CloudGuard Dome9 AWS Element: IAM Policy
Solution

An AWS IAM policy is a complex element that can be built in many ways. Dome9 is based on the AWS APIs, and the entities used in the rule engine are built from the result structure returned by those APIs.

This document provides the high-level structure of the policy element.

For a complete reference of the structure and grammar of IAM Policies see AWS documentation: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-bnf

For a complete reference on the IAM JSON Policy Elements see AWS Documentation: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html. This guide includes references to all the different elements that may be included in a policy: Principal, Action and more.

policy

Attribute Name | Type | Description | Values | Comments
--- | --- | --- | --- | ---
Version | string | Version of the policy | | Example: "2012-10-17"
Statement | [statement] | List of policy statements | |

statement

Attribute(s) Name | Type(s) | Description | Values | Comments
--- | --- | --- | --- | ---
Sid | string | Statement Id | | Example: AWSCloudTrailAclCheck20150319
Effect | string | The effect when the user requests the specific action | allow, deny |
Principal | {principal} | Specifies the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied access to a resource | |
NotPrincipal | {principal} | Specifies an exception to a list of principals | |
Action | string, [string] | Action or list of actions to be performed when the operation is invoked | | Examples: "Action": "s3:*"; "Action": [ "ec2:StartInstances", "iam:ChangePassword", "s3:GetObject" ]
NotAction | string, [string] | NotAction represents the exception in matches | | Example: "NotAction": "s3:DeleteBucket"
Resource | string, [string] | Specifies the object or objects that the statement covers. Statements must include either a Resource or a NotResource element | | Examples: "Resource": "arn:aws:s3:::my_corporate_bucket/*"; "Resource": [ "arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/books_table", "arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/magazines_table" ]
NotResource | string, [string] | Specifies the object or objects that are match exceptions to the list of resources | | Example: "NotResource": [ "arn:aws:s3:::HRBucket/Payroll", "arn:aws:s3:::HRBucket/Payroll/*" ]
Condition | {condition} | Map of conditions for when a policy is in effect | |

principal

One of the following attributes can be used as principal:

Attribute Name | Type(s) | Description | Values | Comments
--- | --- | --- | --- | ---
AWS | string, [string] | AWS Account | | Example: "AWS": "arn:aws:iam::AWS-account-ID:root"
Federated | string, [string] | Federated User | | Example: "Federated": "arn:aws:iam::AWS-account-ID:saml-provider/provider-name"
Service | string, [string] | The relevant service | | Example: cloudtrail.amazonaws.com

condition

Attribute Name | Type | Description | Values | Comments
--- | --- | --- | --- | ---
Condition | {condition-entry} | IAM condition entry | |

condition-entry

Attribute Name | Type | Description | Values | Comments
--- | --- | --- | --- | ---
key | string | IAM condition key | | Example: aws:MultiFactorAuthPresent
value | string | IAM condition value | | Example: true
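The tables above describe the shape of the policy element as the rule engine sees it. As an added example (not Dome9's own code, and not how the Dome9 rule engine is implemented), the Python below parses a policy document into that shape: every string-or-[string] attribute is normalized to a list, the principal block becomes a map of AWS/Federated/Service to lists, and the Condition map is flattened into key/value entries. It also applies the structural checks stated on the page and in the linked IAM grammar (Effect is allow or deny; exactly one of Action/NotAction and of Resource/NotResource; Principal and NotPrincipal are not both present). The sample policy, the account ID 111122223333, the bucket name and the lowercase field names are constructed for this example; the "operator" field on each condition entry is an addition beyond the page's key/value pair.

```python
import json
from typing import Any, Dict, List

# Constructed sample bucket policy (not from the page): one service-principal
# allow statement and one deny statement that carries a condition entry.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::example-trail-bucket",
        },
        {
            "Sid": "DenyUnlessMFA",
            "Effect": "Deny",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "NotAction": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-trail-bucket",
                         "arn:aws:s3:::example-trail-bucket/*"],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
})


def as_list(value: Any) -> List[Any]:
    """Every string-or-[string] attribute becomes a list so rules see one shape."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def normalize_principal(principal: Any) -> Dict[str, List[str]]:
    """Map the principal block to {AWS|Federated|Service: [string]} as in the principal table."""
    if principal is None:
        return {}
    if isinstance(principal, str):          # "Principal": "*" is shorthand for {"AWS": "*"}
        principal = {"AWS": principal}
    return {name: as_list(val) for name, val in principal.items()}


def flatten_conditions(condition: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Turn {operator: {key: value}} into condition entries (key/value, plus the operator)."""
    entries = []
    for operator, pairs in (condition or {}).items():
        for key, value in pairs.items():
            entries.append({"operator": operator, "key": key, "value": value})
    return entries


def normalize_statement(stmt: Dict[str, Any]) -> Dict[str, Any]:
    """Produce the statement element with the attributes named in the statement table."""
    return {
        "sid": stmt.get("Sid", ""),
        "effect": str(stmt.get("Effect", "")).lower(),   # page lists values as allow / deny
        "principal": normalize_principal(stmt.get("Principal")),
        "not_principal": normalize_principal(stmt.get("NotPrincipal")),
        "action": as_list(stmt.get("Action")),
        "not_action": as_list(stmt.get("NotAction")),
        "resource": as_list(stmt.get("Resource")),
        "not_resource": as_list(stmt.get("NotResource")),
        "conditions": flatten_conditions(stmt.get("Condition", {})),
    }


def validate_statement(norm: Dict[str, Any]) -> List[str]:
    """Structural checks from the IAM policy grammar linked on the page."""
    problems = []
    if norm["effect"] not in ("allow", "deny"):
        problems.append("Effect must be Allow or Deny")
    if bool(norm["action"]) == bool(norm["not_action"]):
        problems.append("exactly one of Action or NotAction is required")
    if bool(norm["resource"]) == bool(norm["not_resource"]):
        problems.append("exactly one of Resource or NotResource is required")
    if norm["principal"] and norm["not_principal"]:
        problems.append("Principal and NotPrincipal cannot both be present")
    return problems


def parse_policy(text: str) -> Dict[str, Any]:
    """Parse policy JSON into the policy element: version, normalized statements, problems."""
    raw = json.loads(text)
    # A single statement object is allowed in place of a list; as_list covers both.
    statements = [normalize_statement(s) for s in as_list(raw.get("Statement"))]
    problems = [(s["sid"], p) for s in statements for p in validate_statement(s)]
    return {"version": raw.get("Version", ""), "statements": statements, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(parse_policy(SAMPLE_POLICY), indent=2))
```

Running the module prints the normalized element for the sample policy with an empty problems list; feeding it a statement whose Effect is misspelled or that lacks a Resource/NotResource produces an entry in problems keyed by the statement's Sid, which is the kind of structural finding a rule would report.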
