Resource control policies (RCPs) use a similar syntax to that used by resource-based policies. For more information about IAM policies and their syntax, see Overview of IAM Policies in the IAM User Guide.
An RCP is structured according to the rules of JSON. It uses the elements that are described in this topic.
Note: All characters in your RCP count against its maximum size. The examples in this guide show the RCPs formatted with extra white space to improve their readability. However, to save space if your policy size approaches the maximum size, you can delete any white space, such as space characters and line breaks, that is outside quotation marks.
For general information about RCPs, see Resource control policies (RCPs).
Elements summary

The following table summarizes the policy elements that you can use in RCPs.

Element      Purpose
Effect       Specifies whether the statement denies access. For RCPs that you create, the value must be Deny (see the note below).
Action       Specifies the AWS services and actions that the RCP allows or denies.
Resource     Specifies the AWS resources that the RCP applies to.
NotResource  Specifies the AWS resources that are exempt from the RCP. Used instead of the Resource element.

Note: The effect of Allow is only supported for the RCPFullAWSAccess policy. This policy is automatically attached to the organization root, every OU, and every account in your organization when you enable resource control policies (RCPs). You cannot detach this policy. This default RCP allows all principals and actions to pass through RCP evaluation, meaning that until you start creating and attaching RCPs, all your existing IAM permissions continue to operate as they did. This does not grant access.
Version element

Every RCP must include a Version element with the value "2012-10-17". This is the same version value as the most recent version of IAM permission policies.

    "Version": "2012-10-17",

For more information, see IAM JSON Policy Elements: Version in the IAM User Guide.
Statement element

An RCP consists of one or more Statement elements. You can have only one Statement keyword in a policy, but the value can be a JSON array of statements (surrounded by [ ] characters).

The following example shows a single statement that consists of single Effect, Principal, Action, and Resource elements.

    {
      "Statement": {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "*",
        "Resource": "*"
      }
    }

For more information, see IAM JSON Policy Elements: Statement in the IAM User Guide.
Statement ID (Sid) element

The Sid is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. The following example RCP shows a sample Sid statement.

    {
      "Statement": {
        "Sid": "DenyAllActions",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "*",
        "Resource": "*"
      }
    }

For more information, see IAM JSON Policy Elements: Sid in the IAM User Guide.
Effect element

Each statement must contain one Effect element. Using the value Deny in the Effect element, you can restrict access to specific resources or define conditions for when RCPs are in effect. For RCPs that you create, the value must be Deny. For more information, see RCP evaluation and IAM JSON Policy Elements: Effect in the IAM User Guide.
Principal element

Each statement must contain the Principal element. You can only specify "*" in the Principal element of an RCP. Use the Condition element to restrict specific principals.

For more information, see IAM JSON Policy Elements: Principal in the IAM User Guide.
Action element

Each statement must contain the Action element.

The value for the Action element is a string or list (a JSON array) of strings that identify the AWS services and actions that are allowed or denied by the statement.

Each string consists of the abbreviation for the service (such as "s3", "sqs", or "sts"), in all lowercase, followed by a colon and then an action from that service. Generally, action names are entered with each word starting with an uppercase letter and the rest lowercase. For example: "s3:ListAllMyBuckets".

You can also use wildcard characters such as asterisk (*) or question mark (?) in an RCP:

Use an asterisk (*) as a wildcard to match multiple actions that share part of a name. The value "s3:*" means all actions in the Amazon S3 service. The value "sts:Get*" matches only the AWS STS actions that begin with "Get".

Use the question mark (?) wildcard to match a single character.

Note: Unlike with SCPs, you can use wildcard characters such as asterisk (*) or question mark (?) anywhere in the action name.

For a list of the services that support RCPs, see List of AWS services that support RCPs. For a list of the actions an AWS service supports, see Actions, Resources, and Condition Keys for AWS Services in the Service Authorization Reference.

For more information, see IAM JSON Policy Elements: Action in the IAM User Guide.
Resource and NotResource elements

Each statement must contain the Resource or NotResource element.

You can use wildcard characters such as asterisk (*) or question mark (?) in the resource element:

Use an asterisk (*) as a wildcard to match multiple resources that share part of a name.

Use the question mark (?) wildcard to match a single character.

For more information, see IAM JSON Policy Elements: Resource and IAM JSON Policy Elements: NotResource in the IAM User Guide.
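The structural rules stated in the Version, Statement, Effect, Principal, Action and Resource/NotResource sections above can be checked mechanically before a policy is attached. The following validator is an added example written for this page; it is not AWS code and it does not replace the service's own validation. It encodes only the rules the page states (required Version value, Deny-only Effect, Principal of "*", lowercase service prefix in actions, exactly one of Resource or NotResource). The sample policies it is run on are constructed for the demonstration, except the first, which is the TLS example from the Condition section below.

```python
import re

SUPPORTED_VERSION = "2012-10-17"
# Statement elements this page documents for RCPs.
STATEMENT_ELEMENTS = {"Sid", "Effect", "Principal", "Action", "Resource", "NotResource", "Condition"}
# Lowercase service prefix, a colon, then an action name; * and ? may appear
# anywhere in the action name (allowed in RCPs, unlike SCPs).
ACTION_RE = re.compile(r"[a-z0-9-]+:[A-Za-z0-9*?]+")

# Constructed sample policies for the demonstration.
VALID_RCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:SecureTransport": "false"}},
        }
    ],
}
INVALID_RCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BrokenStatement",
            "Effect": "Allow",                      # only RCPFullAWSAccess may use Allow
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # must be "*"
            "Action": "S3:GetObject",               # service prefix must be lowercase
            "Resource": "*",
            "NotResource": "arn:aws:s3:::example-bucket/*",  # not together with Resource
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_problems(where: str, value) -> list:
    """Check that every Action entry is "*" or service:Action in the documented shape."""
    out = []
    for item in _as_list(value):
        if not isinstance(item, str):
            out.append(f"{where}: Action entries must be strings")
        elif item != "*" and not ACTION_RE.fullmatch(item):
            out.append(f'{where}: Action "{item}" is not "*" or a lowercase service prefix, a colon and an action name')
    return out


def validate_rcp(policy: dict) -> list:
    """Return the structural problems found; an empty list means the policy
    satisfies the element rules this page describes for RCPs you create."""
    problems = []
    if policy.get("Version") != SUPPORTED_VERSION:
        problems.append(f'Version must be present with the value "{SUPPORTED_VERSION}"')
    if "Statement" not in policy:
        return problems + ["Statement element is required"]
    # A single statement object is accepted; otherwise a non-empty JSON array.
    statements = _as_list(policy["Statement"])
    if not statements or not all(isinstance(s, dict) for s in statements):
        return problems + ["Statement must be a statement object or a non-empty array of them"]
    for i, stmt in enumerate(statements):
        where = stmt.get("Sid") or f"Statement[{i}]"
        unknown = set(stmt) - STATEMENT_ELEMENTS
        if unknown:
            problems.append(f"{where}: element(s) not documented for RCPs: {sorted(unknown)}")
        # Every RCP you create is a deny statement.
        if stmt.get("Effect") != "Deny":
            problems.append(f"{where}: Effect must be Deny")
        # Principal is always "*"; narrow principals with Condition instead.
        if stmt.get("Principal") != "*":
            problems.append(f'{where}: Principal must be "*"')
        if "Action" not in stmt:
            problems.append(f"{where}: Action element is required")
        else:
            problems.extend(_action_problems(where, stmt["Action"]))
        # Exactly one of Resource / NotResource must be present.
        if ("Resource" in stmt) == ("NotResource" in stmt):
            problems.append(f"{where}: exactly one of Resource or NotResource is required")
        if "Condition" in stmt and not isinstance(stmt["Condition"], dict):
            problems.append(f"{where}: Condition must be a JSON object")
    return problems


if __name__ == "__main__":
    print(validate_rcp(VALID_RCP))      # []
    for problem in validate_rcp(INVALID_RCP):
        print(problem)                  # four findings, one per deliberate mistake
```

Running it on INVALID_RCP reports the four mistakes marked in the comments; running it on the page's TLS example reports nothing.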
Condition element

You can specify a Condition element in deny statements in an RCP.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "*",
          "Condition": {
            "BoolIfExists": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }

This RCP denies access to Amazon S3 operations and resources unless the request occurs over secure transport (the request was sent over TLS).

For more information, see IAM JSON Policy Elements: Condition in the IAM User Guide.
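To make the wildcard rules from the Action section and the BoolIfExists behaviour of the example above concrete, here is a small evaluator that applies the page's TLS policy to a few constructed requests. It is an added example for this page, not AWS's evaluation engine: it models only Deny statements, the Bool and BoolIfExists operators, and treats action names as case-insensitive (an assumption of this example); the request ARNs and context values are constructed. The point it shows beyond the prose is the IfExists edge case: when the context key is absent, the condition evaluates to true, so the Deny still applies.

```python
import re

# The RCP from the Condition section, reproduced as the policy under test.
DENY_INSECURE_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:SecureTransport": "false"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern: str, value: str, case_sensitive: bool) -> bool:
    """Policy-style matching: '*' matches any run of characters (including
    none), '?' matches exactly one character, everything else is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch("".join(parts), value, flags) is not None


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context. Only Bool and
    BoolIfExists are modelled (assumption of this example). Every operator/key
    pair must match for the block as a whole to match."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"{operator} is not modelled in this example")
        for key, expected in pairs.items():
            if key not in context:
                # ...IfExists: a missing key makes the condition evaluate to
                # true, so a Deny still applies. Plain Bool: no match.
                if operator == "BoolIfExists":
                    continue
                return False
            wanted = [str(v).lower() for v in _as_list(expected)]
            if str(context[key]).lower() not in wanted:
                return False
    return True


def statement_denies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    """True when one Deny statement matches the request."""
    if stmt.get("Effect") != "Deny":
        return False
    # Action names: case-insensitive match (assumption of this example).
    if not any(wildcard_match(p, action, False) for p in _as_list(stmt.get("Action", []))):
        return False
    # Resource ARNs: case-sensitive match; NotResource inverts the test.
    if "Resource" in stmt:
        if not any(wildcard_match(p, resource, True) for p in _as_list(stmt["Resource"])):
            return False
    elif "NotResource" in stmt:
        if any(wildcard_match(p, resource, True) for p in _as_list(stmt["NotResource"])):
            return False
    return condition_matches(stmt.get("Condition", {}), context)


def rcp_denies(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True when any statement in the RCP denies the request."""
    return any(statement_denies(s, action, resource, context)
               for s in _as_list(policy["Statement"]))


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed ARN
    queue = "arn:aws:sqs:us-east-1:111122223333:orders"  # constructed ARN
    print(rcp_denies(DENY_INSECURE_S3, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))  # True
    print(rcp_denies(DENY_INSECURE_S3, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))   # False
    print(rcp_denies(DENY_INSECURE_S3, "s3:GetObject", obj, {}))   # True: key absent, IfExists
    print(rcp_denies(DENY_INSECURE_S3, "sqs:SendMessage", queue, {"aws:SecureTransport": "false"}))  # False
```

The last line shows the scoping effect of "s3:*": an insecure SQS request is untouched by this statement because no action pattern matches it, not because of the condition.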
Unsupported elements

The following elements are not supported in RCPs: