Read on:
AWS for Beginners: Understanding AWS Terminologies: Part 1
AWS for Beginners: What is AWS EC2: Part 2
AWS for Beginners: AWS Compute Services: Part 3
AWS for Beginners: How to Protect AWS Security Tools: Part 4
AWS for Beginners: What is IAM (Identity and Access Management) and Best Practices: Part 5
AWS for Beginners: Provisioning IAM Users and Programmatic Access in AWS: Part 6
AWS for Beginners: Securing Root account using MFA: Part 7
AWS for Beginners: Amazon S3 Overview, Security and Best Practices : Part 8
AWS for Beginners: Creating and managing IAM groups: Part 9
AWS for Beginners: AWS Managed Policies and Inline Policies: Part 10
In the AWS cloud, policies manage access to resources. A policy defines what access an identity has to a resource, and under which conditions. In this way, unauthorized access is restricted and the cloud account is kept safe. There are two types of AWS policies: AWS managed policies and customer managed policies. In the case of an AWS managed policy, the customer cannot change any part of the policy, because these policies are maintained by AWS and any updates are applied automatically by AWS. Whenever the AWS managed policies do not satisfy a client-specific requirement, the customer can create their own policy document and apply it. In this article, we will look at how to assign AWS managed policies to identities.
How to find AWS-managed policies?
In this section, we will look at how to search for AWS-managed policies from the AWS console.
1. Log in to the AWS console using the URL https://aws.amazon.com/console
2. Search for the IAM service in the search bar and click on IAM from the results.
3. Click on Policies on the next page.
4. In the next screen, to find all the AWS-managed policies, filter for the policies with Type: AWS managed
How to find Customer managed policies?
1. On the same Policies screen, to find all the customer managed policies, filter for the policies with Type: Customer managed
Attach an AWS-managed or Customer managed policy to a group
In this example, we will use the user group named appgroup. This group does not have any policies attached to it yet. We will look at how to attach a policy to the group.
1. Click on the user groups option in the IAM service. This will list all the groups created in IAM and their current permissions.
2. For this example, click on the group appgroup. We can see that the current permissions are showing as Not Defined, which means the group is not attached to any policy yet.
3. As the group page shows, this group already has two users in it. Now click on the Permissions tab on the screen.
4. Now click on the Add Permissions button and click on Attach Policies.
5. In the next screen, search for any policy, AWS managed or customer managed. In this example, we will select the AWS managed policy AmazonEC2FullAccess and attach it to the group by clicking on the button Add Permissions. Every user that belongs to this group now receives the permissions granted by this policy.
Attach an AWS-managed or Customer managed policy to a User
In this example, we will use the user named appadmin. This user already has the policy AmazonEC2FullAccess, which is inherited from the group the user belongs to. We will look at how to attach a policy directly to the user. In this example, we will attach the policy AmazonS3FullAccess to the user.
1. Click on the user option in the IAM service and select the user of your choice. For this example, we will select the user appadmin.
2. In the next screen, click on Add Permissions.
3. In the next screen, click on the option Attach existing policies directly.
4. Search for any policy from the list and select the policy. Then click on Review. Here we search for and select the policy AmazonS3FullAccess.
5. In the next screen, review the entries and click on Add Permissions. The user now holds the permissions granted by the policy.
Now we can see that there are two policies attached to the user: one attached directly, and one attached through the group.
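As an added example (not code from the original article), the small Python audit script below shows the effect of the two attachment paths described above: it resolves which managed policies apply to a user through group membership versus direct attachment, tells AWS managed from customer managed policies by their ARN, and lists users that carry policies directly. The data is a constructed sample in the shape of the `aws iam get-account-authorization-details` export, mirroring appadmin and appgroup from the article; the second user appdev is an assumption.

```python
# Constructed sample (not real account data) in the shape of the output of
# `aws iam get-account-authorization-details`, mirroring the article: appadmin
# is in appgroup, which has AmazonEC2FullAccess attached; AmazonS3FullAccess is
# attached to appadmin directly. appdev is a hypothetical second group member.
SAMPLE = {
    "UserDetailList": [
        {"UserName": "appadmin", "GroupList": ["appgroup"],
         "AttachedManagedPolicies": [
             {"PolicyName": "AmazonS3FullAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}]},
        {"UserName": "appdev", "GroupList": ["appgroup"],
         "AttachedManagedPolicies": []},
    ],
    "GroupDetailList": [
        {"GroupName": "appgroup",
         "AttachedManagedPolicies": [
             {"PolicyName": "AmazonEC2FullAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"}]},
    ],
}

def is_aws_managed(policy_arn):
    # AWS managed policies live under the pseudo-account "aws"; customer managed
    # policies carry the customer's own 12-digit account id instead.
    return policy_arn.startswith("arn:aws:iam::aws:policy/")

def effective_policies(details, user_name):
    """Return {policy_arn: source}, source being 'direct' or 'group:<name>'.
    A policy attached both ways is reported as 'direct', the one to clean up."""
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    user = next(u for u in details["UserDetailList"] if u["UserName"] == user_name)
    result = {}
    for group_name in user.get("GroupList", []):
        for p in groups.get(group_name, {}).get("AttachedManagedPolicies", []):
            result.setdefault(p["PolicyArn"], "group:" + group_name)
    for p in user.get("AttachedManagedPolicies", []):
        result[p["PolicyArn"]] = "direct"
    return result

def users_with_direct_attachments(details):
    """Users carrying managed policies directly rather than through a group."""
    return sorted(u["UserName"] for u in details["UserDetailList"]
                  if u.get("AttachedManagedPolicies"))

if __name__ == "__main__":
    for arn, source in sorted(effective_policies(SAMPLE, "appadmin").items()):
        kind = "AWS managed" if is_aws_managed(arn) else "customer managed"
        print(f"{arn}  ({kind}, via {source})")
    print("users with direct attachments:", users_with_direct_attachments(SAMPLE))
```

On a real account, save the output of `aws iam get-account-authorization-details` to a file, load it with `json.load`, and pass that dict in place of SAMPLE.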
Conclusion:
In this article, we have gone through the ways of attaching a policy to a user or a group. A policy can be attached directly to a user or to a group. When a policy is attached to a group, all users within that group inherit the permissions it grants. When policies are attached at the user level, managing each user's permissions becomes complicated; managing permissions through groups simplifies the task, since many users can be granted the same permissions through a single group. Always exercise due diligence and follow the principle of least privilege when granting permissions.