9/1/25About 17 min
Chapter 04: IAM Policies Explained
Learning Objectives
- Master the JSON syntax structure of IAM policies
- Understand the use of policy elements and attributes
- Learn about condition blocks and condition operators
- Master policy variables and dynamic references
- Understand policy evaluation logic and priority
IAM Policy System Architecture
4.1 Basic IAM Policy Syntax
4.1.1 Policy Document Structure
Basic Policy Structure
IAM policies use JSON format and include the following basic elements:
- Version: The policy language version
- Statement: An array of permission statements
- Effect: Allow or Deny
- Action: The allowed or denied actions
- Resource: The resources the actions apply to
- Condition: Optional condition constraints
import boto3
import json
from datetime import datetime
def create_basic_policy_structure():
"""
Create examples of the basic structure of an IAM policy
"""
# Simplest policy structure
simple_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*"
}
]
}
# Complete policy structure
complete_policy = {
"Version": "2012-10-17",
"Id": "ExamplePolicy123", # Optional policy ID
"Statement": [
{
"Sid": "AllowS3ReadAccess", # Optional statement ID
"Effect": "Allow",
"Principal": { # Only used in resource-based policies
"AWS": "arn:aws:iam::123456789012:user/ExampleUser"
},
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::example-bucket/*",
"arn:aws:s3:::another-bucket/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-server-side-encryption": "AES256"
},
"DateGreaterThan": {
"aws:CurrentTime": "2024-01-01T00:00:00Z"
}
}
}
]
}
print("📝 Simple policy structure:")
print(json.dumps(simple_policy, indent=2, ensure_ascii=False))
print("\n📝 Complete policy structure:")
print(json.dumps(complete_policy, indent=2, ensure_ascii=False))
return simple_policy, complete_policy
def validate_policy_syntax(policy_document):
"""
Validate the syntax of an IAM policy
"""
iam = boto3.client('iam')
try:
# Use the AWS IAM service to validate the policy syntax
response = iam.simulate_principal_policy(
PolicySourceArn='arn:aws:iam::123456789012:user/test-user',
ActionNames=['s3:GetObject'],
ResourceArns=['arn:aws:s3:::test-bucket/*'],
PolicyInputList=[json.dumps(policy_document)]
)
print("✅ Policy syntax validation passed")
# Check the simulation results
for result in response['EvaluationResults']:
decision = result['EvalDecision']
action = result['EvalActionName']
resource = result['EvalResourceName']
print(f" Action: {action}")
print(f" Resource: {resource}")
print(f" Decision: {decision}")
if 'MatchedStatements' in result:
print(f" Number of matched statements: {len(result['MatchedStatements'])}")
return True
except Exception as e:
print(f"❌ Policy syntax validation failed: {str(e)}")
return False
# Create and validate policy examples
simple_policy, complete_policy = create_basic_policy_structure()
validate_policy_syntax(simple_policy)4.1.2 Policy Elements Explained
def demonstrate_policy_elements():
"""
Demonstrate the use of various IAM policy elements
"""
# Version element
version_examples = {
"current": "2012-10-17", # Current version, recommended
"legacy": "2008-10-17" # Old version, not recommended
}
print("📋 Version description:")
for version_type, version_value in version_examples.items():
print(f" {version_type}: {version_value}")
# Effect element
effect_examples = {
"Allow": "Grant permission",
"Deny": "Explicitly deny permission (highest priority)"
}
print("\n📋 Effect types:")
for effect, description in effect_examples.items():
print(f" {effect}: {description}")
# Various formats for the Action element
action_formats = {
"Single action": "s3:GetObject",
"List of actions": ["s3:GetObject", "s3:PutObject"],
"Wildcard": "s3:*",
"Service wildcard": "*",
"Action family": "s3:Get*"
}
print("\n📋 Action formats:")
for format_type, example in action_formats.items():
print(f" {format_type}: {example}")
# Various formats for the Resource element
resource_formats = {
"Specific resource": "arn:aws:s3:::my-bucket/file.txt",
"Bucket": "arn:aws:s3:::my-bucket",
"Bucket contents": "arn:aws:s3:::my-bucket/*",
"List of resources": [
"arn:aws:s3:::bucket1/*",
"arn:aws:s3:::bucket2/*"
],
"Wildcard": "*",
"Partial wildcard": "arn:aws:s3:::my-*"
}
print("\n📋 Resource formats:")
for format_type, example in resource_formats.items():
print(f" {format_type}: {example}")
# Principal element (only for resource-based policies)
principal_formats = {
"AWS account": "arn:aws:iam::123456789012:root",
"IAM user": "arn:aws:iam::123456789012:user/UserName",
"IAM role": "arn:aws:iam::123456789012:role/RoleName",
"AWS service": "lambda.amazonaws.com",
"Anonymous user": "*",
"Federated user": "arn:aws:sts::123456789012:federated-user/UserName"
}
print("\n📋 Principal types:")
for principal_type, example in principal_formats.items():
print(f" {principal_type}: {example}")
# Create a comprehensive policy demonstrating various elements
comprehensive_policy = {
"Version": "2012-10-17",
"Id": "ComprehensivePolicyExample",
"Statement": [
{
"Sid": "AllowS3ReadAccess",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-data-bucket",
"arn:aws:s3:::my-data-bucket/*"
]
},
{
"Sid": "AllowS3WriteToSpecificPrefix",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::my-data-bucket/user-uploads/*"
},
{
"Sid": "DenyDeleteBucket",
"Effect": "Deny",
"Action": "s3:DeleteBucket",
"Resource": "*"
},
{
"Sid": "AllowEC2ReadOnly",
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
}
]
}
print("\n📝 Comprehensive policy example:")
print(json.dumps(comprehensive_policy, indent=2, ensure_ascii=False))
