IAM policy management
Over time, you are likely to accumulate and use a long list of policies, especially as you move into creating your own custom identity-based policies, which let you be very precise and specific about the permission set for a user, group, or role. As a result, it is important to understand the features available within IAM to help you manage these policies.
When you access a policy within the AWS management console—for example, a custom policy that you have created—you will be presented with a page that looks as follows:
It will provide you with the policy ARN and the description of the policy that you added when you created the policy. Underneath this, you have the following tabs:
- Permissions
- Policy usage
- Policy versions
- Access advisor
Each of these tabs will help you to gain a better understanding of how the policy is configured. I now want to dive into each of these tabs to help you understand what each of them provides.
Permissions
The Permissions tab allows you to view a policy summary, which gives you a high-level breakdown of the permissions, organized into the Service, Access level (such as read/write), Resource, and Request condition sections. From this tab, you can also view the policy in JSON format by clicking on the {}JSON tab. Finally, you can edit the policy by selecting Edit Policy:
This is a great way to gain a quick view of the permissions associated with the policy.
Policy usage
From this tab, you can attach the policy to identities, such as users, groups, and roles. In the following screenshot, you can see that this policy is attached to three users. You can also remove the policy from any of these identities by selecting the identity and choosing Detach:
This provides a very quick method of attaching identities to, and detaching them from, your policies.
Policy versions
Each time a change is made to a policy, AWS records that change as a new, date-stamped version, allowing you to revert to a previous version of the policy. Using the Set as default and Delete options, you can easily switch between the versions of your policy and remove any old, unwanted versions so that they cannot be used again, as an additional security measure:
This version control is very useful when testing new policy controls, as it allows you to roll back quickly should an issue occur with your new policy.
Access Advisor
The Access Advisor tab allows you to determine when the identities that this policy is attached to last accessed the services the policy grants permissions for. In the following screenshot, we can see that user Stuart has not accessed S3 using these permissions for 917 days. With that in mind, it would be a good idea to remove this level of permission for the user, as we can safely assume that he is not using it. Leaving such excessive permissions in place creates a security risk should his credentials be compromised:
This tab makes it easy to identify policies that grant more permissions than are actually being used, which is itself a security risk. Removing unnecessary permissions is essential to maintaining a robust security posture.
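The Policy versions and Access Advisor tabs have API equivalents (ListPolicyVersions and GetServiceLastAccessedDetails), so the same two clean-up checks can be scripted. The following is an added example, not code from the original text: it runs both checks offline against constructed responses in those API shapes rather than live calls, and the 90-day threshold and the fixed `SAMPLE_NOW` date are assumptions chosen for the sample.

```python
"""Offline helpers mirroring the Policy versions and Access Advisor tabs.
Inputs use the dict shapes boto3 returns from iam.list_policy_versions() and
iam.get_service_last_accessed_details(); the samples below are constructed."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SAMPLE_NOW = datetime(2020, 7, 15, tzinfo=UTC)  # fixed "today" so the sample is reproducible

# Constructed sample in the shape of ListPolicyVersions output.
SAMPLE_VERSIONS = {"Versions": [
    {"VersionId": "v3", "IsDefaultVersion": True, "CreateDate": datetime(2020, 6, 1, tzinfo=UTC)},
    {"VersionId": "v2", "IsDefaultVersion": False, "CreateDate": datetime(2020, 3, 1, tzinfo=UTC)},
    {"VersionId": "v1", "IsDefaultVersion": False, "CreateDate": datetime(2019, 1, 1, tzinfo=UTC)},
]}

# Constructed sample in the shape of GetServiceLastAccessedDetails output;
# a service never used through this policy carries no LastAuthenticated key.
SAMPLE_REPORT = {"JobStatus": "COMPLETED", "ServicesLastAccessed": [
    {"ServiceNamespace": "s3", "LastAuthenticated": datetime(2018, 1, 10, tzinfo=UTC)},
    {"ServiceNamespace": "ec2", "LastAuthenticated": datetime(2020, 7, 1, tzinfo=UTC)},
    {"ServiceNamespace": "lambda"},
]}


def deletable_versions(versions, keep=1):
    """Non-default version IDs older than the `keep` newest, oldest first.
    The default version is never returned; keeping one recent non-default
    version preserves the quick rollback the Policy versions tab offers."""
    old = sorted((v for v in versions["Versions"] if not v["IsDefaultVersion"]),
                 key=lambda v: v["CreateDate"], reverse=True)  # newest first
    return [v["VersionId"] for v in old[keep:]][::-1]


def stale_services(report, now, max_idle_days=90):
    """(namespace, idle_days) for services unused longer than max_idle_days;
    idle_days is None if never used. The report must be COMPLETED because
    IAM generates last-accessed data asynchronously."""
    if report.get("JobStatus") != "COMPLETED":
        raise ValueError("report not ready: %s" % report.get("JobStatus"))
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for svc in report["ServicesLastAccessed"]:
        last = svc.get("LastAuthenticated")
        if last is None:
            stale.append((svc["ServiceNamespace"], None))
        elif last < cutoff:
            stale.append((svc["ServiceNamespace"], (now - last).days))
    return stale
```

With the sample data, `stale_services(SAMPLE_REPORT, SAMPLE_NOW)` reports S3 idle for 917 days and Lambda never used, while `deletable_versions(SAMPLE_VERSIONS)` returns only `v1`, leaving the default `v3` and one rollback candidate in place.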
With this, we have come to the end of our section on managing policies. Remember that since you are likely to accumulate and use a long list of policies over time, managing them efficiently is of paramount importance. Next, we will move on to the topic of policy evaluation.