DEV Community

🚀 Vu Dao 🚀


Techniques For Writing Least Privilege IAM Policies

  • Least privilege is a principle of granting only the permissions required to complete a task.

  • For example, if you have an Amazon Elastic Compute Cloud (Amazon EC2) instance that needs to access an Amazon Simple Storage Service (Amazon S3) bucket to get configuration data, you should only allow read access to the specific S3 bucket that contains the relevant data.

  • The main elements of a policy statement are:

Effect: Specifies whether the statement will Allow or Deny an action.

Action: Describes the specific action or actions that will be allowed or denied according to the Effect. API actions are unique to each service. For example, s3:CreateBucket is an Amazon S3 API action (and the IAM action of the same name) that enables an IAM principal to create an S3 bucket.

NotAction: Can be used as an alternative to Action. It matches every API action except those listed, so with an Allow effect the IAM principal may invoke all API actions of the service except the ones in this list.

Resource: Specifies the resources—for example, an S3 bucket or objects—that the policy applies to, in Amazon Resource Name (ARN) format.

NotResource: Can be used instead of the Resource element to explicitly match every AWS resource except those specified.

Condition: Allows you to build expressions to match the condition keys and values in the policy against keys and values in the request context sent by the IAM principal. Condition keys can be service-specific or global. A global condition key can be used with any service. For example, a key of aws:CurrentTime can be used to allow access based on date and time.


Here is an example of how to write a policy so that users with AWS console access can rotate their own access keys but not anyone else's, using a Condition combined with a tag:

  • Add a tag to the IAM user (here: groupname = developteam)

  • Create the policy. The Action and Resource lists were cut off in the original; they are completed here with the standard IAM access-key actions, scoped to the calling user's own ARN (an assumption), and the Condition adds the tag check:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey",
                       "iam:ListAccessKeys", "iam:UpdateAccessKey"],
            "Resource": ["arn:aws:iam::*:user/${aws:username}"],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/groupname": "developteam"
                }
            }
        }
    ]
}
```
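To see how the elements above combine at request time, here is an added Python example (not from the post or from AWS) that evaluates a request against the access-key policy: wildcard matching in Action/Resource, `${aws:username}` substitution, NotAction/NotResource, a StringEquals condition on `aws:ResourceTag`, and the default-deny / explicit-Deny-wins rule. The policy's Action and Resource lists and the request-context values are constructed assumptions.

```python
import fnmatch

# Constructed sample: the post's AllowManageOwnAccessKeys statement, Action/Resource filled in (assumption).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowManageOwnAccessKeys",
        "Effect": "Allow",
        "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey",
                   "iam:ListAccessKeys", "iam:UpdateAccessKey"],
        "Resource": ["arn:aws:iam::*:user/${aws:username}"],
        "Condition": {"StringEquals": {"aws:ResourceTag/groupname": "developteam"}},
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(patterns, value, ctx, ci=False):
    # IAM wildcards (* and ?) after ${key} substitution; action names are case-insensitive, ARNs are not.
    for p in _as_list(patterns):
        for key, val in ctx.items():
            p = p.replace("${" + key + "}", val)
        if fnmatch.fnmatchcase(value.lower() if ci else value, p.lower() if ci else p):
            return True
    return False

def _condition_ok(cond, ctx):
    # Only StringEquals is modelled; every listed key must match a request-context value.
    for key, wanted in cond.get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(wanted):
            return False
    return True

def statement_matches(stmt, action, resource, ctx):
    if "Action" in stmt:
        if not _glob(stmt["Action"], action, ctx, ci=True): return False
    elif _glob(stmt.get("NotAction", []), action, ctx, ci=True): return False
    if "Resource" in stmt:
        if not _glob(stmt["Resource"], resource, ctx): return False
    elif _glob(stmt.get("NotResource", []), resource, ctx): return False
    return _condition_ok(stmt.get("Condition", {}), ctx)

def evaluate(policy, action, resource, ctx):
    """Single-policy decision: implicit deny by default, an explicit Deny beats any Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny": return "Deny"
            decision = "Allow"
    return decision
```

Run `evaluate(POLICY, "iam:CreateAccessKey", "arn:aws:iam::123456789012:user/alice", {"aws:username": "alice", "aws:ResourceTag/groupname": "developteam"})` to see the Allow; change the user ARN or drop the tag from the context and the result falls back to the implicit deny.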