return comprehensive_policy
# Demonstrate policy elements
comprehensive_policy = demonstrate_policy_elements()4.2 Condition Blocks and Condition Operators
4.2.1 Condition Operators Explained
def demonstrate_condition_operators():
"""
Demonstrate various condition operators in IAM policies
"""
# String condition operators
string_conditions = {
"StringEquals": {
"description": "Exact string match",
"example": {
"aws:PrincipalTag/Department": "Finance"
}
},
"StringNotEquals": {
"description": "String not equal",
"example": {
"aws:PrincipalTag/Department": "Temp"
}
},
"StringLike": {
"description": "Wildcard pattern match",
"example": {
"s3:prefix": ["home/${aws:username}/*"]
}
},
"StringNotLike": {
"description": "Does not match wildcard pattern",
"example": {
"s3:prefix": ["restricted/*"]
}
}
}
# Numeric condition operators
numeric_conditions = {
"NumericEquals": {
"description": "Numeric equals",
"example": {
"s3:max-keys": "10"
}
},
"NumericNotEquals": {
"description": "Numeric not equal",
"example": {
"s3:max-keys": "100"
}
},
"NumericLessThan": {
"description": "Less than numeric value",
"example": {
"aws:MultiFactorAuthAge": "3600"
}
},
"NumericLessThanEquals": {
"description": "Less than or equal to numeric value",
"example": {
"s3:max-keys": "50"
}
},
"NumericGreaterThan": {
"description": "Greater than numeric value",
"example": {
"s3:object-size": "1024"
}
},
"NumericGreaterThanEquals": {
"description": "Greater than or equal to numeric value",
"example": {
"s3:object-size": "0"
}
}
}
# Date condition operators
date_conditions = {
"DateEquals": {
"description": "Date equals",
"example": {
"aws:CurrentTime": "2024-01-01T00:00:00Z"
}
},
"DateNotEquals": {
"description": "Date not equal",
"example": {
"aws:CurrentTime": "2024-12-25T00:00:00Z"
}
},
"DateLessThan": {
"description": "Date is earlier than",
"example": {
"aws:CurrentTime": "2024-12-31T23:59:59Z"
}
},
"DateGreaterThan": {
"description": "Date is later than",
"example": {
"aws:CurrentTime": "2024-01-01T00:00:00Z"
}
}
}
# Boolean condition operators
boolean_conditions = {
"Bool": {
"description": "Boolean value comparison",
"example": {
"aws:SecureTransport": "true",
"aws:MultiFactorAuthPresent": "true"
}
}
}
# IP address condition operators
ip_conditions = {
"IpAddress": {
"description": "IP address is within the range",
"example": {
"aws:SourceIp": ["203.0.113.0/24", "2001:DB8:1234:5678::/64"]
}
},
"NotIpAddress": {
"description": "IP address is not within the range",
"example": {
"aws:SourceIp": ["192.0.2.0/24"]
}
}
}
# ARN condition operators
arn_conditions = {
"ArnEquals": {
"description": "Exact ARN match",
"example": {
"aws:SourceArn": "arn:aws:s3:::my-bucket"
}
},
"ArnLike": {
"description": "ARN wildcard match",
"example": {
"aws:SourceArn": "arn:aws:s3:::my-*"
}
},
"ArnNotEquals": {
"description": "ARN not equal",
"example": {
"aws:SourceArn": "arn:aws:s3:::restricted-bucket"
}
},
"ArnNotLike": {
"description": "ARN does not match wildcard",
"example": {
"aws:SourceArn": "arn:aws:s3:::temp-*"
}
}
}
# Create a comprehensive policy with various conditions
condition_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "StringConditions",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/Environment": "Production"
},
"StringLike": {
"s3:prefix": ["home/${aws:username}/*"]
}
}
},
{
"Sid": "NumericConditions",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "*",
"Condition": {
"NumericLessThan": {
"s3:object-size": "10485760" # 10MB
},
"NumericGreaterThan": {
"s3:object-size": "0"
}
}
},
{
"Sid": "DateConditions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2024-01-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2024-12-31T23:59:59Z"
}
}
},
{
"Sid": "BooleanAndIPConditions",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true",
"aws:SecureTransport": "true"
},
"IpAddress": {
"aws:SourceIp": ["203.0.113.0/24"]
}
}
},
{
"Sid": "ARNConditions",
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::my-bucket/*"
}
}
}
]
}
print("📋 Condition operator types:")
print("\n🔤 String conditions:")
for op, details in string_conditions.items():
print(f" {op}: {details['description']}")
print("\n🔢 Numeric conditions:")
for op, details in numeric_conditions.items():
print(f" {op}: {details['description']}")
print("\n📅 Date conditions:")
for op, details in date_conditions.items():
print(f" {op}: {details['description']}")
print("\n✅ Boolean conditions:")
for op, details in boolean_conditions.items():
print(f" {op}: {details['description']}")
print("\n🌐 IP address conditions:")
for op, details in ip_conditions.items():
print(f" {op}: {details['description']}")
print("\n🏷️ ARN conditions:")
for op, details in arn_conditions.items():
print(f" {op}: {details['description']}")
print("\n📝 Comprehensive condition policy example:")
print(json.dumps(condition_policy, indent=2, ensure_ascii=False))
return condition_policy
# Demonstrate condition operators
condition_policy = demonstrate_condition_operators()4.2.2 Condition Modifiers and Set Operations
def demonstrate_condition_modifiers():
"""
Demonstrate condition modifiers and set operations in IAM
"""
# Condition modifiers
modifier_examples = {
"IfExists": {
"description": "Check the condition only if the key exists",
"use_case": "Handle optional fields",
"example": {
"StringEqualsIfExists": {
"s3:ExistingObjectTag/Environment": "Production"
}
}
},
"ForAllValues": {
"description": "All values in the request must match the condition",
"use_case": "Restrict all values of a multi-valued field",
"example": {
