
IAM Policy Evaluation

πŸ” 1. IAM Permission Boundaries

A permission boundary sets the "maximum allowed boundary" for what an IAM user or role can do: even if the policies attached to the identity allow more, the effective permissions can never exceed the boundary.

🧠 Think of it like:

🛂 "Even if your policy allows you to enter any room, you can only enter rooms in this building."


✅ Use Case:

Say you want a developer to create EC2 instances, but only in us-east-1, even if they attach policies that allow EC2 use in every region.


πŸ› οΈ Example: Permission Boundary

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}

🔒 This boundary caps the role at EC2 actions in us-east-1, no matter what policies are attached to it. Note that a boundary never grants access on its own: the role still needs an identity-based policy that allows the action, and the effective permissions are the intersection of that policy and the boundary.


πŸ” 2. IAM Policy Evaluation Logic

IAM evaluates permissions in 5 steps:


🚦 Step-by-Step Policy Evaluation

Step  Description
1️⃣    Combine all policies (IAM, SCPs, session, permission boundaries, resource-based)
2️⃣    Start with implicit deny (no access unless allowed)
3️⃣    Look for explicit allow ("Effect": "Allow")
4️⃣    Check for explicit deny ("Effect": "Deny"); an explicit deny always wins
5️⃣    Apply conditions (aws:RequestedRegion, aws:SourceIp, etc.)

🧪 Example Flow

Let’s say a user tries to delete an S3 object.

  • ✅ User Policy: "s3:DeleteObject" is allowed

  • 🚫 Permission Boundary: only allows "s3:GetObject"

  • ❌ Final Decision: Access denied (permission boundary blocks it)
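To make sections 1 and 2 concrete, here is an added Python simulator of the evaluation just described (my own illustration, not AWS code and not part of the original page): it combines identity policies with a permission boundary, starts from implicit deny, lets an explicit Deny win, and treats a statement whose aws:RequestedRegion condition is unmet as simply not matching. The policy documents and request values are constructed samples, and only the StringEquals condition operator is implemented.

```python
import fnmatch

def statement_applies(stmt, action, resource, context):
    """A statement matches when its Action, Resource and every Condition match the request.
    Simplification: only the StringEquals operator is implemented, and matching is case-sensitive."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt.get("Resource", "*")
    resources = resources if isinstance(resources, list) else [resources]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in resources):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:  # unmet condition: the statement simply does not apply
            return False
    return True

def decide(policies, action, resource, context):
    """Steps 2-5 over one set of policies: implicit deny by default, explicit Deny always wins."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def evaluate(identity_policies, action, resource, context, boundary=None):
    """Step 1: combine identity policies with the boundary. Both must allow; the boundary never grants."""
    if decide(identity_policies, action, resource, context) != "Allow":
        return "Denied"
    if boundary and decide([boundary], action, resource, context) != "Allow":
        return "Denied"  # the boundary caps the identity policies (intersection)
    return "Allowed"

# Constructed sample policies (EC2_BOUNDARY is the boundary document from section 1).
EC2_BOUNDARY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "ec2:*",
                "Resource": "*", "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}
EC2_DEVELOPER = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
S3_USER = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "*"}]}
S3_BOUNDARY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

if __name__ == "__main__":
    print(evaluate([EC2_DEVELOPER], "ec2:RunInstances", "*", {"aws:RequestedRegion": "us-east-1"}, EC2_BOUNDARY))  # Allowed
    print(evaluate([EC2_DEVELOPER], "ec2:RunInstances", "*", {"aws:RequestedRegion": "eu-west-1"}, EC2_BOUNDARY))  # Denied
    print(evaluate([S3_USER], "s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv", {}, S3_BOUNDARY))        # Denied
```

Swap in your own policy documents and a request context to see which statement blocks a call before you touch the real account.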


📊 Visualization

      +-----------------------------+
      | Step 1: Combine policies    |
      +--------------+--------------+
                     |
                     v
      +-----------------------------+
      | Step 2: Implicit deny       |
      +--------------+--------------+
                     |
                     v
      +-----------------------------+
      | Step 3: Is Allow present?   | ---> No?  => ❌ Denied (implicit)
      +--------------+--------------+
                     |
                     v
      +-----------------------------+
      | Step 4: Is Deny present?    | ---> Yes? => ❌ Denied (explicit)
      +--------------+--------------+
                     |
                     v
      +-----------------------------+
      | Step 5: Evaluate conditions |
      +--------------+--------------+
                     |
                     v
              ✅ Final Answer

🚀 Quick Summary

Concept                  What it does
Permission boundary      Sets a maximum limit on what a role/user can do
Policy evaluation logic  IAM checks all policies and an explicit deny always wins
Conditions               Used to fine-tune access by region, IP, tags, etc.