protocol (IP) address range. Policies specify what actions are allowed, which resources to allow the actions on, and what the effect will be when the user requests access to the resources.
The order in which the policies are evaluated has no effect on the outcome of the evaluation. All policies are evaluated, and the result is always that the request is either allowed or denied. When there is a conflict, the most restrictive policy applies: an explicit deny in any applicable policy overrides any allow, and a request that no policy allows is denied by default.
There are two types of IAM policies.

1. Identity-based policies are permissions policies that you can attach to a principal (or identity) such as an IAM user, role, or group. These policies control what actions that identity can perform, on which resources, and under what conditions. Identity-based policies can be further categorized as:

• Managed policies – Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account

• Inline policies – Policies that you create and manage, and that are embedded directly into a single user, group, or role.

2. Resource-based policies are JSON policy documents that you attach to a resource, such as an S3 bucket. These policies control what actions a specified principal can perform on that resource, and under what conditions.
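The following is an added example, not code from AWS or from this post, that ties together the evaluation rules above (all policies evaluated, order irrelevant, explicit deny wins, default deny) and the two policy types: a constructed identity-based policy attached to an IAM user and a constructed resource-based bucket policy that denies every request outside an approved IP range, as in the example at the top. The evaluator is a deliberate simplification of the real IAM logic: it supports only the IpAddress, NotIpAddress and StringEquals condition operators, treats Principal as a plain string or "*", and ignores permission boundaries, SCPs and session policies. The principal ARN, account id, bucket name and IP ranges are made-up sample data.

```python
"""Simplified IAM policy evaluator (added example, not AWS's own code).

Rules modelled: every applicable policy is evaluated, order does not matter,
an explicit Deny in any policy overrides any Allow, and a request that
matches no Allow is implicitly denied. All policy documents, ARNs and IP
ranges below are constructed sample data.
"""
import fnmatch
import ipaddress

# Constructed identity-based policy, attached to the IAM user "alice".
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
    ],
}

# Constructed resource-based policy on the bucket: deny any request that does
# not come from the approved IP range, whoever sends it.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Principal": "*",            # simplified: a string or "*", not the {"AWS": ...} form
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"],
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # Action, Resource and Principal entries may use '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate a Condition block; only three operators are supported here."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False          # a missing context key never satisfies a condition
            if operator in ("IpAddress", "NotIpAddress"):
                in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                               for cidr in _as_list(expected))
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt, request):
    if not _matches_any(stmt["Action"], request["action"]):
        return False
    if not _matches_any(stmt["Resource"], request["resource"]):
        return False
    # Only resource-based statements carry a Principal; identity-based ones
    # apply to whoever they are attached to, which the caller decides.
    if "Principal" in stmt and not _matches_any(stmt["Principal"], request["principal"]):
        return False
    return _condition_holds(stmt.get("Condition", {}), request["context"])


def evaluate(policies, request):
    """Return 'Allow', 'Deny (explicit)' or 'Deny (implicit)'.

    `policies` is the identity-based policies attached to the requesting
    principal plus the resource-based policies attached to the target, in
    any order.
    """
    effects = {stmt["Effect"] for policy in policies
               for stmt in policy["Statement"] if _statement_applies(stmt, request)}
    if "Deny" in effects:
        return "Deny (explicit)"      # a matching Deny wins regardless of order
    if "Allow" in effects:
        return "Allow"
    return "Deny (implicit)"          # nothing allowed it, so it is denied by default


def make_request(action, resource, source_ip,
                 principal="arn:aws:iam::123456789012:user/alice"):
    return {"principal": principal, "action": action, "resource": resource,
            "context": {"aws:SourceIp": source_ip}}


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, evaluate([IDENTITY_POLICY, BUCKET_POLICY],
                           make_request("s3:GetObject", obj, ip)))
    # Reversing the policy order must not change the outcome.
    print(evaluate([BUCKET_POLICY, IDENTITY_POLICY],
                   make_request("s3:PutObject", obj, "203.0.113.10")))
```

Running it shows the three outcomes the text describes: the approved address gets Allow, the unapproved address gets an explicit Deny even though the identity policy allows the action, and an action no policy mentions (s3:PutObject) falls through to the implicit deny. Swapping the order of the two policies changes nothing, which is the point of the evaluation rule.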