"ForAllValues:StringEquals": {
"dynamodb:Attributes": ["UserId", "Email", "Name"]
}
}
},
"ForAnyValue": {
"description": "At least one value in the request must match the condition",
"use_case": "Allow any value in a multi-valued field",
"example": {
"ForAnyValue:StringEquals": {
"aws:PrincipalTag/Department": ["Finance", "HR", "IT"]
}
}
}
}
# Create a policy demonstrating modifiers
modifier_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IfExistsModifier",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"s3:ExistingObjectTag/Classification": "Public"
},
"StringEquals": {
"s3:ExistingObjectTag/Environment": "Production"
}
}
},
{
"Sid": "ForAllValuesModifier",
"Effect": "Allow",
"Action": "dynamodb:GetItem",
"Resource": "arn:aws:dynamodb:*:*:table/UserProfiles",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:Attributes": [
"UserId",
"Email",
"FirstName",
"LastName"
]
}
}
},
{
"Sid": "ForAnyValueModifier",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::company-data/*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:PrincipalTag/Department": [
"Engineering",
"DevOps",
"QA"
]
}
}
}
]
}
print("📋 Condition modifier descriptions:")
for modifier, details in modifier_examples.items():
print(f"\n{modifier}:")
print(f" Description: {details['description']}")
print(f" Use case: {details['use_case']}")
print(f" Example: {json.dumps(details['example'], indent=4, ensure_ascii=False)}")
print("\n📝 Modifier policy example:")
print(json.dumps(modifier_policy, indent=2, ensure_ascii=False))
# Create an example of a complex condition combination
complex_condition_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ComplexS3Access",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::sensitive-data/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "true",
"aws:MultiFactorAuthPresent": "true"
},
"StringEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
},
"StringLike": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:*:*:key/*"
},
"NumericLessThan": {
"aws:MultiFactorAuthAge": "1800" # MFA within 30 minutes
},
"IpAddress": {
"aws:SourceIp": [
"203.0.113.0/24", # Office network
"198.51.100.0/24" # VPN network
]
},
"DateGreaterThan": {
"aws:CurrentTime": "2024-01-01T00:00:00Z"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Environment",
"Project",
"Owner"
]
}
}
}
]
}
print("\n📝 Complex condition combination policy:")
print(json.dumps(complex_condition_policy, indent=2, ensure_ascii=False))
return modifier_policy, complex_condition_policy
# Demonstrate condition modifiers
modifier_policy, complex_policy = demonstrate_condition_modifiers()4.3 Policy Variables and Dynamic References
4.3.1 AWS Policy Variables
def demonstrate_policy_variables():
"""
Demonstrate the use of variables in IAM policies
"""
# AWS global variables
global_variables = {
"aws:CurrentTime": "Current timestamp",
"aws:EpochTime": "Unix timestamp",
"aws:PrincipalType": "Principal type (User, Role, Account, etc.)",
"aws:SecureTransport": "Whether HTTPS is used",
"aws:SourceIp": "Source IP address of the request",
"aws:UserAgent": "HTTP User-Agent header",
"aws:userid": "AWS user ID",
"aws:username": "Username",
"aws:PrincipalArn": "ARN of the principal",
"aws:RequestedRegion": "Requested AWS region",
"aws:RequestTag/key": "Tag value in the request",
"aws:PrincipalTag/key": "Tag value of the principal"
}
# Service-specific variables
service_variables = {
"s3": {
"s3:prefix": "S3 object prefix",
"s3:delimiter": "S3 delimiter",
"s3:max-keys": "Maximum number of objects to list",
"s3:ExistingObjectTag/key": "Tag value of an existing object",
"s3:x-amz-content-sha256": "SHA256 hash of the content",
"s3:x-amz-server-side-encryption": "Server-side encryption type"
},
"ec2": {
"ec2:InstanceType": "EC2 instance type",
"ec2:Region": "EC2 region",
"ec2:ResourceTag/key": "EC2 resource tag",
"ec2:Subnet": "Subnet ID"
},
"dynamodb": {
"dynamodb:Attributes": "List of DynamoDB attributes",
"dynamodb:LeadingKeys": "Value of the DynamoDB primary key",
"dynamodb:Encrypt": "Whether encryption is enabled"
}
}
# Create example policies using variables
variable_policies = {
"user_home_directory": {
"description": "User can only access their own home directory",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::user-home-directories/${aws:username}/*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::user-home-directories",
"Condition": {
"StringLike": {
"s3:prefix": "${aws:username}/*"
}
}
}
]
}
},
"time_based_access": {
"description": "Time-based access control",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2024-01-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2024-12-31T23:59:59Z"
},
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
]
}
},
"tag_based_access": {
"description": "Tag-based access control",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": "${aws:username}",
"ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedTag/Owner": "${aws:username}",
"aws:RequestedTag/Department": "${aws:PrincipalTag/Department}"
}
}
}
]
}
},
"dynamodb_row_level": {
"description": "DynamoDB row-level access control",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem"
],
"Resource": "arn:aws:dynamodb:*:*:table/UserProfiles",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": ["${aws:username}"]
}
}
}
]
}
}
}
print("📋 AWS global variables:")
for var, description in global_variables.items():
print(f" ${{{var}}}: {description}")
print("\n📋 Service-specific variables:")
for service, variables in service_variables.items():
print(f"\n {service.upper()} service:")
