

Showing posts from March, 2019

IAM Policies in a nutshell

Policy evaluation is 'Deny' by default: unless some applicable policy explicitly allows an action, the request is implicitly denied, and an explicit Deny in any applicable policy always wins.

Types of policies:

1. SCP - Service Control Policies. Used by AWS Organizations. For example, guardrails that disable access to a service for all principals in an account.
2. IAM - Permission policies and permissions boundaries. Granular permissions on IAM principals (users and roles), and a boundary that caps the maximum permissions those principals can be granted.
3. AWS STS - Security Token Service. Session policies passed when temporary credentials are requested reduce the broad, shared permissions of the role further for that session.
4. Resource-based policies - attached to the resource itself. Used for cross-account access and to control access from the resource's side.
5. Endpoint policies - generally attached to VPC endpoints. Control which actions can reach the service through that endpoint.

How all these policies work together - within an account:
SCP AND [IAM policies OR resource-based policies]. The action is allowed only if the SCP allows it and at least one of the IAM policy or the resource-based policy allows it; otherwise it is denied.

How all these policies work together - across accounts:
SCP AND [IAM policies AND resource-based policies]. All three must allow the same action - the action
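To make the combination rules concrete, here is a small evaluation model written for this post (added example; it is not AWS's evaluation engine and not code from the original post). It implements the rules above: implicit deny, explicit Deny wins, SCP AND (IAM OR resource) in-account, SCP AND IAM AND resource across accounts. The SCP, identity policy and bucket policy are hand-written sample documents, the account layout and ARNs are invented, and the Principal element, permissions boundaries, session policies and endpoint policies are deliberately left out of the model.

```python
"""Simplified AWS policy-evaluation model (added example, not AWS's own logic).

Rules modelled, matching the post:
  * implicit deny: nothing allowed unless a policy explicitly allows it;
  * an explicit Deny in any applicable policy is final;
  * same account:  SCP allows AND (identity policy allows OR resource policy allows);
  * cross account: SCP allows AND identity policy allows AND resource policy allows.
Policy documents are constructed sample dicts in IAM JSON shape; ARNs are made up.
Principal matching, permissions boundaries, session and endpoint policies are omitted.
"""
import fnmatch


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM uses '*' and '?' wildcards in Action and Resource; fnmatch is close enough here.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate_policy(policy, action, resource):
    """Return 'Allow', 'Deny' or None (no statement matched) for one policy document."""
    result = None
    for stmt in _as_list(policy.get("Statement")):
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny is final within this document
        result = "Allow"
    return result


def is_allowed(action, resource, *, scp, identity_policy, resource_policy=None,
               cross_account=False):
    """Combine the three policy types the way the post describes."""
    scp_r = evaluate_policy(scp, action, resource)
    id_r = evaluate_policy(identity_policy, action, resource)
    res_r = evaluate_policy(resource_policy, action, resource) if resource_policy else None
    if "Deny" in (scp_r, id_r, res_r):
        return False               # explicit deny anywhere wins
    if scp_r != "Allow":
        return False               # SCP is an outer boundary, never a grant by itself
    if cross_account:
        return id_r == "Allow" and res_r == "Allow"
    return id_r == "Allow" or res_r == "Allow"


# --- constructed sample policies (hypothetical account and bucket names) ---------------
SCP = {  # organisation guardrail: allow everything except deleting buckets
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
IDENTITY_POLICY = {  # attached to the calling user or role
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:DeleteBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
BUCKET_POLICY = {  # resource-based policy on the bucket (Principal omitted in this model)
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}


def run_scenarios():
    """Evaluate a handful of requests and return {description: allowed?}."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    bucket = "arn:aws:s3:::example-bucket"
    common = dict(scp=SCP, identity_policy=IDENTITY_POLICY, resource_policy=BUCKET_POLICY)
    return {
        "same-account GetObject (identity policy allows)": is_allowed("s3:GetObject", obj, **common),
        "same-account PutObject (only bucket policy allows)": is_allowed("s3:PutObject", obj, **common),
        "cross-account PutObject (identity policy silent)": is_allowed("s3:PutObject", obj, cross_account=True, **common),
        "cross-account GetObject (bucket policy silent)": is_allowed("s3:GetObject", obj, cross_account=True, **common),
        "DeleteBucket (identity allows, SCP guardrail denies)": is_allowed("s3:DeleteBucket", bucket, **common),
        "ListBucket (no policy mentions it: implicit deny)": is_allowed("s3:ListBucket", bucket, **common),
    }


if __name__ == "__main__":
    for description, allowed in run_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {description}")
```

The two cross-account rows are the ones worth staring at: the same bucket policy that is sufficient on its own inside the account is not enough from another account, because there the caller's identity policy must also grant the action. In real AWS the bucket policy would additionally have to name the caller in its Principal element, which this model does not check.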