Access Management

Access is managed by creating policies and attaching them to IAM identities or resources.


A policy is an object that, when associated with an identity or resource, defines that identity's or resource's permissions. When a request is made, the permissions in the applicable policies determine whether the request is allowed or denied. Policies are stored as JSON documents. ECS IAM supports creating, modifying, listing, attaching, and deleting policies for an identity or resource.

The following policy types are supported:

Table 1. Policy types

Identity-based policies
  Policies attached to users, groups, and roles that grant permissions to that identity.
  • Inline policies
  • Managed policies (both ECS managed and customer managed)

Resource-based policies
  Inline policies attached to an ECS resource that grant the specified principal permission to perform specific actions on that resource.
  • Bucket policy - The existing ECS bucket policy support is extended to cover IAM principals and actions.
  • Trust policy - A resource-based policy attached to an IAM role. The trust policy identifies the principal entities that are allowed to assume the role.

Permissions boundaries
  A managed policy used as the permissions boundary for an IAM entity (user or role). The boundary defines the maximum permissions that the entity's identity-based policies can grant, but it does not grant any permissions itself. A permissions boundary does not limit the permissions that a resource-based policy can grant to the entity.

Session policies
  Session policies are passed to the AssumeRole and AssumeRoleWithSAML APIs. They limit the permissions that the role's or user's identity-based policies grant to the resulting session. A session policy narrows the permissions of the created session but does not grant any permissions itself.

Access Control Lists (ACLs)
  The existing ECS ACLs on buckets and objects are extended to cover IAM use cases. ACLs are cross-account permission policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account.

ECS IAM protects the following resources and APIs:

  • Object Head API
    • S3 (buckets and objects)
  • STS APIs
    • AssumeRole (provides temporary credentials for cross-account access)
    • AssumeRoleWithSAML (provides temporary credentials for SAML-authenticated users)
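The interaction between the policy types in Table 1 is easiest to see by running requests through them. The following is an added example and not ECS code: a simplified evaluator that encodes the rules stated in the table (a permissions boundary and a session policy only narrow what identity-based policies grant and never grant on their own; a resource-based bucket policy can grant on its own and is not capped by the boundary), plus a trust-policy check for the AssumeRole flow. The rule that an explicit Deny in any applicable policy wins is the usual IAM rule and is assumed here; the bucket names, ARNs and principal names are illustrative, and matching of the bucket policy's Principal is assumed to have been done by the caller.

```python
"""Added example (not ECS code): simplified evaluation of the Table 1 policy types.
Assumptions: explicit Deny anywhere wins (usual IAM rule); boundary and session
policy only filter identity-based grants; resource-based policy grants on its
own and is not capped by the boundary. All ARNs and names are illustrative."""
import fnmatch

ALLOW, DENY = "Allow", "Deny"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """A statement applies when an Action pattern and a Resource pattern both cover the request."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def evaluate_policy(policy, action, resource):
    """Return DENY on an explicit deny, ALLOW on an allow, None when nothing matches."""
    if policy is None:
        return None
    verdict = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource):
            if stmt["Effect"] == DENY:
                return DENY  # explicit deny short-circuits
            verdict = ALLOW
    return verdict


def is_allowed(action, resource, identity_policies=(), resource_policy=None,
               permissions_boundary=None, session_policy=None):
    """Combine the policy types the way Table 1 describes them."""
    all_policies = [*identity_policies, resource_policy, permissions_boundary, session_policy]
    # 1. An explicit Deny in any applicable policy wins (assumed IAM rule).
    if any(evaluate_policy(p, action, resource) == DENY for p in all_policies):
        return False
    # 2. Only identity-based and resource-based policies can grant.
    identity_allow = any(evaluate_policy(p, action, resource) == ALLOW for p in identity_policies)
    resource_allow = evaluate_policy(resource_policy, action, resource) == ALLOW
    # 3. The boundary caps identity-based grants; it neither grants nor caps resource-based grants.
    if permissions_boundary is not None and evaluate_policy(permissions_boundary, action, resource) != ALLOW:
        identity_allow = False
    # 4. A session policy likewise only narrows what identity-based policies grant to the session.
    if session_policy is not None and evaluate_policy(session_policy, action, resource) != ALLOW:
        identity_allow = False
    return identity_allow or resource_allow


def can_assume_role(trust_policy, principal_arn, action="sts:AssumeRole"):
    """Trust policy check: is the principal named in an Allow statement for the assume action?"""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] == ALLOW and action in _as_list(stmt["Action"]):
            if principal_arn in _as_list(stmt.get("Principal", {}).get("AWS", [])):
                return True
    return False


# Constructed sample policies (illustrative bucket, ARNs and principal).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::finance/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::finance/audit/*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::finance/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::finance/*"}]}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance/reports/*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"}}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::finance/reports/q1.csv"
    print("identity + boundary, Get   :", is_allowed("s3:GetObject", obj, [IDENTITY_POLICY], permissions_boundary=BOUNDARY))
    print("identity + boundary, Delete:", is_allowed("s3:DeleteObject", obj, [IDENTITY_POLICY], permissions_boundary=BOUNDARY))
    print("boundary alone, Get        :", is_allowed("s3:GetObject", obj, [], permissions_boundary=BOUNDARY))
    print("bucket policy + boundary   :", is_allowed("s3:DeleteObject", obj, [], resource_policy=BUCKET_POLICY, permissions_boundary=BOUNDARY))
    print("alice may assume role      :", can_assume_role(TRUST_POLICY, "arn:aws:iam::123456789012:user/alice"))
```

The four printed cases show the two points the table makes about boundaries: the boundary strips DeleteObject from an identity that is otherwise allowed s3:*, grants nothing when no identity-based policy allows the action, and leaves a bucket policy's grant untouched. The explicit Deny on the audit prefix overrides even the bucket policy's grant, and the session policy further narrows a session to GetObject on the reports prefix.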


Access control lists enable you to manage access to objects and buckets. Every bucket and every object has an ACL attached to it.