Within IAM, much like in AD, you can assign policies to groups, and those policies propagate to the group's users; if you want a policy to apply to just one user, you use an inline policy. A policy is structured like so:
{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy",
  "Statement": [
    {
      "Sid": "ExampleStatement",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Principal": "*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
Let's break it down. First there is the version, which is the version of the policy language; as you can see, it hasn't been updated in some time. Next is the ID, which is optional and serves as the identifier for the policy. A policy needs at least one statement. Within a statement there is the SID, which is optional and serves as the identifier for the statement. The effect determines whether the statement allows or denies the listed permissions. The principal is the account, user, or role the statement applies to. Action is the list of actions the statement allows or denies, depending on the effect. The resource is what those actions are applied to. Finally there is the condition, which is optional and specifies the conditions that must be met for the statement to take effect.
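To make the evaluation order concrete, here is an added example (not from the original text or from AWS) of a deliberately simplified evaluator in Python: it reads a constructed policy based on the one above, written as an identity-based policy (so the Principal key is dropped), adds a second Deny statement, and only models the Bool condition operator. It shows the three outcomes a practitioner should expect: explicit Deny wins, a matching Allow grants, and anything else is implicitly denied, including a request where the MFA condition key is absent.

```python
import fnmatch
import json

# Constructed example: the page's policy as an identity-based policy (no Principal),
# plus an explicit Deny so that Deny-over-Allow precedence can be observed.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowGetWithMfa", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenySecrets", "Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
  ]
}
"""

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, ctx):
    # Only the Bool operator is modelled. A key missing from the request
    # context is treated as "false", so the MFA condition fails without MFA.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if str(ctx.get(key, "false")).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Simplified IAM logic: explicit Deny wins, else any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        # '*' wildcards in Action and Resource are matched like IAM does.
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

POLICY = json.loads(POLICY_JSON)
```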