Struct IAMStatement

Source

pub struct IAMStatement {
    pub sid: Option<String>,
    pub effect: Effect,
    pub principal: Option<Principal>,
    pub not_principal: Option<Principal>,
    pub action: Option<Action>,
    pub not_action: Option<Action>,
    pub resource: Option<Resource>,
    pub not_resource: Option<Resource>,
    pub condition: Option<ConditionBlock>,
}

Expand description

Represents a single statement in an IAM policy

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_statement.html

Fields§

§sid: Option<String>

Optional statement ID

You can provide a Sid (statement ID) as an optional identifier for the policy statement. You can assign a Sid value to each statement in a statement array. You can use the Sid value as a description for the policy statement.

In services that let you specify an ID element, such as AWS SQS and AWS SNS, the Sid value is just a sub-ID of the policy document ID. In IAM, the Sid value must be unique within a JSON policy.

The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html

§effect: Effect

The effect of the statement (Allow or Deny)

The Effect element is required and specifies whether the statement results in an allow or an explicit deny. Valid values for Effect are Allow and Deny. The Effect value is case sensitive.

By default, access to resources is denied. To allow access to a resource, you must set the Effect element to Allow. To override an allow (for example, to override an allow that is otherwise in force), you set the Effect element to Deny.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html

§principal: Option<Principal>

Optional principal(s) - who the statement applies to

Use the Principal element in a resource-based JSON policy to specify the principal that is allowed or denied access to a resource.

You must use the Principal element in resource-based policies. You cannot use the Principal element in an identity-based policy.

Identity-based policies are permissions policies that you attach to IAM identities (users, groups, or roles). In those cases, the principal is implicitly the identity where the policy is attached.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

§not_principal: Option<Principal>

Optional not principal(s) - who the statement does not apply to

The NotPrincipal element uses “Effect”:“Deny” to deny access to all principals except the principal specified in the NotPrincipal element. A principal can usually be a user, federated user, role, assumed role, account, service, or other principal type.

NotPrincipal must be used with "Effect":"Deny". Using it with "Effect":"Allow" is not supported.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

§action: Option<Action>

Optional action(s) - what actions are allowed/denied

The Action element describes the specific action or actions that will be allowed or denied. Statements must include either an Action or NotAction element. Each service has its own set of actions that describe tasks that you can perform with that service.

For example:

the list of actions for Amazon S3 can be found at Specifying Permissions in a Policy in the Amazon Simple Storage Service User Guide
the list of actions for Amazon EC2 can be found in the Amazon EC2 API Reference
the list of actions for AWS Identity and Access Management can be found in the IAM API Reference

To find the list of actions for other AWS services, consult the API reference documentation for the service. For non-AWS services, consult the service documentation for the actions that are supported by that service.

You specify a value using a service namespace as an action prefix (iam, ec2, sqs, sns, s3, etc.) followed by the name of the action to allow or deny. The name must match an action that is supported by the service. The prefix and the action name are case insensitive. For example, iam:ListAccessKeys is the same as IAM:listaccesskeys.

The following examples show Action elements for different services:

Action: "sqs:SendMessage" - allows the SendMessage action on SQS.
Action: "ec2:StartInstances" - allows the StartInstances action on EC2.
Action: "iam:ChangePassword" - allows the ChangePassword action on IAM.
Action: "s3:GetObject" - allows the GetObject action on S3.

You can specify multiple values for the Action element:

Action: [ "sqs:SendMessage", "sqs:ReceiveMessage", "ec2:StartInstances", "iam:ChangePassword", "s3:GetObject" ]

You can use wildcards to match multiple actions:

Action: "s3:*" - allows all actions on S3.

You can also use wildcards (* or ?) as part of the action name. For example, the following Action element applies to all IAM actions that include the string AccessKey, including CreateAccessKey, DeleteAccessKey, ListAccessKeys, and UpdateAccessKey:

"Action": "iam:*AccessKey*"

Some services let you limit the actions that are available. For example, Amazon SQS lets you make available just a subset of all the possible Amazon SQS actions. In that case, the * wildcard doesn’t allow complete control of the queue; it allows only the subset of actions that you’ve shared.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

§not_action: Option<Action>

Optional not action(s) - what actions are not covered

NotAction is an advanced policy element that explicitly matches everything except the specified list of actions. Using NotAction can result in a shorter policy by listing only a few actions that should not match, rather than including a long list of actions that will match.

Actions specified in NotAction are not impacted by the Allow or Deny effect in a policy statement. This, in turn, means that all of the applicable actions or services that are not listed are allowed if you use the Allow effect. In addition, such unlisted actions or services are denied if you use the Deny effect.

When you use NotAction with the Resource element, you provide scope for the policy. This is how AWS determines which actions or services are applicable.

For more information, see the following example policy.

§`NotAction` with Allow

You can use the NotAction element in a statement with "Effect": "Allow" to provide access to all of the actions in an AWS service, except for the actions specified in NotAction. You can use it with the Resource element to provide scope for the policy, limiting the allowed actions to the actions that can be performed on the specified resource.

