The Power of AWS IAM
AWS IAM is the one service you will use everywhere—but it’s also often seen as one of the most complex. Therefore, it’s important to understand IAM and learn how to harness its power. (You don’t have to become an IAM expert, though—unless you want to, of course!)
The power of AWS IAM lies in roles and policies. Policies define the actions that can be taken on certain resources. For example, a policy could define the permission to put events onto a specific EventBridge event bus. Roles are collections of one or more policies. Roles can be attached to IAM users, but the more common pattern in a modern serverless application is to attach a role to a resource. In this way, an EventBridge rule can be granted permission to invoke a Lambda function, and that function can in turn be permitted to put items into a DynamoDB table.
IAM actions can be split into two categories: control plane actions and data plane actions. Control plane actions, such as PutEvents and GetItem (e.g., used by an auto‐ mated deployment role) manage resources. Data plane actions, such as PutEvents and GetItem (e.g., used by a Lambda execution role), interact with those resources.
Let’s take a look at a simple IAM policy statement and the elements it is composed of:
{
“Sid”: “ListObjectsInBucket”, # Statement ID, optional identifier for
# policy statement
“Action”: “s3:ListBucket”, # AWS service API action(s) that will be allowed
# or denied
“Effect”: “Allow”, # Whether the statement should result in an allow or deny
“Resource”: “arn:aws:s3:::bucket-name”, # Amazon Resource Name (ARN) of the
# resource(s) covered by the statement
“Condition”: { # Conditions for when a policy is in effect
“StringLike”: { # Condition operator
“s3:prefix”: [ # Condition key
“photos/”, # Condition value
]
}
}
}
See the AWS IAM documentation for full details of all the elements of an IAM policy.