Writing a JSON policy

In AWS, policies (other than ACL policies) are written as JSON documents. These are then attached to users, groups, roles, resources, or an AWS organizational unit. AWS provides a policy-generation tool, as well as a visual editor, which we can use from the console.

A policy document contains two parts, as follows:

  • Policy-wide information at the beginning of the document (this is optional)
  • One or more individual statements

The Version element is an example of policy-wide information. It identifies the policy language version that we are going to use; the 2012-10-17 version is the current one.

An individual statement is made up of the following elements:

  • Sid: This is a statement ID that can be used to distinguish between multiple statements in the policy document (this is optional).
  • Effect: This takes one of two values, Allow or Deny, and tells us whether access to the resource is allowed or denied.
  • Action: The list of actions allowed or denied on the resource.
  • Resource: This specifies the resource on which the Effect and Action apply.
  • Principal: The user, role, account, or federated user for whom the action is allowed or denied for the stated resource. If the policy is being attached to a user, group, or role, this field is not required. In such a case, the user or role becomes the Principal automatically.
  • Condition: Here, you can specify the conditions under which the access should be allowed or denied. For example, we can allow access to a particular S3 bucket only if the request comes from a specific IP address. This field is optional.

Let's look at a few examples.

Here is a policy that allows the ListBucket operation (s3:ListBucket) on a bucket called mybucket:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::mybucket"
  }
}

Now, let's take a look at a policy that has more than one statement. In this case, we will make up a policy that has two statements. You can then extrapolate it to a policy that can have more than two statements.

In the policy given next, we are providing permission to call the CloudWatch GetMetricData and PutMetricData actions. We are also providing permission for ListBucket on all S3 buckets in our account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
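The statement elements listed earlier and the two policies above can be checked without touching an AWS account. The following added example (not code from the original text or from AWS) parses a policy document, validates the structure described above (Version, one or more statements, a case-sensitive Effect of Allow or Deny, Action and Resource present), and then decides a single request the way IAM combines statements: an explicit Deny beats any Allow, and a request that no statement matches is denied. The function names, the evaluation simplifications noted in the comments (Condition blocks are ignored, NotAction and NotResource are unsupported), and the sample inputs are all the example's own assumptions; the sample inputs reproduce the two policies from the text, add one with a trailing comma to show how the parser reports it, and add one with an explicit Deny so the precedence rule is visible.

```python
import fnmatch
import json

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}
VALID_EFFECTS = {"Allow", "Deny"}  # case-sensitive: "ALLOW" is not accepted


def as_list(value):
    """Statement, Action and Resource may each be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy(text):
    """Parse policy text. Returns (policy, None) or (None, error message)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno}, column {exc.colno}: {exc.msg}"


def validate_policy(policy):
    """Return a list of structural problems; an empty list means it passed."""
    problems = []
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    version = policy.get("Version")
    if version is not None and version not in VALID_VERSIONS:
        problems.append(f"unknown Version {version!r}")
    statements = as_list(policy.get("Statement"))
    if not statements:
        problems.append("Statement is required")
    for index, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            problems.append(f"statement {index}: must be an object")
            continue
        where = f"statement {stmt.get('Sid', index)}"
        if stmt.get("Effect") not in VALID_EFFECTS:
            problems.append(f"{where}: Effect must be Allow or Deny")
        if not as_list(stmt.get("Action")):
            problems.append(f"{where}: Action is required")
        if not as_list(stmt.get("Resource")):
            problems.append(f"{where}: Resource is required")
        if "Condition" in stmt and not isinstance(stmt["Condition"], dict):
            problems.append(f"{where}: Condition must be an object")
    return problems


def evaluate(policy, action, resource):
    """Decide one request the way IAM combines statements: an explicit Deny
    beats any Allow, and a request matched by no statement is denied.
    Simplification (this example only): Condition blocks are ignored, i.e.
    treated as satisfied, and NotAction/NotResource are not handled."""
    decision = "Deny"  # implicit deny until some Allow statement matches
    for stmt in as_list(policy.get("Statement")):
        # '*' and '?' are wildcards; action names compare case-insensitively,
        # resource ARNs compare exactly.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in as_list(stmt.get("Action")))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return "Deny"  # explicit deny always wins
            decision = "Allow"
    return decision


# Constructed inputs: the two policies from the text, one written with the
# trailing-comma mistake, and one that adds an explicit Deny statement.
SINGLE = {"Version": "2012-10-17",
          "Statement": {"Effect": "Allow", "Action": "s3:ListBucket",
                        "Resource": "arn:aws:s3:::mybucket"}}
TWO = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["cloudwatch:PutMetricData", "cloudwatch:GetMetricData"],
     "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::*"}]}
TRAILING_COMMA = ('{"Version": "2012-10-17", "Statement": {"Effect": "Allow", '
                  '"Action": ["s3:ListBucket",], "Resource": "*"}}')
WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::mybucket"}]}

if __name__ == "__main__":
    print("problems:", validate_policy(SINGLE), validate_policy(TWO))
    print("trailing comma:", load_policy(TRAILING_COMMA)[1])
    print(evaluate(SINGLE, "s3:ListBucket", "arn:aws:s3:::mybucket"))
    print(evaluate(WITH_DENY, "s3:ListBucket", "arn:aws:s3:::mybucket"))
```

Running the script reports no problems for either policy from the text, a parse error pointing at the trailing comma, Allow for listing mybucket under the first policy, and Deny for the same request under the policy with the explicit Deny, even though its first statement grants s3:* on every bucket.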