March 20th, 2018
Building Better IAM Policies with the Visual Editor
By Jameson Ricks

Intro

Identity and Access Management (IAM) can be a tricky service to master. Here are just a few of the many questions you may have when creating IAM policies:

  • What permissions are available for each service?
  • What resources do those permissions interact with?
  • Do I really have to define my permissions in JSON?

In the past, IAM policies have been written using JSON. In addition to making sure you had the correct permissions in your policy, you needed to ensure your syntax was correct. Syntax can be very tricky when editing JSON policies. An extra comma or missing bracket can easily throw you off—especially if you are creating a large policy.

While you can still create policies this way, AWS has recently introduced a Visual Editor to aid you in creating and modifying IAM policies. As stated in the announcement post on the AWS blog, the new visual editor “makes it easier to grant least privilege for the AWS service actions you select by listing all the supported resource types and request conditions you can specify.” Simply put, the Visual Editor allows you to build better policies by enabling you to visually see what actions apply to which resources.

A Virtual Tour

By default, Amazon now presents the visual editor when you create or edit a policy. If you are creating a new policy, you are presented with a form to select a Service.
From there, you can select different Actions. You can filter actions by name if you already know what you’re looking for, but if not, Amazon has group permissions by access level. These are usually List, Read, and Write. You can peruse through each permission and select ones that you need.

If you have a question about what a specific permission allows, you can press the “?” button next to the permission and the documentation will open in a sidebar.

Once you’re done selecting your permissions, the Visual Editor will let you know if any of your permissions support specific resources.

From here you can choose to allow all resources or you can be specific. By clicking Add ARN, you will be presented with a dialog that helps you easily construct the ARN for a target resource.

You can also specify supported conditions.

Once you’re done with permissions for a specific service, you can click the Add additional permissions button to add more permissions for other services.

Once you’re finished building your policy, hit the Review policy button. The Visual Editor will let you know if you have any issues and give you some warnings in the Summary section. If you are satisfied, you can click Create Policy.

Wrapping up

Congratulations! You just created an IAM policy without writing a single snippet of JSON! Thanks to the new Visual Editor, you can quickly and easily build better IAM policies by having quick access to permissions available for a certain resource and the documentation associated with each permission. You don’t have to get lost in the code to build great IAM policies!