Working with policies in AWS

Policies allow you to grant access to API actions and events. It is important to note that everything in AWS is an API call, which means policies control access to all AWS features.

As discussed previously, groups apply policies to a set of users. Each user can belong to multiple groups and have multiple policies attached; together these build up the user's effective permissions.

To test how policies take effect, follow the steps below.

  • Open the IAM console from your AWS dashboard
  • Create a new user and assign them a console password
  • Go to another browser and log in as that user
  • Click on EC2 from the dashboard – you should see denied access messages
  • Go back to the IAM dashboard
  • Add the user to one of your administrative groups
  • Reload the page – the user should now have access

We can apply an explicit deny all policy to a user that overrides any of the permissions granted to the user.

  • Go to policies menu item
  • Create own policy
  • Enter the below as the policy document (the Statement block and the Resource element are required for the document to be valid)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }

  • Apply the policy to the user
  • Log in as that user – the user should now no longer have access to any AWS functionality. This is because an explicit deny overrides any allow granted through the group or other policies.
  • Go back and view your policy – on this page you will see policy version control, which means you can roll back to an earlier version if you wish.
  • If you only want to stop the user from terminating instances, you could enter "ec2:TerminateInstances" in the Action element instead of "*". There are plenty more restrictions you can apply; we will discuss these in later posts.

NB: The IAM policy simulator lets you test your statements and confirm that they restrict exactly the actions you intended before you attach them to a real user.
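To make the evaluation rules behind the walkthrough concrete, here is a small model of how IAM decides an identity-based request: start from an implicit deny, let an explicit Deny in any attached policy win, and otherwise grant access if any policy allows the action. This is an added example written for this post, not code from Netshock or from AWS; the policy documents are constructed to mirror the steps above (admin group allow, deny-all, and the narrower `ec2:TerminateInstances` deny), and the evaluator only models Effect, Action and Resource, ignoring conditions and resource-based policies.

```python
"""Constructed model of IAM identity-policy evaluation (added example, not AWS code).

Only Effect / Action / Resource are modelled; Condition keys, NotAction,
resource-based policies and permission boundaries are deliberately left out.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request.

    IAM wildcards: '*' matches any run of characters, '?' exactly one.
    Action names match case-insensitively; resource ARNs are case-sensitive.
    """
    action_ok = any(
        fnmatchcase(action.lower(), pattern.lower())
        for pattern in _as_list(statement.get("Action"))
    )
    resource_ok = any(
        fnmatchcase(resource, pattern)
        for pattern in _as_list(statement.get("Resource"))
    )
    return action_ok and resource_ok


def evaluate(policies, action, resource="*"):
    """Decide one request against every policy attached to the principal.

    1. start from implicit deny,
    2. an explicit Deny in any policy wins over everything,
    3. otherwise an Allow in any policy grants access.
    Returns "explicitDeny", "allowed" or "implicitDeny".
    """
    allowed = False
    for policy in policies:
        for statement in _as_list(policy.get("Statement")):
            if not _matches(statement, action, resource):
                continue
            if statement.get("Effect") == "Deny":
                return "explicitDeny"  # step 2: deny short-circuits everything
            if statement.get("Effect") == "Allow":
                allowed = True
    return "allowed" if allowed else "implicitDeny"


# Constructed policy documents mirroring the post's walkthrough.
ADMIN_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}
DENY_TERMINATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
    ],
}


def walkthrough():
    """Reproduce each step of the post and return the decision at each one."""
    return {
        # fresh user, nothing attached: the console shows access denied
        "fresh_user": evaluate([], "ec2:DescribeInstances"),
        # added to the admin group: access granted
        "admin_group": evaluate([ADMIN_GROUP_POLICY], "ec2:DescribeInstances"),
        # deny-all attached on top of the group: the explicit deny wins
        "admin_plus_deny_all": evaluate(
            [ADMIN_GROUP_POLICY, DENY_ALL_POLICY], "ec2:DescribeInstances"
        ),
        # narrower deny: describing still works, terminating is blocked
        "admin_plus_deny_terminate_describe": evaluate(
            [ADMIN_GROUP_POLICY, DENY_TERMINATE_POLICY], "ec2:DescribeInstances"
        ),
        "admin_plus_deny_terminate_terminate": evaluate(
            [ADMIN_GROUP_POLICY, DENY_TERMINATE_POLICY], "ec2:TerminateInstances"
        ),
    }


if __name__ == "__main__":
    for step, decision in walkthrough().items():
        print(f"{step:40s} -> {decision}")
```

Running the script prints one decision per step; the useful observation is that the order in which policies are attached never matters, because the evaluator returns as soon as any matching Deny is found, which is exactly why the deny-all document in the post overrides the administrative group.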


This article was brought to you by Netshock. Netshock aims to provide technology guides and insight to its readers.