for var, description in variables.items():
print(f" ${{{var}}}: {description}")
print("\n📝 Policy variable usage examples:")
for policy_name, policy_info in variable_policies.items():
print(f"\n{policy_name}:")
print(f" Description: {policy_info['description']}")
print(f" Policy: {json.dumps(policy_info['policy'], indent=2, ensure_ascii=False)}")
return variable_policies
def create_dynamic_policy_generator():
"""
Create a dynamic policy generator
"""
class DynamicPolicyGenerator:
def __init__(self):
self.base_templates = {}
def register_template(self, name, template):
"""Register a policy template"""
self.base_templates[name] = template
def generate_user_specific_policy(self, username, department, resources):
"""Generate a user-specific policy"""
user_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserSpecificS3Access",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": f"arn:aws:s3:::user-data/{username}/*"
},
{
"Sid": "AllowDepartmentSharedAccess",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": f"arn:aws:s3:::shared-data/{department.lower()}/*"
}
]
}
# Add resource-specific permissions
if resources:
for resource in resources:
if resource['type'] == 'ec2':
user_policy['Statement'].append({
"Sid": f"AllowEC2Access{resource['name']}",
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Resource": resource['arn'],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": username
}
}
})
return user_policy
def generate_role_specific_policy(self, service_name, permissions_level):
"""Generate a role-specific policy"""
service_policies = {
"lambda": {
"basic": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
},
"s3_access": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::lambda-data/*"
}
]
}
}
}
return service_policies.get(service_name, {}).get(permissions_level, {})
def apply_security_constraints(self, policy, constraints):
"""Apply security constraints to a policy"""
enhanced_policy = policy.copy()
# Add common security conditions
security_conditions = {
"Bool": {
"aws:SecureTransport": "true"
}
}
if constraints.get('require_mfa'):
security_conditions["Bool"]["aws:MultiFactorAuthPresent"] = "true"
security_conditions["NumericLessThan"] = {
"aws:MultiFactorAuthAge": str(constraints.get('mfa_max_age', 3600))
}
if constraints.get('ip_restriction'):
security_conditions["IpAddress"] = {
"aws:SourceIp": constraints['ip_restriction']
}
if constraints.get('time_restriction'):
if 'start_time' in constraints['time_restriction']:
security_conditions["DateGreaterThan"] = {
"aws:CurrentTime": constraints['time_restriction']['start_time']
}
if 'end_time' in constraints['time_restriction']:
security_conditions["DateLessThan"] = {
"aws:CurrentTime": constraints['time_restriction']['end_time']
}
# Apply security conditions to all statements
for statement in enhanced_policy.get('Statement', []):
if 'Condition' not in statement:
statement['Condition'] = {}
# Merge conditions
for condition_type, condition_value in security_conditions.items():
if condition_type not in statement['Condition']:
statement['Condition'][condition_type] = {}
statement['Condition'][condition_type].update(condition_value)
return enhanced_policy
return DynamicPolicyGenerator()
# Demonstrate policy variables
variable_policies = demonstrate_policy_variables()
# Create and use the dynamic policy generator
policy_generator = create_dynamic_policy_generator()
# Generate a user-specific policy
user_policy = policy_generator.generate_user_specific_policy(
username="john.doe",
department="Engineering",
resources=[
{
"type": "ec2",
"name": "DevServer",
"arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0"
}
]
)
print("\n📝 Dynamically generated user policy:")
print(json.dumps(user_policy, indent=2, ensure_ascii=False))
# Apply security constraints
constraints = {
"require_mfa": True,
"mfa_max_age": 1800, # 30 minutes
"ip_restriction": ["203.0.113.0/24"],
"time_restriction": {
"start_time": "2024-01-01T00:00:00Z",
"end_time": "2024-12-31T23:59:59Z"
}
}
secured_policy = policy_generator.apply_security_constraints(user_policy, constraints)
print("\n📝 Policy after applying security constraints:")
print(json.dumps(secured_policy, indent=2, ensure_ascii=False))4.4 Policy Evaluation Logic
4.4.1 Policy Evaluation Order
def demonstrate_policy_evaluation_logic():
"""
Demonstrate IAM policy evaluation logic and priority
"""
# Policy evaluation order
evaluation_order = {
1: {
"step": "Explicit Deny Check",
"description": "Check all policies for an explicit Deny statement",
"result": "If a matching Deny is found, the request is immediately denied"
},
2: {
"step": "Organization SCP Check",
"description": "Check the AWS Organizations service control policies",
"result": "If the SCP does not allow, the request is denied"
},
3: {
"step": "Resource Policy Check",
"description": "Check resource-based policies on the resource",
"result": "If the resource policy allows, the request may be allowed"
},
4: {
"step": "Permissions Boundary Check",
"description": "Check the permissions boundary of the IAM entity",
"result": "The permissions boundary limits the maximum permissions"
},
5: {
"step": "Identity Policy Check",
"description": "Check the identity policies of the user, group, and role",
"result": "If the identity policy allows, the request may be allowed"
},
6: {
"step": "Session Policy Check",
"description": "Check the session policy provided during AssumeRole",
"result": "The session policy further restricts permissions"
},
7: {
"step": "Default Deny",
"description": "If there is no explicit allow, deny by default",
