A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. When you create a permissions policy to restrict access to a resource, you can choose an identity-based policy or a resource-based policy. Show Identity-based policies are attached to an IAM user, group, or role. These policies let you specify what that identity can do (its permissions). For example, you can attach the policy to the IAM user named John, stating that he is allowed to perform the Amazon EC2 Resource-based policies are attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, VPC endpoints, and AWS Key Management Service encryption keys. For a list of services that support resource-based policies, see AWS services that work with IAM. With resource-based policies, you can specify who has access to the resource and what actions they can perform on it. To learn whether principals in accounts outside of your zone of trust (trusted organization or account) have access to assume your roles, see What is IAM Access Analyzer?. Resource-based policies are inline only, not managed. Resource-based policies differ from resource-level permissions. You can attach resource-based policies directly to a resource, as described in this topic. Resource-level permissions refer to the ability to use to specify individual resources in a policy. Resource-based policies are supported only by some AWS services. For a list of which services support resource-based policies and resource-level permissions, see AWS services that work with IAM. To learn how identity-based policies and resource-based policies interact within the same account, see . To learn how the policies interact across accounts, see Cross-account policy evaluation logic. To better understand these concepts, view the following figure. The administrator of the The
Identity-based policies and resource-based policies are both permissions policies and are evaluated together. For a request to which only permissions policies apply, AWS first checks all policies for a This logic applies only when the request is made within a single AWS account. For requests made from one account to another, the requester in A user who has specific permissions might request a resource that also has a permissions policy attached to it. In that case, AWS evaluates both sets of permissions when determining whether to grant access to the resource. For information about how policies are evaluated, see Policy evaluation logic. Amazon S3 supports identity-based policies and resource-based policies (referred to as bucket policies). In addition, Amazon S3 supports a permission mechanism known as an access control list (ACL) that is independent of IAM policies and permissions. You can use IAM policies in combination with Amazon S3 ACLs. For more information, see Access Control in the Amazon Simple Storage Service User Guide. What are the two types of IAM managed policies?Identity-based policies
There are two types of managed policies: AWS managed policies – Managed policies that are created and managed by AWS. Customer managed policies – Managed policies that you create and manage in your AWS account.
What are the different types of IAM policies?In this blog post, you learned about four different policy types: identity-based policies, resource-based policies, service control policies (SCPs), and permissions boundary policies.
What are two types of access for IAM user?Temporary IAM user permissions – An IAM user or role can assume an IAM role to temporarily take on different permissions for a specific task. Cross-account access – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account.
What are the two types of access that is granted to users when an IAM policy is created?When creating an IAM policy, a user can be granted AWS management console access and programmatic access.
|