Breaking down a Policy:
https://start.jcolemorrison.com/aws-iam-policies-in-a-nutshell/
E.g.
Version: just use "Version": "2012-10-17"
Statement: the meat of the Policy
The Statement contains:
Effect: Allow or Deny
Principal: Who
Notes:
- if we’re attaching Policies to IAM users, groups or roles then Principal isn’t needed, as the policy assumes the user, group or role is the Principal
- differences between attaching a policy to an IAM user vs a resource (e.g. S3 or EC2):
  - if it’s with the user, we check the policy and are done
  - if it’s with the resource then we need to have a Principal to make sure who’s allowed this resource
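A small lint that applies the rules above before a policy is attached, as an added example (not code from the linked article). It assumes the Version, Statement, Effect and Principal elements described above plus the standard Action and Resource elements of an IAM statement; the bucket name, account id and user name in the samples are constructed placeholders.

```python
import json

IDENTITY = "identity"  # policy attached to an IAM user, group or role
RESOURCE = "resource"  # policy attached to a resource such as an S3 bucket


def lint_policy(policy, attached_to):
    """Return a list of problems; an empty list means the policy passes."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append('Version must be "2012-10-17"')
    statements = policy.get("Statement")
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        # identity policies imply the Principal; resource policies must name it
        if attached_to == RESOURCE and not has_principal:
            problems.append(f"statement {i}: resource policy needs a Principal")
        if attached_to == IDENTITY and has_principal:
            problems.append(f"statement {i}: identity policy must not set Principal")
        # an Allow granted to everyone makes the resource public
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
            problems.append(f"statement {i}: Allow to Principal '*' is public access")
    return problems


# Constructed samples: an identity policy for a user, and a bucket policy
# that names that user as the Principal.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    print(lint_policy(USER_POLICY, IDENTITY), lint_policy(USER_POLICY, RESOURCE))
```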