"result": "The request is denied"
}
}
print("📋 IAM policy evaluation order:")
for step_num, step_info in evaluation_order.items():
print(f"\n{step_num}. {step_info['step']}")
print(f" Description: {step_info['description']}")
print(f" Result: {step_info['result']}")
# Create policy evaluation examples
evaluation_examples = {
"explicit_deny_wins": {
"scenario": "Explicit deny has the highest priority",
"policies": {
"identity_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
},
"resource_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::critical-data/*"
}
]
}
},
"result": "The DeleteObject action is denied because the explicit deny has the highest priority"
},
"permissions_boundary_limitation": {
"scenario": "Permissions boundary limitation",
"policies": {
"identity_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
},
"permissions_boundary": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
},
"result": "Only S3 actions are allowed, other service actions are blocked by the permissions boundary"
},
"session_policy_restriction": {
"scenario": "Further restriction by session policy",
"policies": {
"role_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
},
"session_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::specific-bucket/*"
}
]
}
},
"result": "Only reading objects from a specific bucket is allowed, other S3 actions are restricted by the session policy"
}
}
print("\n📝 Policy evaluation examples:")
for example_name, example_info in evaluation_examples.items():
print(f"\n{example_name}:")
print(f" Scenario: {example_info['scenario']}")
print(f" Result: {example_info['result']}")
for policy_type, policy_content in example_info['policies'].items():
print(f"\n {policy_type}:")
print(f" {json.dumps(policy_content, indent=2, ensure_ascii=False)}")
return evaluation_order, evaluation_examples
def create_policy_evaluation_simulator():
"""
Create a policy evaluation simulator
"""
class PolicyEvaluationSimulator:
def __init__(self):
self.policies = {
'identity_policies': [],
'resource_policies': [],
'permissions_boundaries': [],
'session_policies': [],
'scp_policies': []
}
def add_policy(self, policy_type, policy_document):
"""Add a policy to the simulator"""
if policy_type in self.policies:
self.policies[policy_type].append(policy_document)
def evaluate_request(self, action, resource, principal=None, conditions=None):
"""Simulate the policy evaluation process"""
evaluation_result = {
'action': action,
'resource': resource,
'principal': principal,
'conditions': conditions or {},
'decision': 'Deny', # Default deny
'evaluation_steps': []
}
# Step 1: Check for explicit deny
explicit_deny = self._check_explicit_deny(action, resource, conditions)
evaluation_result['evaluation_steps'].append({
'step': 1,
'name': 'Explicit Deny Check',
'result': 'Deny' if explicit_deny else 'No explicit deny found',
'decision': 'Deny' if explicit_deny else 'Continue'
})
if explicit_deny:
evaluation_result['decision'] = 'Deny'
evaluation_result['reason'] = 'Explicit deny found'
return evaluation_result
# Step 2: Check Organization SCPs (simulated)
scp_allow = self._check_scp_policies(action, resource)
evaluation_result['evaluation_steps'].append({
'step': 2,
'name': 'Organization SCP Check',
'result': 'Allow' if scp_allow else 'Deny',
'decision': 'Continue' if scp_allow else 'Deny'
})
if not scp_allow:
evaluation_result['decision'] = 'Deny'
evaluation_result['reason'] = 'Organization SCP denies'
return evaluation_result
# Step 3: Check resource policies
resource_policy_allow = self._check_resource_policies(action, resource, principal)
evaluation_result['evaluation_steps'].append({
'step': 3,
'name': 'Resource Policy Check',
'result': 'Allow' if resource_policy_allow else 'No explicit allow',
'decision': 'Continue'
})
# Step 4: Check permissions boundaries
permissions_boundary_allow = self._check_permissions_boundaries(action, resource)
evaluation_result['evaluation_steps'].append({
'step': 4,
'name': 'Permissions Boundary Check',
'result': 'Allow' if permissions_boundary_allow else 'Deny',
'decision': 'Continue' if permissions_boundary_allow else 'Deny'
})
if not permissions_boundary_allow:
evaluation_result['decision'] = 'Deny'
evaluation_result['reason'] = 'Permissions boundary denies'
return evaluation_result
# Step 5: Check identity policies
identity_policy_allow = self._check_identity_policies(action, resource, conditions)
evaluation_result['evaluation_steps'].append({
'step': 5,
'name': 'Identity Policy Check',
'result': 'Allow' if identity_policy_allow else 'No explicit allow',
'decision': 'Continue' if identity_policy_allow else 'Deny'
})
# Step 6: Check session policies
session_policy_allow = self._check_session_policies(action, resource)
evaluation_result['evaluation_steps'].append({
'step': 6,
'name': 'Session Policy Check',
'result': 'Allow' if session_policy_allow else 'No restriction',
'decision': 'Continue'
})
# Final decision
if (resource_policy_allow or identity_policy_allow) and session_policy_allow:
evaluation_result['decision'] = 'Allow'
evaluation_result['reason'] = 'Request allowed by policies'
else:
evaluation_result['decision'] = 'Deny'
evaluation_result['reason'] = 'No explicit allow found (implicit deny)'
return evaluation_result
def _check_explicit_deny(self, action, resource, conditions):
"""Check for an explicit deny"""
all_policies = (
self.policies['identity_policies'] +
self.policies['resource_policies'] +
self.policies['session_policies']
)
for policy in all_policies:
for statement in policy.get('Statement', []):
