AWS Solutions Architect · Lesson

IAM Roles and Policies

Write JSON policy documents, attach them to roles, and understand the difference between identity-based and resource-based policies.

IAM Policies: The Permission Language

An IAM policy is a JSON document that states what is allowed or denied. It has a Version (use "2012-10-17"; the older 2008 version, which is also the default when Version is omitted, does not support policy variables) and a Statement array. Each statement carries an Effect (Allow or Deny), the Action names it applies to, the Resource ARNs it covers, and optionally a Condition that narrows when it applies. Access is denied by default: a request succeeds only if some applicable statement allows it and no applicable statement denies it. The policy below allows reading and writing objects in one bucket and nothing else.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
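As an added example (not part of the lesson), here is a small Python linter for identity-based policy documents. It rejects the single-quoted pseudo-JSON that IAM itself refuses, checks the structural elements described above, and flags the over-broad Allow patterns a reviewer looks for. The two sample policies are constructed for this example, and the checks are reviewer heuristics, not AWS's own policy validator.

```python
import json

# Constructed sample policies for this example (not taken from any real account).
LEAST_PRIVILEGE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ObjectReadWrite",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
"""

OVERLY_BROAD = """
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*"
  }
}
"""


def as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list[str]:
    """Return human-readable findings for an identity-based policy; an empty list means clean."""
    # Single-quoted "JSON" fails here, exactly as the IAM API would reject it.
    policy = json.loads(document)
    findings = []

    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17; a missing or 2008 version disables policy variables")

    statements = as_list(policy.get("Statement"))
    if not statements:
        findings.append("Policy has no Statement")

    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{i}]")
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny, got {effect!r}")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{sid}: missing Action/NotAction")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{sid}: missing Resource/NotResource")
        if effect != "Allow":
            continue  # a broad Deny is harmless; only broad Allows widen access

        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "*" in actions or any(a.endswith(":*") for a in actions):
            findings.append(f"{sid}: Allow with wildcard action {actions}")
        if "*" in resources:
            findings.append(f"{sid}: Allow on Resource '*' (every resource of that type)")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
    return findings


if __name__ == "__main__":
    for name, doc in (("least-privilege", LEAST_PRIVILEGE), ("overly-broad", OVERLY_BROAD)):
        print(name, lint_policy(doc) or ["OK"])
```

Run it against a policy file before attaching the policy; anything it reports under an Allow statement is a candidate for tightening to a specific action list and resource ARN.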

Identity-Based vs Resource-Based Policies

An identity-based policy attaches to a user, group or role and says what that principal can do; it has no Principal element because the attachment implies it. A resource-based policy attaches to the resource itself (an S3 bucket, a KMS key, a Lambda function) and must name a Principal: who may touch it. Within a single account an Allow in either kind of policy is enough, and an explicit Deny in either wins over any Allow. Across accounts the caller's identity-based policy and the resource's policy must both allow the request. The bucket policy below is the resource-side grant for the role used in the previous example.

Example S3 bucket policy (resource-based):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::123456789012:role/MyAppRole"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}
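To make the two-policy rule concrete, here is an added Python model of how identity-based and resource-based policies combine. It is not part of the lesson and is a deliberate simplification of AWS's real evaluation logic: it ignores Condition blocks, permissions boundaries, SCPs and session policies, and matches ARNs with shell-style wildcards. Every account ID, role ARN and policy in it is constructed for the example. What it shows is the three rules from the paragraph above: an explicit Deny wins, within one account either policy may grant, and across accounts both must.

```python
import fnmatch

# Every account ID, ARN and policy below is constructed for this example.
APP_ACCOUNT = "123456789012"
PARTNER_ACCOUNT = "210987654321"
APP_ROLE = f"arn:aws:iam::{APP_ACCOUNT}:role/MyAppRole"
AUDIT_ROLE = f"arn:aws:iam::{APP_ACCOUNT}:role/AuditRole"
PARTNER_ROLE = f"arn:aws:iam::{PARTNER_ACCOUNT}:role/PartnerRole"
BUCKET_ACCOUNT = APP_ACCOUNT  # my-bucket lives in the application account
REPORT = "arn:aws:s3:::my-bucket/reports/q1.csv"
SECRET = "arn:aws:s3:::my-bucket/secrets/key.pem"

# Identity-based policy attached to MyAppRole: read objects, but never the secrets/ prefix.
APP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/secrets/*"},
    ],
}
# A principal with no identity-based S3 grant at all.
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
# PartnerRole's identity-based policy, in the partner account.
PARTNER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}],
}
# Resource-based bucket policy on my-bucket: names who may read objects.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [APP_ROLE, AUDIT_ROLE, PARTNER_ROLE]},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}


def as_list(value):
    """Statement/Action/Resource/Principal.AWS may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def matches(patterns, value):
    """Wildcard match: '*' and '?' as in IAM (approximated with fnmatch)."""
    return any(fnmatch.fnmatchcase(value, p) for p in as_list(patterns))


def principal_matches(principal, arn, account):
    """A resource policy names a role ARN, an account (ID or :root ARN), or '*' for anyone."""
    if principal == "*":
        return True
    aws = as_list(principal.get("AWS", []))
    return "*" in aws or arn in aws or account in aws or f"arn:aws:iam::{account}:root" in aws


def matching_effects(policy, action, resource, principal_arn=None, principal_account=None):
    """Effects (Allow/Deny) of every statement that applies to this request."""
    effects = []
    for stmt in as_list(policy["Statement"]):
        if not matches(stmt.get("Action", []), action):
            continue
        if not matches(stmt.get("Resource", []), resource):
            continue
        # Only resource-based statements carry a Principal; identity-based ones apply implicitly.
        if "Principal" in stmt and not principal_matches(stmt["Principal"], principal_arn, principal_account):
            continue
        effects.append(stmt["Effect"])
    return effects


def is_allowed(action, resource, principal_arn, principal_account, resource_account,
               identity_policy, resource_policy):
    identity = matching_effects(identity_policy, action, resource)
    resource_side = matching_effects(resource_policy, action, resource, principal_arn, principal_account)
    if "Deny" in identity or "Deny" in resource_side:
        return False  # an explicit Deny anywhere ends the evaluation
    if principal_account == resource_account:
        return "Allow" in identity or "Allow" in resource_side  # same account: either grant suffices
    return "Allow" in identity and "Allow" in resource_side  # cross-account: both must grant


if __name__ == "__main__":
    print("app reads report  ", is_allowed("s3:GetObject", REPORT, APP_ROLE, APP_ACCOUNT, BUCKET_ACCOUNT, APP_ROLE_POLICY, BUCKET_POLICY))
    print("app reads secret  ", is_allowed("s3:GetObject", SECRET, APP_ROLE, APP_ACCOUNT, BUCKET_ACCOUNT, APP_ROLE_POLICY, BUCKET_POLICY))
    print("audit reads report", is_allowed("s3:GetObject", REPORT, AUDIT_ROLE, APP_ACCOUNT, BUCKET_ACCOUNT, EMPTY_POLICY, BUCKET_POLICY))
    print("partner, no grant ", is_allowed("s3:GetObject", REPORT, PARTNER_ROLE, PARTNER_ACCOUNT, BUCKET_ACCOUNT, EMPTY_POLICY, BUCKET_POLICY))
```

The AuditRole case is the one that surprises people: a bucket policy alone lets a same-account role read, even though nothing is attached to the role. Conversely PartnerRole, in another account, gets nothing from the bucket policy until its own identity-based policy also allows s3:GetObject. When reviewing access to a bucket, read both sides.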
