Resource-based Policy

A type of policy in AWS that specifies permissions attached directly to a resource, allowing access to that resource by other AWS accounts or services.

Description

In the AWS ecosystem, a Resource-based Policy is a JSON document that defines permissions for a specific AWS resource, such as an S3 bucket, Lambda function, or SNS topic. Unlike identity-based policies, which are attached to users, groups, or roles, resource-based policies are attached to the resource itself. This gives granular control over who can access the resource and which actions they can perform on it. For instance, an S3 bucket policy can grant users from other AWS accounts permission to read data from or write data to the bucket, while an SNS topic policy can allow other AWS services to publish messages to the topic. Resource-based policies add security and flexibility, letting organizations share resources across accounts without weakening their security posture. By defining these policies carefully, AWS users can ensure that only authorized entities reach sensitive resources, in keeping with the principle of least privilege.

Examples

  • An S3 bucket policy that allows a specific IAM user from another AWS account to read objects in the bucket.
  • An SNS topic policy that permits AWS Lambda functions from different accounts to publish messages to the topic.
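The first example above, written out as a constructed bucket policy, together with a small check that flags the most common misconfiguration in resource-based policies, a wildcard Principal. This is added illustration code, not from the original page or from AWS; the account id, user name and bucket name are placeholders.

```python
import json

# Constructed example of the page's first case: a bucket policy letting one IAM
# user in another account read objects. Account id, user name and bucket name
# are placeholders chosen for this illustration.
CROSS_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CrossAccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:user/reporting"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-shared-bucket/*",
    }],
}

# Constructed counter-example: the same grant with a wildcard principal, which
# opens the objects to every AWS principal and to anonymous requests.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-shared-bucket/*",
    }],
}


def principals_of(stmt):
    """Flatten the Principal element ("*", or a map of type -> str | list)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def find_wildcard_grants(policy):
    """Return (Sid, has_condition) for each Allow statement with a wildcard
    Principal. Without a Condition such a statement grants anyone access, so
    these are the statements to review first when auditing a policy."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [(s.get("Sid", "<no Sid>"), "Condition" in s)
            for s in statements
            if s.get("Effect") == "Allow" and "*" in principals_of(s)]
```

`find_wildcard_grants` accepts either the parsed dict or the raw JSON string as returned by the S3 or SNS APIs.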

Additional Information

  • Resource-based policies can be used in combination with identity-based policies for comprehensive access control.
  • Commonly used in multi-account AWS environments to facilitate cross-account access while maintaining security.