Cyber Security

AWS IAM: Console vs Access Key Policies

TL;DR

This guide shows you how to create AWS IAM policies that grant different permissions depending on whether someone is accessing AWS through the console (GUI) or using access keys (programmatically, for example with the CLI or SDKs). This improves your security by limiting what an access key can do compared to a user logged in via the console.

Creating Console vs Access Key Policies

  1. Understand Service Prefixes: AWS identifies each service by a prefix (e.g., ec2, s3) that appears in policy action names and in resource ARNs. These are crucial for targeting specific services.
  2. Identify the Action: Determine which actions you want to restrict based on access method. For example, you might allow listing S3 buckets through the console but not deleting objects with an access key.
  3. Create a Policy for Console Access: This policy will grant broad permissions for users accessing AWS via the console.
    • Go to the IAM service in the AWS Management Console.
    • Click ‘Policies’ then ‘Create policy’.
    • Choose the ‘JSON’ tab and paste a policy like this (adjusting resource ARNs as needed):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:Describe*",
              "s3:ListBucket",
              "iam:GetUser"
            ],
            "Resource": "*"
          }
        ]
      }
    • Give the policy a descriptive name (e.g., ConsoleAccessPolicy) and create it.
  4. Create a Policy for Access Key Access: This policy will grant limited permissions for access keys.
    • Repeat step 3, but with a more restrictive JSON policy. For example:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "ec2:DescribeInstances"
            ],
            "Resource": "*"
          }
        ]
      }
    • Name this policy something like AccessKeyPolicy and create it.
  5. Create an IAM User or Role: This is the entity that will be granted the policies.
    • In the IAM console, go to ‘Users’ or ‘Roles’.
    • Create a new user/role.
  6. Attach Policies to User/Role: This is where you differentiate access.
    • When creating the user/role, attach both ConsoleAccessPolicy and AccessKeyPolicy.
    • If a user needs console access *only*, attach only ConsoleAccessPolicy.
    • If a user needs access key access *only*, attach only AccessKeyPolicy (and disable console access – see step 7).
  7. Disable Console Access (Optional): To prevent users with access keys from using the console, set their password to ‘Disabled’ in IAM. This forces them to use access keys.
    • Edit the user in the IAM console.
    • Set ‘Password’ to ‘Disabled’.
  8. Test Your Policies: Thoroughly test both console and access key access to ensure permissions are working as expected. Use the AWS CLI with the access key to verify restrictions.
    aws s3 ls

Important Considerations

  • Least Privilege: Always grant only the minimum necessary permissions. Avoid using "Resource": "*" in production policies; specify specific ARNs whenever possible.
  • Regular Review: Regularly review your IAM policies to ensure they remain appropriate and secure.
  • IAM Access Analyzer: Use IAM Access Analyzer to identify potential security risks in your policies.
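Before you test against a live account (step 8), it helps to check the two policy documents offline. The following is an added example, not code from the guide or from AWS: it loads the ConsoleAccessPolicy and AccessKeyPolicy JSON shown above (embedded here as constructed samples), applies a simplified version of IAM's evaluation order (explicit Deny wins, then any Allow, otherwise implicit deny; conditions and resource-level matching are ignored), and reports which probe actions each policy allows, which Allow statements still use "Resource": "*", and whether the access-key policy actually grants anything the console policy does not. The probe action list and function names are the example's own choices.

```python
import fnmatch
import json

# Constructed sample policies copied from the two JSON documents in the guide.
CONSOLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "s3:ListBucket", "iam:GetUser"],
     "Resource": "*"}
  ]
}
""")

ACCESS_KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "ec2:DescribeInstances"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, name):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def evaluate(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action under one policy.

    Simplified IAM logic: an explicit Deny always wins, otherwise any matching
    Allow wins, otherwise the action is implicitly denied. Conditions and the
    Resource element are not evaluated here (the guide's policies use "*").
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def allowed_actions(policy, candidates):
    """Sorted subset of the candidate actions that the policy allows."""
    return sorted(a for a in candidates if evaluate(policy, a) == "Allow")


def extra_grants(restricted, broad, candidates):
    """Actions the supposedly restricted policy allows that the broad one does not."""
    return sorted(set(allowed_actions(restricted, candidates))
                  - set(allowed_actions(broad, candidates)))


def wildcard_resource_statements(policy):
    """Indexes of Allow statements whose Resource is '*' (least-privilege check)."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and "*" in _as_list(s.get("Resource"))]


# Constructed probe list: a few read-only and a few destructive actions.
PROBES = ["s3:ListBucket", "s3:GetObject", "s3:DeleteObject",
          "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:TerminateInstances",
          "iam:GetUser"]

if __name__ == "__main__":
    for name, pol in [("ConsoleAccessPolicy", CONSOLE_POLICY),
                      ("AccessKeyPolicy", ACCESS_KEY_POLICY)]:
        print(name, "allows:", allowed_actions(pol, PROBES))
        print(name, "Allow statements with Resource '*':", wildcard_resource_statements(pol))
    print("Granted by AccessKeyPolicy but not ConsoleAccessPolicy:",
          extra_grants(ACCESS_KEY_POLICY, CONSOLE_POLICY, PROBES))
```

Running it shows that ec2:Describe* in the console policy covers every Describe probe while the access-key policy only matches ec2:DescribeInstances, that both policies still rely on "Resource": "*", and that s3:GetObject is granted by the access-key policy alone. That last line is worth confirming is intended: a policy meant to be "more restrictive" should normally allow a subset of what the broader policy allows. The same comparison can be repeated after you narrow the ARNs, as the Least Privilege note recommends.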