if (statement.get('Effect') == 'Deny' and
self._action_matches(action, statement.get('Action', [])) and
self._resource_matches(resource, statement.get('Resource', []))):
return True
return False
def _check_scp_policies(self, action, resource):
"""Check Organization SCP policies"""
if not self.policies['scp_policies']:
return True # No SCP policies, allow
for policy in self.policies['scp_policies']:
for statement in policy.get('Statement', []):
if (statement.get('Effect') == 'Allow' and
self._action_matches(action, statement.get('Action', [])) and
self._resource_matches(resource, statement.get('Resource', []))):
return True
return False
def _check_resource_policies(self, action, resource, principal):
"""Check resource policies"""
for policy in self.policies['resource_policies']:
for statement in policy.get('Statement', []):
if (statement.get('Effect') == 'Allow' and
self._action_matches(action, statement.get('Action', [])) and
self._resource_matches(resource, statement.get('Resource', [])) and
self._principal_matches(principal, statement.get('Principal', {}))):
return True
return False
def _check_permissions_boundaries(self, action, resource):
"""Check permissions boundaries"""
if not self.policies['permissions_boundaries']:
return True # No permissions boundary, no restriction
for policy in self.policies['permissions_boundaries']:
for statement in policy.get('Statement', []):
if (statement.get('Effect') == 'Allow' and
self._action_matches(action, statement.get('Action', [])) and
self._resource_matches(resource, statement.get('Resource', []))):
return True
return False
def _check_identity_policies(self, action, resource, conditions):
"""Check identity policies"""
for policy in self.policies['identity_policies']:
for statement in policy.get('Statement', []):
if (statement.get('Effect') == 'Allow' and
self._action_matches(action, statement.get('Action', [])) and
self._resource_matches(resource, statement.get('Resource', []))):
return True
return False
def _check_session_policies(self, action, resource):
"""Check session policies"""
if not self.policies['session_policies']:
return True # No session policy, no restriction
for policy in self.policies['session_policies']:
for statement in policy.get('Statement', []):
if (statement.get('Effect') == 'Allow' and
self._action_matches(action, statement.get('Action', [])) and
self._resource_matches(resource, statement.get('Resource', []))):
return True
return False
def _action_matches(self, requested_action, policy_actions):
"""Check if an action matches"""
if isinstance(policy_actions, str):
policy_actions = [policy_actions]
for policy_action in policy_actions:
if policy_action == '*' or policy_action == requested_action:
return True
if policy_action.endswith('*'):
prefix = policy_action[:-1]
if requested_action.startswith(prefix):
return True
return False
def _resource_matches(self, requested_resource, policy_resources):
"""Check if a resource matches"""
if isinstance(policy_resources, str):
policy_resources = [policy_resources]
for policy_resource in policy_resources:
if policy_resource == '*' or policy_resource == requested_resource:
return True
if policy_resource.endswith('*'):
prefix = policy_resource[:-1]
if requested_resource.startswith(prefix):
return True
return False
def _principal_matches(self, requested_principal, policy_principal):
"""Check if a principal matches"""
if not policy_principal:
return True
if policy_principal == '*':
return True
# Simplified principal matching logic
return True
return PolicyEvaluationSimulator()
# Demonstrate policy evaluation logic
evaluation_order, evaluation_examples = demonstrate_policy_evaluation_logic()
# Create and use the policy evaluation simulator
simulator = create_policy_evaluation_simulator()
# Add example policies
identity_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
deny_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "s3:DeleteObject",
"Resource": "*"
}
]
}
simulator.add_policy('identity_policies', identity_policy)
simulator.add_policy('identity_policies', deny_policy)
# Simulate policy evaluation
result1 = simulator.evaluate_request(
action='s3:GetObject',
resource='arn:aws:s3:::my-bucket/file.txt',
principal='arn:aws:iam::123456789012:user/testuser'
)
result2 = simulator.evaluate_request(
action='s3:DeleteObject',
resource='arn:aws:s3:::my-bucket/file.txt',
principal='arn:aws:iam::123456789012:user/testuser'
)
print("\n📝 Policy evaluation simulation results:")
print("\nAllowed GetObject request:")
print(json.dumps(result1, indent=2, ensure_ascii=False, default=str))
print("\nDenied DeleteObject request:")
print(json.dumps(result2, indent=2, ensure_ascii=False, default=str))4.5 Policy Types and Use Cases
4.5.1 Different Types of Policies
def demonstrate_policy_types():
"""
Demonstrate different types of IAM policies and their use cases
"""
policy_types = {
"identity_based_policies": {
"description": "Policies attached to an IAM identity (user, group, or role)",
"types": {
"managed_policies": {
"aws_managed": "Predefined policies provided by AWS",
"customer_managed": "Policies created and managed by the customer"
},
"inline_policies": "Policies embedded directly into a single identity"
},
"use_cases": [
"Define permissions for a user, group, or role",
"Share the same permissions across multiple identities",
"Provide a baseline set of permissions"
]
},
"resource_based_policies": {
"description": "Policies attached to an AWS resource",
"examples": ["S3 bucket policies", "SQS queue policies", "KMS key policies", "Lambda resource policies"],
