Can I do that with policy? Understanding the AWS Service Authorization Reference

This article explains how to use the AWS Service Authorization Reference to determine what IAM policies can and cannot control, and when alternative solutions are needed.

• IAM policies make decisions based only on information available in the authorization context at API call time
• The Service Authorization Reference documents all controllable actions, resources, and condition keys for each AWS service
• Condition keys are divided into global keys (cross-service) and service-specific keys
• Example: S3 PutObject can enforce AES256 encryption via s3:x-amz-server-side-encryption condition key
• Example: EC2 RunInstances can restrict instance types by cost center using aws:PrincipalTag and ec2:InstanceType
• Example: DynamoDB fine-grained access using dynamodb:LeadingKeys to restrict items by username
• Security group CIDR blocks, Lambda memory limits, and port restrictions cannot be controlled with IAM policies alone
• Alternative solutions include AWS Config, EventBridge, Lambda automation, CloudFormation Hooks, and Service Catalog
• Effective security requires layering preventive, detective, and responsive controls together

Use the Service Authorization Reference as your authoritative source to determine policy feasibility before implementing security controls.