Access is managed by creating policies and attaching them to IAM identities or resources. A policy is an object that, when associated with an identity or resource, defines the permissions of that identity or resource. ECS IAM lets you create, modify, list, assign, and delete policies on an identity or resource. The following policy types are supported:
- Identity-based policies—Policies attached to users, groups, and roles that grant permissions to that identity.
- Resource-based policies—Inline policies attached to an ECS resource that grant the specified principal permission to perform specific actions on that resource.
- Bucket policies—Resource-based policies attached to a bucket, with support for IAM use cases (for example, naming IAM users and roles as principals).
- Trust policies—Resource-based policies attached to an IAM role. Trust policies identify the principal entities that can assume the role.
- Permission boundaries—Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.
- Session policies—Policies passed to the AssumeRole and AssumeRoleWithSAML APIs. A session policy limits the permissions that the role's or user's identity-based policies grant to the resulting session; it restricts permissions for that session but never grants any.
- Access Control Lists (ACLs)—ECS already supports ACLs on buckets and objects. ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account.
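The interaction between these policy types is where most access-control mistakes happen, so the following toy evaluator shows how the rules above combine for a single request. It is an added example written for this page, not ECS code: policy documents are S3-style JSON as Python dicts, principal identifiers such as `user/alice` are placeholders rather than the ECS identifier format, only the same-account case is modeled, and two behaviours are assumptions layered on the text: an explicit `Deny` in any applicable policy wins (AWS-style evaluation), and a resource-based grant is passed through uncapped by the session policy (the page only states that boundaries do not cap resource-based grants).

```python
"""Toy same-account evaluator for ECS IAM policy types (constructed example).

Rules implemented, taken from the policy-type list above:
  * identity-based Allow statements grant access to the identity;
  * resource-based (bucket) Allow statements grant access to the named principal;
  * a permissions boundary caps identity-based grants but grants nothing itself,
    and does not cap resource-based grants;
  * a session policy caps identity-based grants but grants nothing itself.
Assumption (AWS-style, not stated on the page): an explicit Deny anywhere wins.
"""
from fnmatch import fnmatchcase

# Placeholder principal identifiers; not the real ECS identifier format.
ALICE = "user/alice"
BOB = "user/bob"

# Constructed policy documents (S3-style statements, no Version element).
ALICE_IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket1/*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket1/secret/*"},
]}
BOUNDARY_LIST_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket1"},
]}
SESSION_PUBLIC_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket1/public/*"},
]}
SESSION_FULL = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::bucket1/*"},
]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [BOB, ALICE]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket1/*"},
]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _statement_applies(stmt, principal, action, resource, check_principal):
    """Action and Resource use glob matching; Principal only for resource-based docs."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
        return False
    if check_principal:
        prin = stmt.get("Principal", {})
        names = ["*"] if prin == "*" else _as_list(prin.get("AWS"))
        if not any(n == "*" or n == principal for n in names):
            return False
    return True


def _effect(docs, principal, action, resource, check_principal=False):
    """Return 'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    result = None
    for doc in docs:
        for stmt in doc.get("Statement", []):
            if _statement_applies(stmt, principal, action, resource, check_principal):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                result = "Allow"
    return result


def is_allowed(principal, action, resource, identity_policies=(),
               boundary=None, session_policy=None, resource_policy=None):
    identity_eff = _effect(identity_policies, principal, action, resource)
    boundary_eff = _effect([boundary], principal, action, resource) if boundary else None
    session_eff = _effect([session_policy], principal, action, resource) if session_policy else None
    resource_eff = (_effect([resource_policy], principal, action, resource, check_principal=True)
                    if resource_policy else None)

    # Assumed AWS-style rule: an explicit Deny in any applicable policy ends evaluation.
    if "Deny" in (identity_eff, boundary_eff, session_eff, resource_eff):
        return False
    # Identity-based grant, capped by boundary and session policy; neither grants on its own.
    via_identity = identity_eff == "Allow"
    if boundary is not None:
        via_identity = via_identity and boundary_eff == "Allow"
    if session_policy is not None:
        via_identity = via_identity and session_eff == "Allow"
    # Resource-based grant: not capped by the boundary (page); session cap not modeled (assumption).
    via_resource = resource_eff == "Allow"
    return via_identity or via_resource


def demo():
    """Exercise each rule once; keys name the behaviour being shown."""
    public = "arn:aws:s3:::bucket1/public/readme.txt"
    private = "arn:aws:s3:::bucket1/private/ledger.csv"
    secret = "arn:aws:s3:::bucket1/secret/key.pem"
    return {
        "identity_allow": is_allowed(ALICE, "s3:GetObject", public, identity_policies=[ALICE_IDENTITY]),
        "boundary_caps_identity": is_allowed(ALICE, "s3:GetObject", public,
                                             identity_policies=[ALICE_IDENTITY], boundary=BOUNDARY_LIST_ONLY),
        "boundary_grants_nothing": is_allowed(ALICE, "s3:ListBucket", "arn:aws:s3:::bucket1",
                                              boundary=BOUNDARY_LIST_ONLY),
        "bucket_policy_not_capped_by_boundary": is_allowed(BOB, "s3:GetObject", public,
                                                           boundary=BOUNDARY_LIST_ONLY, resource_policy=BUCKET_POLICY),
        "session_caps_identity": is_allowed(ALICE, "s3:GetObject", private,
                                            identity_policies=[ALICE_IDENTITY], session_policy=SESSION_PUBLIC_ONLY),
        "session_within_cap": is_allowed(ALICE, "s3:GetObject", public,
                                         identity_policies=[ALICE_IDENTITY], session_policy=SESSION_PUBLIC_ONLY),
        "session_grants_nothing": is_allowed(ALICE, "s3:PutObject", public,
                                             identity_policies=[ALICE_IDENTITY], session_policy=SESSION_FULL),
        "explicit_deny_beats_bucket_allow": is_allowed(ALICE, "s3:GetObject", secret,
                                                       identity_policies=[ALICE_IDENTITY], resource_policy=BUCKET_POLICY),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The case worth remembering from the output is `bucket_policy_not_capped_by_boundary`: attaching a tight permissions boundary to a user does nothing about a bucket policy that names that user, so a boundary is not a substitute for reviewing resource-based grants. When auditing an ECS deployment, check both directions: who a bucket policy lets in, and whether a session policy or boundary you rely on can actually constrain that path.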