"use_cases": [
"Define who can access a specific resource",
"Cross-account resource sharing",
"Resource-level access control"
]
},
"permissions_boundaries": {
"description": "Define the maximum permissions for an IAM entity",
"use_cases": [
"Limit the maximum permissions of developers",
"Implement permission delegation",
"Enterprise governance and compliance"
]
},
"organization_scps": {
"description": "Service control policies for AWS Organizations",
"use_cases": [
"Restrict service usage at the organization level",
"Prevent accidental high-cost operations",
"Enforce compliance requirements"
]
},
"session_policies": {
"description": "Temporary policies provided during AssumeRole",
"use_cases": [
"Further restrict role permissions",
"Provide temporary fine-grained control",
"Dynamic permission adjustments"
]
}
}
# Create examples of different policy types
policy_examples = {
"identity_based_managed": {
"name": "S3ReadOnlyAccess-Custom",
"description": "Custom S3 read-only access policy",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetBucketVersioning"
],
"Resource": [
"arn:aws:s3:::company-data-*",
"arn:aws:s3:::company-data-*/*"
]
}
]
}
},
"resource_based_s3": {
"name": "S3BucketCrossAccountPolicy",
"description": "Allow cross-account access to an S3 bucket",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountRead",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root",
"arn:aws:iam::444455556666:user/trusted-user"
]
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::shared-bucket",
"arn:aws:s3:::shared-bucket/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
]
}
},
"permissions_boundary": {
"name": "DeveloperPermissionsBoundary",
"description": "Permissions boundary for developers",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"dynamodb:*",
"lambda:*",
"ec2:Describe*",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"iam:*",
"organizations:*",
"account:*",
"billing:*"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "ec2:TerminateInstances",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"ec2:ResourceTag/Environment": ["Dev", "Test"]
}
}
}
]
}
},
"organization_scp": {
"name": "PreventHighCostServices",
"description": "SCP to prevent the use of high-cost services",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"sagemaker:*",
"redshift:*",
"emr:*"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"ForAnyValue:StringNotEquals": {
"ec2:InstanceType": [
"t2.micro",
"t2.small",
"t3.micro",
"t3.small"
]
}
}
}
]
}
},
"session_policy": {
"name": "TemporaryReadOnlyAccess",
"description": "Temporary read-only access session policy",
"policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"ec2:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"cloudwatch:Describe*"
],
"Resource": "*"
}
]
}
}
}
print("📋 IAM policy type descriptions:")
for policy_type, info in policy_types.items():
print(f"\n{policy_type.replace('_', ' ').title()}:")
print(f" Description: {info['description']}")
if 'types' in info:
print(" Subtypes:")
for subtype, subdesc in info['types'].items():
if isinstance(subdesc, dict):
print(f" {subtype}:")
for k, v in subdesc.items():
print(f" - {k}: {v}")
else:
print(f" - {subtype}: {subdesc}")
if 'examples' in info:
print(f" Examples: {', '.join(info['examples'])}")
print(" Use cases:")
for use_case in info['use_cases']:
print(f" - {use_case}")
print("\n📝 Policy examples:")
for example_name, example_info in policy_examples.items():
print(f"\n{example_name}:")
print(f" Name: {example_info['name']}")
print(f" Description: {example_info['description']}")
print(f" Policy content:")
print(json.dumps(example_info['policy'], indent=4, ensure_ascii=False))
return policy_types, policy_examples
def create_policy_management_system():
"""
Create a policy management system
"""
class PolicyManagementSystem:
def __init__(self):
self.iam = boto3.client('iam')
self.policy_templates = {}
self.policy_versions = {}
def create_managed_policy(self, policy_name, policy_document, description=""):
"""Create a managed policy"""
try:
response = self.iam.create_policy(
PolicyName=policy_name,
PolicyDocument=json.dumps(policy_document),
Description=description,
Tags=[
{
'Key': 'ManagedBy',
'Value': 'PolicyManagementSystem'
},
{
'Key': 'CreatedDate',
'Value': datetime.now().strftime('%Y-%m-%d')
}
]
)
policy_arn = response['Policy']['Arn']
print(f"✅ Managed policy created successfully: {policy_arn}")
return policy_arn
except Exception as e:
print(f"❌ Failed to create managed policy: {str(e)}")
return None
def create_policy_version(self, policy_arn, new_policy_document):
"""Create a new policy version"""
try:
# Get current version information
policy = self.iam.get_policy(PolicyArn=policy_arn)
current_versions = self.iam.list_policy_versions(PolicyArn=policy_arn)
# Check the version limit (max 5 versions)
if len(current_versions['Versions']) >= 5:
# Delete the oldest non-default version
oldest_version = None
for version in current_versions['Versions']:
if not version['IsDefaultVersion']:
if oldest_version is None or version['CreateDate'] < oldest_version['CreateDate']:
oldest_version = version
if oldest_version:
self.iam.delete_policy_version(
PolicyArn=policy_arn,
VersionId=oldest_version['VersionId']
)
print(f"🗑️ Deleted old version: {oldest_version['VersionId']}")
# Create a new version
response = self.iam.create_policy_version(
PolicyArn=policy_arn,
PolicyDocument=json.dumps(new_policy_document),
SetAsDefault=True
)
version_id = response['PolicyVersion']['VersionId']
print(f"✅ New policy version created successfully: {version_id}")
