IAM - Policy evaluation 🛡️
Be secure by default! 🔒
Policy structure
🛡️ Principal: Who is the policy attached to?... The entity (users/resources).
🛡️ Action: The type of access, i.e. the operations (for example GetObject on S3) that the statement's Effect allows or denies.
🛡️ Resource: What will the action act on?... AWS resources, identified by ARN.
🛡️ Condition: Under what circumstances the defined actions may be executed on the ARN. Pro tip: conditions can make a policy as powerful as any of the Marvel characters.
🛡️ Sid: Statement ID; each Sid must be unique within a single policy.
{
  "Statement": [
    {
      "Sid": "UniqueStatementId",
      "Effect": "Allow or Deny",
      "Principal": "entity",
      "Action": "service:Operation",
      "Resource": "arn",
      "Condition": {
        "condition-operator": {
          "key": "value"
        }
      }
    }
  ]
}
Policy evaluation logic
Here is how it begins 👀
🛡️ Does the entity have deny permission by default?
Ex: when we create an IAM user, by default it has all-deny permission (nothing is allowed yet).
Yes, it does: it's a Deny!
Otherwise, evaluation moves on to the next step.
🛡️ Whatever policies are applied to the entity, all of them are gathered before evaluation starts.
🛡️ It's quite possible to have conflicting policies.
Ex: Let's say there are two policies applied to an entity.
🔹 One defines Allow - delete, list and add S3 bucket, and
🔹 the other says Deny - delete S3 bucket.
🔹 Here, as we can see, there is an Allow to delete and a Deny to delete as well... it's a conflict. While evaluating, Deny gets first precedence: the explicit Deny list is checked first, so the result is Deny.
🔹 Therefore, the entity is not allowed to delete the S3 bucket.
🛡️ Once done checking all the Deny lists, it starts on the Allow lists.
🔹 If there is an explicit Allow... that policy will be applied.
If no Allow matches, it falls back to Deny.
Ex: The entity has one policy attached, i.e. GetObject (for S3).
Will that entity be able to delete an object? Add an object? Put an object?
🔹 No.
🔹 Will that entity be able to download an object? Yes.
Because there is only one explicitly defined Allow action... so by default the rest, all other actions, are always denied.
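The evaluation order above (default deny, then explicit Deny wins, then explicit Allow, else deny) is easy to get wrong when several policies are attached, so here is an added worked example in Python. It is not AWS's evaluation engine and not code from this page: it is a simplified model that assumes a single principal with only identity-based policies attached (no resource policies, SCPs, permissions boundaries or session policies) and supports only the StringEquals condition operator. The bucket ARN, the tag key used in the condition and the policy documents are constructed for the example.

```python
# Added example: a simplified model of IAM identity-policy evaluation.
# Assumptions: identity-based policies only, StringEquals conditions only.
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive wildcard match ('*' and '?'), as IAM uses for Action/Resource."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Every key in the Condition block must match; a missing key never matches."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "StringEquals":  # only operator modelled in this example
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def statement_applies(statement, action, resource, context):
    """A statement applies when Action, Resource and Condition all match the request."""
    return (_matches(statement.get("Action"), action)
            and _matches(statement.get("Resource"), resource)
            and _condition_ok(statement.get("Condition"), context))


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    context = context or {}
    statements = [s for p in policies for s in p["Statement"]]
    # Step 1: an explicit Deny in ANY matching statement wins outright.
    for s in statements:
        if s["Effect"] == "Deny" and statement_applies(s, action, resource, context):
            return "Deny"
    # Step 2: only then does an explicit Allow count.
    for s in statements:
        if s["Effect"] == "Allow" and statement_applies(s, action, resource, context):
            return "Allow"
    # Step 3: nothing matched, so the default (implicit) deny stands.
    return "Deny"


# --- constructed sample policies, mirroring the two examples in the text ---
BUCKET = "arn:aws:s3:::example-bucket"  # constructed placeholder ARN

ALLOW_BUCKET_OPS = {"Statement": [{
    "Sid": "AllowBucketOps", "Effect": "Allow",
    "Action": ["s3:DeleteBucket", "s3:ListBucket", "s3:CreateBucket"],
    "Resource": BUCKET}]}

DENY_DELETE_BUCKET = {"Statement": [{
    "Sid": "DenyDeleteBucket", "Effect": "Deny",
    "Action": "s3:DeleteBucket", "Resource": BUCKET}]}

GET_OBJECT_ONLY = {"Statement": [{
    "Sid": "ReadOnly", "Effect": "Allow",
    "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"}]}

# Allow PutObject only for principals tagged team=data (constructed tag key).
PUT_IF_DATA_TEAM = {"Statement": [{
    "Sid": "PutForDataTeam", "Effect": "Allow",
    "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
    "Condition": {"StringEquals": {"aws:PrincipalTag/team": "data"}}}]}


def conflict_example():
    """Allow + Deny on the same action: Deny takes precedence, the rest stay allowed."""
    policies = [ALLOW_BUCKET_OPS, DENY_DELETE_BUCKET]
    return {a: evaluate(policies, a, BUCKET)
            for a in ("s3:DeleteBucket", "s3:ListBucket", "s3:CreateBucket")}


def get_object_only_example():
    """A single GetObject Allow: everything not explicitly allowed is denied."""
    obj = f"{BUCKET}/report.csv"
    return {a: evaluate([GET_OBJECT_ONLY], a, obj)
            for a in ("s3:GetObject", "s3:DeleteObject", "s3:PutObject")}


def condition_example():
    """The Allow only applies when the condition key matches the request context."""
    obj = f"{BUCKET}/report.csv"
    return {
        "data team": evaluate([PUT_IF_DATA_TEAM], "s3:PutObject", obj,
                              {"aws:PrincipalTag/team": "data"}),
        "ops team": evaluate([PUT_IF_DATA_TEAM], "s3:PutObject", obj,
                             {"aws:PrincipalTag/team": "ops"}),
        "no tag": evaluate([PUT_IF_DATA_TEAM], "s3:PutObject", obj),
    }


if __name__ == "__main__":
    print("conflict:", conflict_example())
    print("get-only:", get_object_only_example())
    print("condition:", condition_example())
```

The ordering inside `evaluate` is the whole point: the Deny loop runs to completion before any Allow is consulted, so adding more Allow statements can never override a matching Deny, and a request that matches no statement at all ends in the default deny rather than an error.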