How to Manage IAM Security Policies
In this guide we will describe how to define, create and attach a policy to a users’ group. Policy is used to grant access permission to user, group or role so to AWS resources based on specific rules. To give a particular IAM entity a permission, you need to write a policy according to the access policy language IAM uses and then attach the policy to the related AWS entity. In case of a group the group users’ inherits the group policy. You can attach more than one policy to a group or user.
Lets start with setting a policy for a group:
1. Login to your AWS account and enter the IAM console.
2. Select the Group from left navigation menu. In the group select ‘Permissions’ tab as shown below.
3. The permission tab will list the existing policies attached to Group. Press ‘Attach Another policy’.
4. Select the entity for which you want to grant access. In this example we selected ‘Cloudfront Full Access’, this will list the policy definition in JSON language. Modify the policy as needed.
5. Select Apply policy once your policy is defined.
6. This will add another policy to group. As shown above, the Group testIAMGrp has now two policies. One for EC2 Read and one for Cloudfront full access.
7. Now we will modify he policy for a user.
8. A user normally inherits all the policy of the group it belongs to. As shown below, the user testIAMUser1, inherits group policy of the testIAMGrp.
9. We can assign the individual policy to a user. Select ‘Attach User Policy’ from ‘Permissions’ tab of a user.
10. It will ask to select the policy.
11. For the user we will use ‘Policy Generator’ instead of selecting from standard template. You can also attach your custom policy I JSON format to a user.
12. Select the AWS service for which you want to grant access. We have selected ‘Allocate Address’ and ‘Associate Address’ policy for this user.
13. Once you select the actions, press ‘Add Statement’.
14. It will add the two actions to the list of policies. As shown below. We will also select two more policies ‘Attach Volume’ & ‘Bundle Volume’.
15. Once you select new actions add them to statement, Press Continue. It will list the policy definition. You can modify the policy in JSON language.
16. Once you apply policy it will be added to user.
17. As shown below, the user has group policy as well individual policy. Press show policy to view the policy.
18. The above displays the policy we defined in JSON language.
In the next steps we will attach policy through command line.
19. We need to create a policy in JSON format. We have defined the policy for full RDS access in JSON format. Name the file as RDSFullAccess.txt
20. Run the command iam-groupuploadpolicy -g testIAMGrp -p RDSFUll -f C:\AWS\RDSFullAccess.txt. This will add the policy defined in RDSFullAccess.txt to group testIAMGrp.
List the policy with iam-grouplistpolicies –g testIAMGrp.
21. Add policy to individual user. Let’s define policy in command line only instead of creating a separate file.
iam-useraddpolicy -u testIAMUser2 -p AdminRoot -e Allow -a “*” -r “*” –o.
22. List the policy assigned to user through iam-userlistpolicies -u testIAMUser2.
Related How-to Guide: IAM How-to: Setting up AWS IAM CLI Tool on Windows
Keywords: Amazon AWS cloud, IAM, Security, Read only, User permissions, Authentication Policy, IAM Policy Management, IAM rules, AWS Console, RDS, Access Premission Management