return version_id
except Exception as e:
print(f"❌ Failed to create policy version: {str(e)}")
return None
def attach_policy_to_entity(self, policy_arn, entity_type, entity_name):
"""Attach a policy to an IAM entity"""
try:
if entity_type == 'user':
self.iam.attach_user_policy(
UserName=entity_name,
PolicyArn=policy_arn
)
elif entity_type == 'role':
self.iam.attach_role_policy(
RoleName=entity_name,
PolicyArn=policy_arn
)
elif entity_type == 'group':
self.iam.attach_group_policy(
GroupName=entity_name,
PolicyArn=policy_arn
)
else:
raise ValueError(f"Unsupported entity type: {entity_type}")
print(f"✅ Policy attached to {entity_type}: {entity_name}")
return True
except Exception as e:
print(f"❌ Failed to attach policy: {str(e)}")
return False
def set_permissions_boundary(self, entity_type, entity_name, boundary_policy_arn):
"""Set a permissions boundary"""
try:
if entity_type == 'user':
self.iam.put_user_permissions_boundary(
UserName=entity_name,
PermissionsBoundary=boundary_policy_arn
)
elif entity_type == 'role':
self.iam.put_role_permissions_boundary(
RoleName=entity_name,
PermissionsBoundary=boundary_policy_arn
)
else:
raise ValueError(f"Permissions boundary not supported for entity type: {entity_type}")
print(f"✅ Permissions boundary set for {entity_type}: {entity_name}")
return True
except Exception as e:
print(f"❌ Failed to set permissions boundary: {str(e)}")
return False
def validate_policy_permissions(self, policy_arn, test_cases):
"""Validate policy permissions"""
try:
validation_results = []
for test_case in test_cases:
response = self.iam.simulate_principal_policy(
PolicySourceArn=policy_arn,
ActionNames=[test_case['action']],
ResourceArns=[test_case['resource']],
ContextEntries=test_case.get('context', [])
)
for result in response['EvaluationResults']:
validation_results.append({
'action': result['EvalActionName'],
'resource': result['EvalResourceName'],
'decision': result['EvalDecision'],
'expected': test_case.get('expected', 'Allow'),
'passed': result['EvalDecision'] == test_case.get('expected', 'Allow')
})
print("📊 Policy validation results:")
for result in validation_results:
status = "✅" if result['passed'] else "❌"
print(f" {status} {result['action']} on {result['resource']}: "
f"{result['decision']} (expected: {result['expected']})")
return validation_results
except Exception as e:
print(f"❌ Policy validation failed: {str(e)}")
return []
def generate_policy_report(self, policy_arn):
"""Generate a policy report"""
try:
# Get policy details
policy = self.iam.get_policy(PolicyArn=policy_arn)
policy_version = self.iam.get_policy_version(
PolicyArn=policy_arn,
VersionId=policy['Policy']['DefaultVersionId']
)
# Get policy usage
entities = self.iam.list_entities_for_policy(PolicyArn=policy_arn)
report = {
'policy_name': policy['Policy']['PolicyName'],
'policy_arn': policy_arn,
'created_date': policy['Policy']['CreateDate'],
'updated_date': policy['Policy']['UpdateDate'],
'description': policy['Policy']['Description'],
'default_version': policy['Policy']['DefaultVersionId'],
'attached_to': {
'users': [user['UserName'] for user in entities['PolicyUsers']],
'groups': [group['GroupName'] for group in entities['PolicyGroups']],
'roles': [role['RoleName'] for role in entities['PolicyRoles']]
},
'policy_document': policy_version['PolicyVersion']['Document']
}
print("📋 Policy report:")
print(f" Policy name: {report['policy_name']}")
print(f" Creation date: {report['created_date']}")
print(f" Update date: {report['updated_date']}")
print(f" Description: {report['description']}")
print(f" Current version: {report['default_version']}")
print(f" Attached to users: {len(report['attached_to']['users'])}")
print(f" Attached to groups: {len(report['attached_to']['groups'])}")
print(f" Attached to roles: {len(report['attached_to']['roles'])}")
return report
except Exception as e:
print(f"❌ Failed to generate policy report: {str(e)}")
return None
return PolicyManagementSystem()
# Demonstrate policy types
policy_types, policy_examples = demonstrate_policy_types()
# Create a policy management system
policy_mgmt = create_policy_management_system()
# Example: Create and manage a policy
example_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-app-bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
]
}
# Note: Actual execution requires valid AWS credentials
print("\n📝 Policy management system example:")
print("Functions for creating managed policies, versioning, attaching policies, etc. are ready")Summary
This chapter provided an in-depth look at the core content of AWS IAM policies:
- Basic Syntax: Master the structure of JSON policy documents and the use of various elements
- Condition System: Understand the use of condition operators, modifiers, and complex condition combinations
- Policy Variables: Learn dynamic referencing and variable substitution to implement flexible permission control
- Evaluation Logic: Understand the priority and decision-making process of policy evaluation
- Policy Types: Master the features and use cases of different policy types
By completing this chapter, you should be able to:
- Write IAM policies that follow best practices
- Use conditions and variables to implement fine-grained permission control
- Understand the policy evaluation mechanism to debug permission issues
- Manage different types of policies to meet various business needs
- Implement policy versioning and permission auditing
In the next chapter, we will learn about advanced applications of permissions boundaries and service control policies.