AWS - IAM

Introduction to AWS Identity and Access Management

IAM Resource Based Policy

In this lesson, we explore how IAM resource-based policies work in AWS, focusing on S3 bucket policies. Resource-based policies are attached directly to resources—such as S3 buckets—to specify which AWS principals can perform actions on them.

Key Components of a Resource-Based Policy

Element     Description
Version     Defines the policy language version (e.g., 2012-10-17).
Statement   Contains one or more permission statements.
Principal   Specifies the AWS entity (user, role, account, or group) to which the policy applies.
Effect      Indicates whether to Allow or Deny specified actions.
Action      Lists AWS operations (for example, s3:DeleteObject).
Resource    Defines the ARN(s) of the target resource(s).

Example: Explicit Deny in an S3 Bucket Policy

The following policy blocks the accounting group from deleting objects or the bucket itself in the accounting1 S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:group/accounting"
      },
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::accounting1",
        "arn:aws:s3:::accounting1/*"
      ]
    }
  ]
}

Warning

Explicit denies always override any allows. Ensure you review all policies for unintended deny statements.

IAM Policy Evaluation Logic

When multiple statements or policies apply to a request, AWS evaluates them in this order:

Order   Evaluation Step             Outcome
1       Explicit Deny present       Request is denied immediately.
2       Explicit Allow (no Deny)    Request is granted.
3       Neither Deny nor Allow      Request is implicitly denied.

[Figure: flowchart of IAM policy evaluation, showing the decision paths for explicit deny, explicit allow, and implicit deny outcomes.]

Note

Implicit denies occur when no policy explicitly allows an action. You must explicitly allow all required operations.
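As an added example (not part of the lesson), the following Python script applies this three-step order to a constructed set of policies in scope for one same-account request: an identity-based Allow on all S3 actions plus a bucket policy carrying the lesson's Deny. The principal is a constructed role ARN with a placeholder account ID, since the Principal of a resource-based policy must be an authenticated identity such as a user, role or account rather than a group; the matching logic is a simplified stand-in for the AWS evaluator and ignores Condition elements and cross-account rules.

```python
import fnmatch

# Constructed sample data for this example (placeholder account ID, not a real account).
PRINCIPAL = "arn:aws:iam::123456789012:role/accounting"

# Identity-based policy attached to the accounting role: allows every S3 action.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Bucket policy with the lesson's explicit Deny on delete operations.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": PRINCIPAL},
    "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::accounting1", "arn:aws:s3:::accounting1/*"],
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate):
    # Action and Resource values may contain '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))

def _applies(stmt, principal_arn, action, resource):
    # Resource-based statements carry a Principal; identity-based ones do not.
    if "Principal" in stmt:
        named = _as_list(stmt["Principal"].get("AWS", []))
        if "*" not in named and principal_arn not in named:
            return False
    # IAM action names are case-insensitive; resource ARNs are compared as-is.
    return (_matches([a.lower() for a in _as_list(stmt["Action"])], action.lower())
            and _matches(stmt["Resource"], resource))

def evaluate(policies, principal_arn, action, resource):
    """Apply the lesson's three-step order to every statement in scope for a request."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _applies(s, principal_arn, action, resource)}
    if "Deny" in effects:    # step 1: any explicit Deny ends evaluation
        return "ExplicitDeny"
    if "Allow" in effects:   # step 2: an explicit Allow with no Deny
        return "Allow"
    return "ImplicitDeny"    # step 3: no statement matched the request

if __name__ == "__main__":
    key = "arn:aws:s3:::accounting1/ledger.csv"
    for action in ("s3:GetObject", "s3:DeleteObject"):
        print(action, "->", evaluate([IDENTITY_POLICY, BUCKET_POLICY], PRINCIPAL, action, key))
```

Running it prints Allow for s3:GetObject and ExplicitDeny for s3:DeleteObject, showing the bucket policy's Deny overriding the broad identity-based Allow.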

Creating and Attaching Your S3 Bucket Policy

Follow these steps to apply a resource-based policy to an S3 bucket:

  1. Sign in to the AWS Management Console.
  2. Open the IAM service and choose Policies.
  3. Click Create policy, then select JSON.
  4. Paste your policy document and review.
  5. Attach the policy to the target S3 bucket under the Permissions tab.

Note

Make sure you have the necessary IAM permissions to create and attach policies. Failure to do so will result in authorization errors.
