kevinhakanson.com

AWS Identity-Based, Resource-Based, Resource-Level, and Tag-Based Permissions

April 25, 2017 #aws #iam

In Overview of AWS IAM Permissions - AWS Identity and Access Management, the AWS documentation introduces identity-based and resource-based permissions:

Permissions can be assigned in two ways: as identity-based or as resource-based.

They also introduce the concept of resource-level permissions.

There’s a difference between resource-based permissions and resource-level permissions. Resource-based permissions are permissions you can attach directly to a resource, as described in this topic. Resource-level permissions refers to the ability to specify not just what actions users can perform, but which resources they’re allowed to perform those actions on.

Resource-based policies are what we are evaluating to secure S3 (bucket policies) and KMS (key policies), but not every service supports attaching a policy to the resource itself.

Resource-based permissions are supported only by some AWS services. For a list of which services support resource-level permissions, see AWS Services That Work with IAM.

There is also the concept of tag-based permissions, for services that support testing a resource's tags in a Condition element (EC2's ec2:ResourceTag/key condition key, for example). However, in the list linked above, hardly any of the services support this yet.
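To make the four flavors concrete, here is a small Python model of how they combine in a single-account authorization decision. This is an added example, not code from this post or from AWS: it implements only the rules that an explicit Deny anywhere wins, that an Allow in either the identity-based policy or the resource-based policy grants access, and that the Resource element (resource-level) or a ResourceTag condition (tag-based) narrows a statement. NotAction, other condition operators, cross-account rules, permissions boundaries and SCPs are deliberately left out, and the account ID, ARNs, principals and tag values in the sample policies are constructed for illustration.

```python
# Simplified model of IAM policy evaluation (added illustration, not AWS code).
# Same-account rules only: explicit Deny wins; an Allow from the identity-based
# or the resource-based policy grants; Resource (resource-level) and a
# ResourceTag condition (tag-based) narrow a statement. Nothing else is modelled.
import fnmatch


def _as_list(value):
    # IAM accepts a single string or a list in Action, Resource and Principal.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _tag_condition_holds(condition, resource_tags):
    # Only StringEquals on a <service>:ResourceTag/<key> key is modelled; any
    # other operator or key makes the statement not apply (conservative).
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator != "StringEquals" or "ResourceTag/" not in key:
                return False
            if resource_tags.get(key.split("ResourceTag/", 1)[1]) not in _as_list(expected):
                return False
    return True


def statement_applies(stmt, principal, action, resource, resource_tags):
    """True when this statement's Effect counts for the request."""
    if not _matches(stmt.get("Action", []), action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):   # resource-level
        return False
    if "Principal" in stmt:                                  # resource-based only
        who = stmt["Principal"]
        if who != "*" and not _matches(who.get("AWS", []), principal):
            return False
    return _tag_condition_holds(stmt.get("Condition", {}), resource_tags)


def is_allowed(identity_policy, resource_policy, principal, action, resource,
               resource_tags=None):
    """identity_policy is attached to principal, resource_policy to resource."""
    effects = []
    for policy in filter(None, (identity_policy, resource_policy)):
        for stmt in _as_list(policy["Statement"]):
            if statement_applies(stmt, principal, action, resource, resource_tags or {}):
                effects.append(stmt["Effect"])
    if "Deny" in effects:       # explicit deny always wins
        return False
    return "Allow" in effects   # otherwise implicit deny


# Constructed sample data: account ID, ARNs and tag values are made up.
ALICE = "arn:aws:iam::111122223333:user/alice"
REPORTING = "arn:aws:iam::111122223333:role/reporting"
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"

# Identity-based policy attached to alice: S3 statements scoped to buckets
# (resource-level), EC2 statement conditioned on a tag (tag-based), one Deny.
ALICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::audit-logs/*"},
    {"Effect": "Allow", "Action": "ec2:StartInstances",
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "blue"}}},
]}

# Resource-based policies (S3 bucket policies): they carry a Principal element.
SHARED_REPORTS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": REPORTING},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-reports/*"}]}
AUDIT_LOGS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::audit-logs/*"}]}


def demo():
    """One decision per permission flavour; keys name what each one shows."""
    get = "s3:GetObject"
    return {
        "identity_allow": is_allowed(ALICE_POLICY, None, ALICE, get, "arn:aws:s3:::app-data/q1.csv"),
        "resource_level_scope": is_allowed(ALICE_POLICY, None, ALICE, get, "arn:aws:s3:::other/q1.csv"),
        "resource_based_grant": is_allowed(None, SHARED_REPORTS_POLICY, REPORTING, get,
                                           "arn:aws:s3:::shared-reports/q1.pdf"),
        "resource_based_other_principal": is_allowed(None, SHARED_REPORTS_POLICY, ALICE, get,
                                                     "arn:aws:s3:::shared-reports/q1.pdf"),
        "explicit_deny_wins": is_allowed(ALICE_POLICY, AUDIT_LOGS_POLICY, ALICE, get,
                                         "arn:aws:s3:::audit-logs/2017.log"),
        "tag_match": is_allowed(ALICE_POLICY, None, ALICE, "ec2:StartInstances", INSTANCE, {"Team": "blue"}),
        "tag_mismatch": is_allowed(ALICE_POLICY, None, ALICE, "ec2:StartInstances", INSTANCE, {"Team": "red"}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32} {'ALLOW' if decision else 'DENY'}")
```

The point to take from the model is structural: a resource-based statement carries a Principal and lives on the resource, a resource-level restriction is just the Resource element of any statement, and a tag-based restriction is a Condition that the service has to support evaluating. Note that the reporting role gets access to shared-reports with no identity-based policy at all, purely from the bucket policy, while alice's explicit Deny on audit-logs overrides the Allow the bucket policy tries to grant her.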