Using the visual editor to create IAM policies

IAM policies are used to define permissions for your IAM entities such as users, groups, and roles. Each policy that you create consists of one or more statements that include the following elements:

  • Effect: This element determines whether a policy statement allows or explicitly denies access to a particular AWS resource. An explicit Deny always wins over any Allow that applies to the same request.
  • Action: Actions are used to define AWS service actions within a policy; for example, you can specify Amazon S3 related actions such as listing buckets, reading or writing objects, and so on.
  • Resource: Resources are the AWS services or individual entities, identified by their ARNs, to which the actions apply.
  • Condition: Conditions are used to define when a particular permission is allowed or denied on a resource. You can leverage one or more conditions to provide additional granular security to your AWS resources.

Once a policy is created, you attach it to an IAM identity, which can be a user, a group, or a role. However, creating custom and granular IAM policies can prove to be a challenge at times, especially if you are just getting started with AWS. To address this, AWS has provided a new and improved visual editor with which you can easily create customized policies on your own:

  1. To get started with the visual editor, first log in to the IAM Management Console by selecting this URL https://console.aws.amazon.com/iam/home.
  2. Once logged in, select the Policies option from the navigation pane. This will display a page that lists both the AWS Managed as well as the Customer Managed policies. To create a policy, simply select the Create policy option. For this scenario, let us create a simple S3 policy that grants list, read, write, and delete access to only a single folder (key prefix) present within an S3 bucket.
  3. On the Create policy page, ensure that the Visual editor tab is selected and click on the Choose a service option to filter and pick out Amazon S3.
  4. With the service selected, next click on the Select actions option to add the appropriate actions for our policy. Here, you can pick the required Access levels for your resource either by adding the actions manually or by choosing individual permissions from each Access level. In this case, I have opted to select the entire List level for permissions, s3:GetObject from the Read access level, and s3:PutObject and s3:DeleteObject from the Write access level. Following is a screenshot of the actions selected for your reference:
By default, all actions selected here are allowed. To deny them explicitly instead, select the Switch to deny permissions option provided in the Actions section. Because an explicit Deny overrides any Allow, this is the right choice for a restriction (such as a network boundary) that no other policy attached to the same identity should be able to reopen.
  5. Once completed, select the Resources section to add either all or specific resources to your new set of permissions. In this case, we will scope the permissions to a specific bucket called useast-prod-stuff-01. To do so, select the Add ARN option next to the bucket field.
  6. In the Add ARN(s) dialog box, type the name of the selected bucket in the Bucket name field as depicted in the following screenshot. Once done, select Add to complete the process:
  7. Once done, you can optionally choose to add permissions at the object level as well. Click on the Add ARN option next to the object field and fill in the bucket name as in the previous steps. The only addition here is that you provide the folder name in the Object name field for more granular permission control; S3 has no real folders, so the resulting ARN is a key-prefix match (for example, folder-name/*, which covers every object whose key starts with that prefix). Once done, click on Add to complete the process. Here is a screenshot of the completed resource allocation for our policy:
  8. With the permissions and the resources set, you can optionally choose to add Conditions to your policy as well. To do so, select the Specify request conditions option. Here you can select and edit conditions that match your requirements. For example, for this particular policy, we want the user to access the S3 bucket only from within the organization's internal network. To do so, select the Source IP option and type in a suitable IP range or a single IP address based on your organization's address space. This maps to the aws:SourceIp condition key, which is evaluated against the public IP address of the caller; requests that arrive through a VPC endpoint, or that an AWS service makes on the user's behalf, do not carry that key and therefore fail the condition, so test those paths before relying on it.
  9. You can also add further conditions to your policy by selecting the Add request condition option. Here, you can specify a granular condition using a combination of Condition key, Qualifier, and Operator as shown in the following screenshot:

Here, the condition (the aws:username key compared with the StringEquals operator) allows only the IAM user with the username joe to access the S3 bucket. All conditions within a statement must be satisfied at the same time, so joe must also be calling from the permitted IP range. Note that aws:username is only present for requests made by IAM users; requests made with an assumed role or federated identity do not include it. You can create your own custom conditions using the same approach and, once done, click on Add to complete the process.

  10. With the permissions, resources, and conditions in place, select the Review policy option to complete the policy creation process. Provide a suitable Name and an optional Description for your policy before selecting the Create policy option.
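The policy document that the walkthrough above produces, written out as an added example rather than the book's own JSON: the folder name reports/ and the CIDR 203.0.113.0/24 are placeholders I have assumed, since the page names neither. It also goes slightly beyond the steps: the List permission is narrowed with the s3:prefix key so the user cannot enumerate the rest of the bucket, and a third Deny statement (what the Switch to deny permissions option generates) enforces the network boundary even if another policy attached to the same identity grants broader S3 access.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheReportsFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::useast-prod-stuff-01",
      "Condition": {
        "StringLike": { "s3:prefix": "reports/*" },
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" },
        "StringEquals": { "aws:username": "joe" }
      }
    },
    {
      "Sid": "ReadWriteDeleteObjectsInReportsFolder",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::useast-prod-stuff-01/reports/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" },
        "StringEquals": { "aws:username": "joe" }
      }
    },
    {
      "Sid": "DenyBucketAccessFromOutsideCorporateNetwork",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::useast-prod-stuff-01",
        "arn:aws:s3:::useast-prod-stuff-01/*"
      ],
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": "203.0.113.0/24" }
      }
    }
  ]
}
```

A few points worth checking before attaching this. Bucket-level actions such as s3:ListBucket take the bucket ARN, while object-level actions take the bucket/prefix/* ARN, which is why the two Allow statements are separate. The entire List access level chosen in step 4 also includes s3:ListAllMyBuckets, which accepts only Resource "*"; it is omitted here, so add it in its own statement if the user needs to browse buckets in the console. An identity-based policy is already scoped to the identity it is attached to, so the aws:username condition only adds value when the policy is attached to a group and should apply to a single member. Finally, the Deny statement blocks any request without a matching public source address, including requests through a VPC endpoint; if such paths are needed, condition on aws:SourceVpce or aws:VpcSourceIp instead, and run the policy through the IAM Policy Simulator before rolling it out.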

There you have it! Simple, wasn't it! You can use the same process to create highly customized and granular policies with relative ease. However, there is still one question that remains unanswered; how do we test and troubleshoot the policies without making any actual requests? That's exactly what the IAM Policy Simulator is all about!
