Love Reddy Isireddy
2 min read · Sep 10, 2024

Union of IAM Policies and Resource-based Policies — Policy Evaluation Logic ❓

Understanding how IAM policies and resource-based policies are combined into the Total Policy is essential to understanding how AWS determines whether a user or role can access a specific resource.

Breakdown:

IAM Access Policies:

  • These are policies attached to IAM users, groups, or roles.
  • They define what actions those identities (users, roles) are allowed (or denied) to perform on AWS resources.
  • For example, an IAM policy might allow a user to read from an S3 bucket or invoke a Lambda function.

Resource-based Policies:

  • These are policies attached directly to AWS resources like S3 buckets, Lambda functions, or SQS queues.
  • Resource-based policies specify which principals (users, roles, accounts) are allowed to access the resource.
  • For example, an S3 bucket policy could grant access to users in another AWS account or allow a specific IAM role to perform actions like “s3”.

Total Policy:

When a request is made to access a resource, AWS evaluates both the IAM policy and the resource-based policy to determine whether the action should be allowed.

  • Union of Policies: This means AWS combines the permissions defined in both the IAM policy and the resource-based policy. The request must be allowed by both policies for the access to be granted.
  • If either policy denies the request, it will be denied.
  • If both policies allow the action, then it will be allowed.

Example:

Let’s say a user wants to access an S3 bucket:

  • The IAM policy attached to the user grants permission for s3:GetObject (read access to objects in S3).
  • The S3 bucket’s resource-based policy allows access for the user’s role to read from the bucket.

In this case, both the IAM policy and the resource-based policy allow the action, so the access is granted.

However, if:

  • The IAM policy denies s3:GetObject, but the resource-based policy allows it, or
  • The resource-based policy denies access, but the IAM policy allows it,

then the request will be denied, because in AWS an explicit deny always overrides an allow.

Total Policy Evaluation Logic:

  • Allow + Allow = Allow
    (Both policies must allow for access to be granted.)
  • Allow + Deny = Deny
    (If either policy denies, the access is denied.)
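The combination rule described above, as an added Python example (not the author's code) that evaluates one request against constructed identity-based and resource-based policy documents: an explicit deny in either policy wins, otherwise both policies must allow. It generalises one step beyond the post: the "both must allow" rule is the cross-account case, while for a request from the same account as the resource an allow from either policy is enough (the `same_account` flag). It assumes the principal has already been matched and ignores Principal, Condition, NotAction, permissions boundaries and SCPs.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True when the statement covers this action and resource (IAM wildcards)."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # action names are case-insensitive
    resources = _as_list(stmt.get("Resource", "*"))  # ARNs are case-sensitive
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def _effects(policy, action, resource):
    """Effects ('Allow'/'Deny') of every statement matching the request."""
    return {s["Effect"] for s in policy.get("Statement", [])
            if _statement_matches(s, action, resource)}


def evaluate(identity_policy, resource_policy, action, resource, same_account=False):
    """Combine the identity-based and resource-based policy for one request.

    An explicit Deny in either policy always wins. Cross-account, both policies
    must Allow (the rule the post describes); in the same account an Allow from
    either is enough. No matching Allow at all is an implicit deny.
    """
    id_eff = _effects(identity_policy, action, resource)
    res_eff = _effects(resource_policy, action, resource)
    if "Deny" in id_eff | res_eff:
        return "Deny (explicit)"
    if same_account:
        allowed = "Allow" in id_eff | res_eff
    else:
        allowed = "Allow" in id_eff and "Allow" in res_eff
    return "Allow" if allowed else "Deny (implicit)"


# Constructed sample policies (hypothetical bucket, not from any real account).
BUCKET = "arn:aws:s3:::example-bucket"
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET + "/secrets/*"}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]}]}
```

With these documents, `s3:GetObject` on `public/readme.txt` returns `Allow`, the same action on `secrets/key.pem` returns `Deny (explicit)` because of the identity policy's deny statement, and `s3:ListBucket` returns `Deny (implicit)` cross-account but `Allow` when `same_account=True`.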

Conclusion:

The Total Policy is the combination of permissions from both the IAM policies and resource-based policies. AWS evaluates both types of policies together, and the final access decision is based on the union of these policies.
