IAM Policies

Breaking down a Policy:

Version: just use "Version": "2012-10-17" (the current policy language version; if you leave it out, the policy is evaluated under the legacy 2008-10-17 grammar, which has no policy variables such as ${aws:username})

Statement: the meat of the Policy


The Statement contains:

Effect: Allow or Deny (an explicit Deny always wins over any Allow)

Principal: who is being allowed (or denied) the access, e.g. an AWS account, an IAM user or role ARN, or an AWS service


  • if we’re attaching Policies to IAM users, groups or roles (identity-based policies) then Principal isn’t needed, and in fact isn’t allowed: the identity the policy is attached to is the implicit Principal
  • differences between attaching a policy to an IAM identity vs a resource (e.g. an S3 bucket policy or a KMS key policy; EC2 instances have no resource-based policy, you control them through identity-based policies):
    • if it’s with the identity, we check the policy (Effect, Action, Resource) and are done
    • if it’s with the resource then we need to have a Principal to say who’s allowed this resource
    • caveat: within one account, an Allow in either the identity policy or the resource policy is enough; across accounts both must Allow (the caller’s identity policy in its own account and the resource policy naming that caller), and an explicit Deny in either wins
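The rules above (Version, Statement, Effect, and Principal absent in identity-based but required in resource-based policies) as a small policy linter. This is an added example for these notes, not code from AWS or from the page; the user policy, bucket policy, account ID 111122223333, user alice and bucket name example-bucket are constructed placeholders. It also checks Action and Resource, which every statement carries but which the notes above don't cover yet, and flags an Allow to Principal "*" since that makes a resource public.

```python
"""Lint an IAM policy document for the rules in the notes above (Version,
Statement, Effect, and the Principal rule for identity- vs resource-based
policies). Added example, not AWS code; sample policies are constructed and
the bucket name / account ID are placeholders.
"""
import copy
import json

IDENTITY = "identity"   # policy attached to an IAM user, group or role
RESOURCE = "resource"   # policy attached to a resource, e.g. an S3 bucket policy


def _as_list(value):
    """IAM accepts a single value or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """True if the Principal grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_policy(policy: dict, kind: str) -> list:
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be '2012-10-17' (omitting it means the "
                        "legacy 2008-10-17 grammar, without policy variables)")
    if "Statement" not in policy:
        problems.append("missing Statement")
        return problems
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be 'Allow' or 'Deny'")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if kind == IDENTITY and has_principal:
            # The attached user/group/role is the implicit principal.
            problems.append(f"{where}: Principal is not allowed in an identity-based policy")
        if kind == RESOURCE and not has_principal:
            # Without a Principal the resource policy says nothing about who may use it.
            problems.append(f"{where}: resource-based policy needs a Principal")
        if (kind == RESOURCE and stmt.get("Effect") == "Allow"
                and principal_is_public(stmt.get("Principal"))):
            problems.append(f"{where}: Allow with Principal '*' makes the resource public")
        if "Action" not in stmt and "NotAction" not in stmt:
            problems.append(f"{where}: missing Action")
        # Identity policies must name a Resource; some resource-based policies
        # (a role trust policy, for instance) legitimately omit it.
        if kind == IDENTITY and "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"{where}: missing Resource")
    return problems


# Constructed sample: identity-based policy for a user (no Principal)...
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

# ...and a resource-based bucket policy, which must say who is allowed.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

# Two broken variants of the bucket policy: Principal dropped, and Principal "*".
BUCKET_POLICY_NO_PRINCIPAL = copy.deepcopy(BUCKET_POLICY)
del BUCKET_POLICY_NO_PRINCIPAL["Statement"][0]["Principal"]
PUBLIC_BUCKET_POLICY = copy.deepcopy(BUCKET_POLICY)
PUBLIC_BUCKET_POLICY["Statement"][0]["Principal"] = "*"


if __name__ == "__main__":
    for name, pol, kind in [("user", USER_POLICY, IDENTITY),
                            ("bucket", BUCKET_POLICY, RESOURCE),
                            ("bucket, no principal", BUCKET_POLICY_NO_PRINCIPAL, RESOURCE),
                            ("bucket, public", PUBLIC_BUCKET_POLICY, RESOURCE)]:
        print(f"{name}: {lint_policy(pol, kind) or 'OK'}")
```

Run it and the user policy and the bucket policy pass, while the bucket policy with no Principal and the one with Principal "*" each get flagged; feeding the bucket policy in as an identity-based policy is flagged too, because Principal is not allowed there.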





