2.1.6 Define Permissions for IAM Principals
IAM Policy Evaluation & Permissions
Policy Evaluation Logic
1. Explicit Deny → DENY (always wins)
2. SCP (Organization) → Allow?
3. Resource-based policy → Allow?
4. Permission boundary → Allow?
5. Identity-based policy → Allow?
6. Default → DENY (implicit deny)
Policy Types
| Type | Attached to | Use Case |
|---|---|---|
| Identity-based | User, Group, Role | Permissions for a principal |
| Resource-based | Resource (S3, Lambda, SQS) | Cross-account access, direct grant |
| Permission boundary | IAM User/Role | Max permissions limit |
| Session policy | STS session | Temporary restrictions |
| SCP | Organization OU/Account | Guardrails for the whole account |
Identity-based Policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/home/${aws:username}/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/${aws:username}/*"]
        }
      }
    }
  ]
}
```
Note: the `s3:prefix` condition key exists only for `s3:ListBucket`; object-level actions such as `s3:GetObject`/`s3:PutObject` are scoped by putting the user's prefix in the Resource ARN. A wildcard in the condition value needs `StringLike`, since `StringEquals` matches `*` literally.
Permission Boundary
- Limits the maximum permissions an identity-based policy can grant
- Effective permissions = Identity policy ∩ Permission boundary
- Use case: let developers create their own roles while limiting their scope
Resource-based Policy
- Attached directly to the resource (S3 bucket policy, Lambda resource policy)
- Allows cross-account access without AssumeRole
- The Principal field specifies who is allowed access
Policy Variables
| Variable | Description |
|---|---|
| ${aws:username} | IAM username |
| ${aws:userid} | Unique user ID |
| ${cognito-identity.amazonaws.com:sub} | Cognito identity ID |
| ${aws:SourceIp} | Request source IP |
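The evaluation order, the boundary intersection and the policy-variable substitution above can be exercised with a small toy evaluator. This is an added example, not AWS's engine or any code from the original notes: it models the rule "an explicit Deny in any layer wins; otherwise every layer that is present (SCP, resource-based, permission boundary, identity-based) must Allow, else implicit deny", supports only `StringEquals` conditions and `${aws:...}` variables, and ignores the same-account resource-policy shortcut. The policies and requests (user `alice`, buckets `my-bucket`/`other-bucket`) are constructed for the demo.

```python
"""Toy IAM policy evaluator (added example; not AWS's real engine).

Assumptions: explicit Deny anywhere wins; otherwise every layer present
must contain an Allow; only StringEquals conditions and ${aws:...}
variables are modelled; same-account resource-policy shortcut ignored.
"""
import fnmatch
import re

_VAR = re.compile(r"\$\{([A-Za-z0-9:.\-]+)\}")


def expand(value, ctx):
    """Substitute policy variables such as ${aws:username} from the request context."""
    return _VAR.sub(lambda m: str(ctx.get(m.group(1), m.group(0))), value)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_ok(cond, ctx):
    """StringEquals only; a key absent from the context makes the condition false."""
    for key, want in cond.get("StringEquals", {}).items():
        if key not in ctx or ctx[key] not in [expand(w, ctx) for w in _as_list(want)]:
            return False
    return True


def match_policy(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None for one policy document."""
    result = None
    for st in policy["Statement"]:
        actions = _as_list(st.get("Action", []))
        resources = [expand(r, ctx) for r in _as_list(st.get("Resource", "*"))]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if not condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits the whole document
        result = "Allow"
    return result


def evaluate(action, resource, ctx, identity, boundary=None, scps=(), resource_policy=None):
    """Evaluate one request through every layer; returns (decision, reason)."""
    layers = [("SCP", p) for p in scps]
    if resource_policy:
        layers.append(("resource-based", resource_policy))
    if boundary:
        layers.append(("permission boundary", boundary))
    layers.append(("identity-based", identity))
    results = [(name, match_policy(p, action, resource, ctx)) for name, p in layers]
    for name, r in results:
        if r == "Deny":
            return "Deny", f"explicit deny in {name} policy"
    for name, r in results:
        if r != "Allow":
            return "Deny", f"no allow in {name} policy (implicit deny)"
    return "Allow", "allowed by every layer"


# Constructed sample policies (made up for this demo, not from any real account).
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::my-bucket/home/${aws:username}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket",
     "Condition": {"StringEquals": {"s3:prefix": "home/${aws:username}/"}}},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::other-bucket/*"},  # allowed here, capped by the boundary
]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},  # org guardrail
]}


def demo():
    """Five constructed requests by user 'alice'; returns {name: (decision, reason)}."""
    alice = {"aws:username": "alice"}
    cases = {
        "own_object": ("s3:GetObject", "arn:aws:s3:::my-bucket/home/alice/notes.txt", alice),
        "other_users_object": ("s3:GetObject", "arn:aws:s3:::my-bucket/home/bob/notes.txt", alice),
        "list_own_prefix": ("s3:ListBucket", "arn:aws:s3:::my-bucket", {**alice, "s3:prefix": "home/alice/"}),
        "outside_boundary": ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv", alice),
        "scp_guardrail": ("s3:DeleteObject", "arn:aws:s3:::my-bucket/home/alice/notes.txt", alice),
    }
    return {n: evaluate(a, r, c, IDENTITY, boundary=BOUNDARY, scps=[SCP])
            for n, (a, r, c) in cases.items()}


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:20s} {decision:5s} {reason}")
```

Running the script shows the four exam-tip rules in one table: `own_object` and `list_own_prefix` are allowed because `${aws:username}` resolves to `alice`, `other_users_object` is an implicit deny, `outside_boundary` is refused by the permission boundary even though the identity policy allows it, and `scp_guardrail` is an explicit SCP deny that overrides the identity Allow.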
Exam Tip: Explicit Deny always wins. Permission boundary = max limit. Resource-based policy gives cross-account access without AssumeRole. Policy variables give dynamic permissions.