

Showing posts from March, 2019

IAM Policies in a nutshell

A policy is 'Deny' by default: any action that is not explicitly allowed is denied.

Types of policies:
1. SCP (Service Control Policies): the kind of policy AWS Organizations uses. For example, guardrails that disable access to a service for the principals in an account.

2. IAM: permission policies and permission boundaries. Granular permissions on IAM principals (users and roles), and control over the maximum permissions they can set.

3. AWS STS (Security Token Service): reduce general shared permissions further.

4. Resource-based policies: cross-account access, and control from the resource side.

5. Endpoint policies: generally attached to VPCs; control access to the service through a VPC endpoint.

How all these policies work together within an account:

SCP AND [IAM policies OR Resource-based policies]: if both sides match, the matched action is allowed; otherwise it is denied.

How all these policies work together across accounts:

SCP AND [IAM policies AND Resource-based policies]: all three must match the same action; the action will be …
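The two combination rules above, as an added Python evaluator that is not part of the original post. The policy documents, account id, bucket name and role are constructed for the example; Principal, Condition, NotAction, permission boundaries and STS session policies are deliberately not modelled.

```python
import fnmatch

# Constructed sample policies; the account id, bucket and role are hypothetical.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},  # org guardrail
]}
IAM = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
]}
RESOURCE = {"Statement": [  # bucket policy; Principal is kept for realism but not evaluated
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}

def _as_list(value):
    """Action/Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request.
    '*' and '?' are wildcards; actions compare case-insensitively as in AWS.
    NotAction, NotResource and Condition are deliberately not modelled."""
    act_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*")))
    return act_ok and res_ok

def evaluate(policy, action, resource):
    """Verdict of one policy document: 'Deny' (explicit), 'Allow', or 'Implicit'
    (nothing matched, i.e. the default deny)."""
    verdict = "Implicit"
    for stmt in policy.get("Statement", []):
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins over any Allow
            verdict = "Allow"
    return verdict

def is_allowed(scp, iam, resource_policy, action, resource, same_account=True):
    """Combine the three verdicts the way the post describes."""
    verdicts = [evaluate(p, action, resource) for p in (scp, iam, resource_policy)]
    if "Deny" in verdicts:
        return False
    scp_ok, iam_ok, res_ok = (v == "Allow" for v in verdicts)
    if same_account:
        return scp_ok and (iam_ok or res_ok)  # SCP AND [IAM OR resource]
    return scp_ok and iam_ok and res_ok       # SCP AND [IAM AND resource]
```

Note how `s3:ListBucket` is allowed in the same account (the IAM policy alone suffices) but refused cross-account, where the bucket policy must also grant it, and how the SCP guardrail blocks `s3:DeleteBucket` even though the IAM policy allows it.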