Welcome back to the IAM School Series!
In Part 1, we decoded IAM with fun school analogies:
- IAM = Principal
- Users = Students
- Policies = Hall Passes
- AWS Services = Classrooms
This time, we dive into the hidden layers of IAM: Permission Boundaries, Inline Policies, and the all-powerful Explicit Deny, the final word from your school's Principal!
Part 2: "You Have a Hall Pass, But You Can't Go Outside the Boundary!"
Ever had this moment?
"The policy allows it, so why am I still getting Access Denied?"
Welcome to the world of:
- Managed vs Inline Policies
- Permission Boundaries
- Explicit Deny overrides all
Let's understand it Desi-Style!
IAM Policy Types: The School Way

| IAM Concept | School Analogy | Purpose |
|---|---|---|
| Managed Policy | Official Hall Pass Booklet | Reusable permission sets for many users |
| Inline Policy | Note from Class Teacher | Custom permission for one specific student |
| Permission Boundary | Principal's Fence Rule | Max area a student can operate in |
| Explicit Deny | Rulebook says "Strictly Prohibited" | Overrides any permission |
School Example 1: The Curious Student and The Lab Room
Utkarsh, a science student, receives:
An Inline Policy from the Chemistry Teacher:
"Utkarsh can access the Chemistry Lab anytime."
But the Principal's Boundary Rule says:
"No one is allowed in labs after 5 PM."
Utkarsh tries to enter the lab at 5:30 PM.
Access Denied!
Even with permission, the boundary overrides it.
Real AWS Example 1: EC2 Access Blocked by Boundary
IAM User: dev-user
User Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:StartInstances",
    "Resource": "*"
  }]
}
```

Permission Boundary:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "*"
  }]
}
```

Result:
Even though the user has EC2 access in their policy, the boundary allows only S3 actions. Effective permissions are the intersection of the two, so the EC2 call is denied (and the boundary's S3 allowance grants nothing on its own, because the user policy never allows S3).
Boundary is the boss!
School Example 2: Guest Lecturer Blocked by Rules
Mr. Sharma (a guest lecturer) has:
- A visitor pass signed by the Principal (Trust Policy)
- Permission from the subject teacher to teach in Room 7B (Permissions Policy)
But the Rulebook says:
"No guest lecturers allowed during exam week."
Result: Access Denied
Explicit Deny wins, always!
Real AWS Example 2: Lambda + Trust + Deny
Trust Policy (Allows Role Assumption):

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "lambda.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }]
}
```

Permissions Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "dynamodb:PutItem",
    "Resource": "arn:aws:dynamodb:<Region>:<AccountID>:table/StudentData"
  }]
}
```

Explicit Deny:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "dynamodb:*",
    "Resource": "*"
  }]
}
```

Result:
Access denied, even though permissions exist, because an explicit deny overrides all.
Inline vs Managed: Who Gets What?

| Policy Type | School Analogy | Best Use Case |
|---|---|---|
| Managed Policy | Printed Hall Pass for all Sports Students | Reusable across teams or departments |
| Inline Policy | Special Note: "Only Utkarsh can use Art Room" | Unique, user-specific scenarios |
School Example 3: Project Day Chaos
Aman wants to access the Computer Lab.
- Has Managed Policy: "Can access all labs"
- Has Inline Policy: "Access only to Computer Lab"
- Principal sets Boundary: "Only Bio students allowed in labs today"
Result: Access Denied
Boundary wins over all other permissions.
Real AWS Example 3: S3 Uploads Within Boundaries
IAM User: awslearner
Inline Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::project-submissions/*"
  }]
}
```

Permission Boundary:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::project-submissions/*"
  }]
}
```

Access works
Because the action is allowed in both the user policy and the permission boundary.
But if the user tried s3:DeleteObject, it would be denied, as it's not included in the boundary (nor, for that matter, in the inline policy).
IAM Evaluation Flow: The Principal's Call
- Check the user's policies: is the action allowed?
- Is it within the permission boundary?
- Is there any explicit deny?
- Final result: all of the above must pass
IAM is AND logic: all doors must open.
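To make the three gates concrete, here is a small offline evaluator written for this post (added example, not the post's own code and not AWS's real engine) that replays the three AWS examples above; the account ID, instance ID and object key are constructed sample values, and SCPs, resource-based and session policies are deliberately not modelled.

```python
# Offline model of the three gates above (constructed example, not AWS's engine); SCPs,
# resource-based policies and session policies are not modelled here.
import fnmatch

def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' one character; matching is case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, resource):
    return (any(_matches(a, action) for a in _as_list(stmt.get("Action", []))) and
            any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))

def _has_effect(policies, effect, action, resource):
    return any(s.get("Effect") == effect and _statement_matches(s, action, resource)
               for pol in policies for s in _as_list(pol.get("Statement", [])))

def evaluate(identity_policies, action, resource, boundary=None):
    """Return (decision, reason) for one request, applying the page's three gates."""
    boundary_list = [boundary] if boundary else []
    # Gate 3 (checked first because it is final): an explicit Deny anywhere wins.
    if _has_effect(identity_policies + boundary_list, "Deny", action, resource):
        return "Deny", "explicit deny"
    # Gate 1: a managed or inline identity policy must Allow the action on the resource.
    identity_ok = _has_effect(identity_policies, "Allow", action, resource)
    # Gate 2: if a boundary is set, it must Allow it too (effective permissions = intersection).
    boundary_ok = boundary is None or _has_effect(boundary_list, "Allow", action, resource)
    missing = [g for g, ok in (("identity policy", identity_ok), ("permission boundary", boundary_ok)) if not ok]
    if missing:
        return "Deny", "implicit deny: not allowed by " + " and ".join(missing)
    return "Allow", "allowed by identity policy and permission boundary"

def policy(effect, action, resource):
    return {"Version": "2012-10-17", "Statement": [{"Effect": effect, "Action": action, "Resource": resource}]}

# The post's three AWS examples as (identity policies, action, resource, boundary); IDs are sample values.
TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/StudentData"
BUCKET = "arn:aws:s3:::project-submissions/*"
EXAMPLES = {
    "ex1_ec2_outside_boundary": ([policy("Allow", "ec2:StartInstances", "*")], "ec2:StartInstances",
                                 "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0", policy("Allow", "s3:*", "*")),
    "ex2_explicit_deny": ([policy("Allow", "dynamodb:PutItem", TABLE), policy("Deny", "dynamodb:*", "*")],
                          "dynamodb:PutItem", TABLE, None),
    "ex3_put_allowed": ([policy("Allow", "s3:PutObject", BUCKET)], "s3:PutObject",
                        "arn:aws:s3:::project-submissions/aman.pdf", policy("Allow", "s3:PutObject", BUCKET)),
    "ex3_delete_denied": ([policy("Allow", "s3:PutObject", BUCKET)], "s3:DeleteObject",
                          "arn:aws:s3:::project-submissions/aman.pdf", policy("Allow", "s3:PutObject", BUCKET)),
}

def run_examples():
    return {name: evaluate(*args) for name, args in EXAMPLES.items()}
```

The reason string tells you which door stayed shut, which is exactly what you want when debugging an unexpected AccessDenied.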
Summary: IAM Isn't Just Hall Passes

| IAM Element | School Equivalent | Notes |
|---|---|---|
| Policy (Managed/Inline) | Hall Pass / Teacher Note | Grants permission |
| Permission Boundary | Principal's Area Restriction | Sets the maximum a user can ever do |
| Explicit Deny | Rulebook with "No Exceptions" | Overrides every Allow |
Key Takeaways from Part 2
- Permissions aren't enough; boundaries and denies matter too
- Inline = user-specific; Managed = reusable
- Always check boundaries during IAM debugging
- Explicit Deny is the final word, like a strict principal!
What's Next?
Part 3 Coming Soon:
"IAM Roles & STS: Guest Lecturers & Temporary Access Explained"
We'll explore:
- sts:AssumeRole
- Temporary credentials
- Cross-account access (like inter-school guest lectures)
The IAM syllabus isn't finished yet!
Stay tuned, and remember: "No entry without a hall pass!"
About Me
Hi! I'm Utkarsh, a Cloud Specialist & AWS Community Builder who loves turning complex AWS topics into fun chai-time stories.
Your Feedback = My Fuel
If this made IAM:
- Easy to understand
- Fun to learn
- Or gave you a school flashback
Then share it, comment, or just say hi. It helps me keep the chai warm and the blogs coming!
Long live Cloud! Long live Code! Long live IAM!
Top comments (3)
I really like the authenticity and the Desi-ness of the post. Keep posting, buddy!!
Thanks, buddy! It really motivates me if it helps any learners.