AWS IAM policies define permissions through the following elements:
Version
- Specify the version of the policy language that you want to use. We recommend that you use the latest 2012-10-17 version. For more information, see IAM JSON policy elements: Version
Statement
- Use this main policy element as a container for the following elements. You can include more than one statement in a policy.
Sid
- Include an optional statement ID to differentiate between your statements.
Effect
- Use Allow or Deny to indicate whether the policy allows or denies access.
Principal
- If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element; the principal is implied as that user or role.
Action
- Include a list of actions that the policy allows or denies.
Resource
- If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, whether this element is required depends on the resource you're using.
Condition
- Specify the circumstances under which the policy grants permission.
AWS IAM policies support pattern matching through glob-style wildcards and variable substitution:
*
- Matches any combination of characters
?
- Matches exactly one character
${...}
- Variable substitution (e.g., ${aws:username})
arn:aws:s3:::my-bucket/*
- Matches all objects in the bucket
service:*
- All actions in a service (e.g., s3:*)
service:action*
- Actions with prefix (e.g., iam:Get*)
service:*action
- Actions with suffix
iam:*Role*
- Matches CreateRole, DeleteRole, etc.
Top-level arguments of the policy document (all optional):
policy_id
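The matching rules above, as an added example that is not code from the original page: a small Python matcher that implements the two IAM wildcards (* for any run of characters, ? for exactly one) and fills ${...} variables from a caller-supplied request context. The action list, ARNs and context are constructed samples; treating an unset variable as a non-match is this example's choice.

```python
"""Match IAM-style wildcard patterns against actions and resource ARNs.

Added example, not from the original page. IAM patterns use exactly two
wildcards: '*' matches any run of characters (including none, and including
'/' and ':') and '?' matches exactly one character. ${...} variables are
filled in from a caller-supplied request context before matching.
"""
import re

# Constructed sample inputs (not from the page).
SAMPLE_ACTIONS = [
    "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:ListRoles",
    "iam:PassRole", "iam:GetUser", "s3:GetObject",
]
SAMPLE_CONTEXT = {"aws:username": "alice"}

VARIABLE = re.compile(r"\$\{([^}]+)\}")


def substitute_variables(pattern, context):
    """Expand ${key} from the request context.

    A variable with no value in the context makes the pattern unresolvable;
    this example then treats the element as not matching (returns None).
    """
    missing = False

    def repl(match):
        nonlocal missing
        key = match.group(1)
        if key not in context:
            missing = True
            return ""
        return context[key]

    expanded = VARIABLE.sub(repl, pattern)
    return None if missing else expanded


def wildcard_to_regex(pattern):
    """Translate an IAM wildcard pattern into a regular expression.

    Everything except '*' and '?' is escaped, so ARN punctuation such as
    ':' and '/' is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def action_matches(pattern, action):
    """Action names are case-insensitive in IAM, so compare with IGNORECASE."""
    return re.fullmatch(wildcard_to_regex(pattern), action, re.IGNORECASE) is not None


def resource_matches(pattern, arn, context=None):
    """Resource ARNs are case-sensitive; variables are expanded first."""
    expanded = substitute_variables(pattern, context or {})
    if expanded is None:
        return False
    return re.fullmatch(wildcard_to_regex(expanded), arn) is not None


def matching_actions(pattern, candidates):
    """Return the candidate actions a pattern would grant (or deny)."""
    return [a for a in candidates if action_matches(pattern, a)]


if __name__ == "__main__":
    for pat in ("iam:*Role*", "iam:Get*", "s3:*"):
        print(pat, "->", matching_actions(pat, SAMPLE_ACTIONS))
    print(resource_matches("arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket"))
```

Two results are worth checking in a review: iam:*Role* also sweeps in iam:PassRole, which is why a substring wildcard on a sensitive noun should be replaced by an explicit action list, and arn:aws:s3:::my-bucket/* does not match the bucket ARN itself, so bucket-level actions need their own resource entry.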
(Optional) - An ID for the policy document
source_policy_documents
(Optional) - List of IAM policy documents that are merged together
override_policy_documents
(Optional) - List of IAM policy documents that override others
version
(Optional) - IAM policy version (2008-10-17 or 2012-10-17)
Statement block. The following arguments are optional:
actions
- List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"]
effect
- Whether this statement allows or denies the given actions. Valid values are Allow and Deny
not_actions
- List of actions that this statement does not apply to
resources
- List of resource ARNs. Required for IAM policies. Conflicts with not_resources
not_resources
- List of resource ARNs that this statement does not apply to. Conflicts with resources
principals
- Configuration block for principals. Detailed below
not_principals
- Principals that the statement does not apply to
sid
- Statement ID to identify the policy statement
Required configuration for principal blocks:
type
(Required) - Type of principal (AWS, Service, Federated, etc.)
identifiers
(Required) - List of principal identifiers
Condition blocks. Multiple conditions use an "AND" operation: all must be true. The following arguments are required:
test
- Name of the IAM condition operator to evaluate
variable
- Context variable name (aws: prefix for AWS variables, service-specific prefix for others)
values
- Values to evaluate against. Multiple values use an "OR" operation
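A worked translation from the IAM policy elements to the arguments listed above, added here as an example; it is not the converter behind this page. It assumes the argument names belong to Terraform's aws_iam_policy_document data source (version, policy_id, statement, principals, condition with test/variable/values), uses a constructed sample bucket policy, and enforces two of the element rules stated earlier: an identity-based policy may not carry Principal and must carry Resource.

```python
"""Translate an IAM JSON policy into a Terraform aws_iam_policy_document block.

Added example, not the page's own converter. Maps Version/Id/Statement/Sid/
Effect/Principal/Action/Resource/Condition onto the data source arguments
version/policy_id/statement/sid/effect/principals/actions/resources/condition.
The argument names are assumed to be those of Terraform's
aws_iam_policy_document data source.
"""
import json

SAMPLE_POLICY = {  # constructed sample resource-based (bucket) policy, not from the page
    "Version": "2012-10-17",
    "Id": "bucket-policy-example",
    "Statement": [
        {
            "Sid": "AllowCloudTrailPut",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-logs/AWSLogs/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
            "Condition": {"Bool": {"aws:SecureTransport": False}},
        },
    ],
}


def as_list(value):
    """IAM accepts a single string or a list in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def hcl_string(value):
    """Quote a value as an HCL string; condition values are strings in Terraform."""
    if isinstance(value, bool):
        value = "true" if value else "false"
    return json.dumps(str(value))


def hcl_list(values):
    return "[" + ", ".join(hcl_string(v) for v in values) + "]"


def principal_blocks(principal, keyword):
    """Principal / NotPrincipal -> principals / not_principals (type + identifiers)."""
    if principal == "*":  # anonymous access: IAM shorthand for {"AWS": "*"}
        principal = {"AWS": "*"}
    return [
        f"    {keyword} {{\n"
        f"      type        = {hcl_string(ptype)}\n"
        f"      identifiers = {hcl_list(as_list(ids))}\n"
        f"    }}"
        for ptype, ids in principal.items()
    ]


def condition_blocks(condition):
    """Condition -> one block per operator/key pair; blocks are ANDed, values ORed."""
    return [
        f"    condition {{\n"
        f"      test     = {hcl_string(test)}\n"
        f"      variable = {hcl_string(variable)}\n"
        f"      values   = {hcl_list(as_list(values))}\n"
        f"    }}"
        for test, keys in condition.items()
        for variable, values in keys.items()
    ]


def statement_block(stmt, resource_based):
    """Translate one Statement, enforcing the element rules for the policy type."""
    if "Effect" not in stmt:
        raise ValueError("Effect is required")
    if not resource_based and ("Principal" in stmt or "NotPrincipal" in stmt):
        raise ValueError("Principal is not allowed in an identity-based policy")
    if not resource_based and "Resource" not in stmt and "NotResource" not in stmt:
        raise ValueError("Resource is required in an identity-based policy")
    lines = ["  statement {"]
    if "Sid" in stmt:
        lines.append(f"    {'sid':<13} = {hcl_string(stmt['Sid'])}")
    lines.append(f"    {'effect':<13} = {hcl_string(stmt['Effect'])}")
    for element, argument in (("Action", "actions"), ("NotAction", "not_actions"),
                              ("Resource", "resources"), ("NotResource", "not_resources")):
        if element in stmt:
            lines.append(f"    {argument:<13} = {hcl_list(as_list(stmt[element]))}")
    if "Principal" in stmt:
        lines.extend(principal_blocks(stmt["Principal"], "principals"))
    if "NotPrincipal" in stmt:
        lines.extend(principal_blocks(stmt["NotPrincipal"], "not_principals"))
    lines.extend(condition_blocks(stmt.get("Condition", {})))
    lines.append("  }")
    return "\n".join(lines)


def to_policy_document(policy, name, resource_based):
    """Emit a complete data "aws_iam_policy_document" block as a string."""
    lines = [f'data "aws_iam_policy_document" "{name}" {{']
    if "Version" in policy:
        lines.append(f"  version   = {hcl_string(policy['Version'])}")
    if "Id" in policy:
        lines.append(f"  policy_id = {hcl_string(policy['Id'])}")
    for stmt in as_list(policy["Statement"]):
        lines.append(statement_block(stmt, resource_based))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_policy_document(SAMPLE_POLICY, "logs_bucket", resource_based=True))
```

Feeding the same bucket policy through with resource_based=False raises on the first statement, which is the check the Principal rule above calls for: a document with principals cannot be attached to a user or role.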