Amazon Web Services (AWS) - Understanding Policies
by Jeremy Canfield | Updated: October 02 2023 | Amazon Web Services (AWS) articles
A policy is kind of like a firewall, in that it is a control used to allow or deny users to perform certain actions. For example, a policy could be used to:
- Allow users to create an S3 Bucket
- Deny users from modifying a load balancer
Policies are defined in JSON. For example, here is the JSON that would be used to allow users to mount an Elastic File System (EFS) and to add files to the Elastic File System, but only over an encrypted (TLS) connection.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientMount"
      ],
      "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0d1500aa4f4b50839",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
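To show how a statement like the one above is actually applied to a request, here is an added example in Python (it is not code from the article, and it is not the real IAM evaluation engine, which also considers identity policies, permission boundaries and SCPs). It parses the policy, normalizes the fields that IAM allows as either a string or a list, applies a simplified decision (an explicit Deny wins, then an Allow, otherwise implicit deny) including the Bool condition on aws:SecureTransport, and flags Allow statements that grant access to any principal with no Condition at all. Only the Bool and StringEquals operators and the * wildcard are modeled; the second, riskier policy used in the test is constructed for illustration.

```python
import fnmatch
import json

# Constructed sample: the EFS file system policy from the article, kept as text so
# the parsing path is exercised. Account id and file-system id are the article's
# placeholder values, not real identifiers.
EFS_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientMount"],
      "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0d1500aa4f4b50839",
      "Condition": {"Bool": {"aws:SecureTransport": "true"}}
    }
  ]
}"""


def load_policy(text):
    """Parse a policy document from its JSON text."""
    return json.loads(text)


def as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    """Return the statements of a parsed policy (Statement may be a dict or a list)."""
    return as_list(policy.get("Statement"))


def condition_matches(condition, context):
    """Evaluate the Bool and StringEquals condition operators against a request
    context. Every operator/key pair must match; a key absent from the context fails."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = [str(v) for v in as_list(expected)]
            if operator == "Bool":
                if str(actual).lower() not in [v.lower() for v in wanted]:
                    return False
            elif operator == "StringEquals":
                if str(actual) not in wanted:
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modeled")
    return True


def evaluate(policy, action, resource, context):
    """Simplified resource-policy decision: explicit Deny wins, then Allow, otherwise
    implicit deny. '*' wildcards in Action and Resource are matched with fnmatch."""
    decision = "ImplicitDeny"
    for stmt in statements(policy):
        if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt.get("Resource"))):
            continue
        if not condition_matches(stmt.get("Condition"), context):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def findings(policy):
    """Flag risky patterns: an Allow to any principal with no Condition, or wildcard actions."""
    out = []
    for i, stmt in enumerate(statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))
        )
        if anyone and not stmt.get("Condition"):
            out.append(f"statement {i}: Allow to Principal * without any Condition")
        if any(a == "*" or a.endswith(":*") for a in as_list(stmt.get("Action"))):
            out.append(f"statement {i}: wildcard Action")
    return out


if __name__ == "__main__":
    policy = load_policy(EFS_POLICY_JSON)
    fs_arn = as_list(statements(policy)[0]["Resource"])[0]
    for secure in ("true", "false"):
        ctx = {"aws:SecureTransport": secure}
        print(secure, evaluate(policy, "elasticfilesystem:ClientMount", fs_arn, ctx))
    print(findings(policy) or "no findings")
```

Running it shows the mount is allowed only when the request context carries aws:SecureTransport true; the same action over plain NFS, or an action the statement does not list (for example elasticfilesystem:ClientRootAccess), falls through to the implicit deny. The findings check is the kind of review a practitioner runs before attaching a policy that names "*" as the principal.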
The aws iam attach-user-policy command can be used to attach a policy to a user's account.
aws iam attach-user-policy --user-name john.doe --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
The Terraform aws_iam_policy_document data source can be used to generate a policy document that is then consumed by some other Terraform resource. For example, the aws_iam_policy_document data source and the aws_efs_file_system_policy resource could be used to attach a policy to an Elastic File System (EFS).
resource "aws_efs_file_system" "my-efs" {
  creation_token = "my-efs"
  encrypted      = true
  tags = {
    Name = "my-efs"
    Role = "AWS EFS File Storage"
  }
}

data "aws_iam_policy_document" "efs_policy" {
  statement {
    actions = [
      "elasticfilesystem:ClientMount",
      "elasticfilesystem:ClientWrite",
    ]
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    resources = [aws_efs_file_system.my-efs.arn]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["true"]
    }
  }
}

resource "aws_efs_file_system_policy" "policy" {
  file_system_id = aws_efs_file_system.my-efs.id
  policy         = data.aws_iam_policy_document.efs_policy.json
}