Example: Allow all S3 actions except deleting a bucket:

"Effect": "Allow",
"NotAction": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::*"

Example: Allow all actions except IAM:

"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"

Be careful using NotAction with "Effect": "Allow" as it could grant more permissions than intended.

§`NotAction` with Deny

You can use the NotAction element in a statement with "Effect": "Deny" to deny access to all of the listed resources except for the actions specified in NotAction. This combination does not allow the listed items, but instead explicitly denies the actions not listed.

Example: Deny all actions except IAM actions if not using MFA:

{
    "Sid": "DenyAllUsersNotUsingMFA",
    "Effect": "Deny",
    "NotAction": "iam:*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
}

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

§resource: Option<Resource>

Optional resource(s) - what resources the statement applies to

The Resource element specifies the object(s) that the statement applies to.

You must include either a Resource or a NotResource element in a statement.

You specify a resource using an Amazon Resource Name (ARN). The ARN format depends on the AWS service and the specific resource. For more information about ARNs, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns

Some AWS services do not support resource-level permissions. In those cases, use the wildcard character (*) in the Resource element.

Examples:

Specific SQS queue: "Resource": "arn:aws:sqs:us-east-2:account-ID-without-hyphens:queue1"
Specific IAM user (user name is case sensitive): "Resource": "arn:aws:iam::account-ID-without-hyphens:user/Bob"

§Using wildcards in resource ARNs

You can use wildcard characters (* and ?) within the individual segments of an ARN (the parts separated by colons) to represent:

Any combination of characters (*)
Any single character (?)

You can use multiple * or ? characters in each segment. If the * wildcard is the last character of a resource ARN segment, it can expand to match beyond the colon boundaries. It is recommended to use wildcards within ARN segments separated by a colon.

Note: You can’t use a wildcard in the service segment that identifies the AWS product.

§Examples

All IAM users whose path is /accounting:

"Resource": "arn:aws:iam::account-ID-without-hyphens:user/accounting/*"

All items within a specific Amazon S3 bucket:

"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"

Wildcards can match across slashes and other characters:

"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*/test/*"

This matches:

amzn-s3-demo-bucket/1/test/object.jpg
amzn-s3-demo-bucket/1/2/test/object.jpg
amzn-s3-demo-bucket/1/2/test/3/object.jpg
amzn-s3-demo-bucket/1/2/3/test/4/object.jpg
amzn-s3-demo-bucket/1///test///object.jpg
amzn-s3-demo-bucket/1/test/.jpg
amzn-s3-demo-bucket//test/object.jpg
amzn-s3-demo-bucket/1/test/

But does not match:

amzn-s3-demo-bucket/1-test/object.jpg
amzn-s3-demo-bucket/test/object.jpg
amzn-s3-demo-bucket/1/2/test.jpg

§Specifying multiple resources

You can specify multiple resources in the Resource element by using an array of ARNs:

"Resource": [
    "arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/books_table",
    "arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/magazines_table"
]

§Using policy variables in resource ARNs

You can use JSON policy variables in the part of the ARN that identifies the specific resource. For example:

"Resource": "arn:aws:dynamodb:us-east-2:account-id:table/${aws:username}"

This allows access to a DynamoDB table that matches the current user’s name.

For more information about JSON policy variables, see IAM policy elements: Variables and tags.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

§not_resource: Option<Resource>

Optional not resource(s) - what resources are not covered

NotResource is an advanced policy element that explicitly matches every resource except those specified. Using NotResource can result in a shorter policy by listing only a few resources that should not match, rather than including a long list of resources that will match. This is particularly useful for policies that apply within a single AWS service.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html

§condition: Option<ConditionBlock>

Optional conditions for the statement

The Condition element (or Condition block) lets you specify conditions for when a policy is in effect. The Condition element is optional.

In the Condition element, you build expressions in which you use condition operators (equal, less than, and others) to match the context keys and values in the policy against keys and values in the request context. To learn more about the request context, see Components of a request.

"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}

The context key that you specify in a policy condition can be a global condition context key or a service-specific context key.

Global condition context keys have the aws: prefix.
Service-specific context keys have the service’s prefix.

For example, Amazon EC2 lets you write a condition using the ec2:InstanceType context key, which is unique to that service.

Context key names are not case-sensitive. For example, including the aws:SourceIP context key is equivalent to testing for AWS:SourceIp. Case-sensitivity of context key values depends on the condition operator that you use. For example, the following condition includes the StringEquals operator to make sure that only requests made by john match. Users named John are denied access.

"Condition" : { "StringEquals" : { "aws:username" : "john" }}

The following condition uses the StringEqualsIgnoreCase operator to match users named john or John.

"Condition" : { "StringEqualsIgnoreCase" : { "aws:username" : "john" }}

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html

Struct IAMStatementCopy item path

Fields§

§NotAction with Allow

§NotAction with Deny

§Using wildcards in resource ARNs

§Examples

§Specifying multiple resources

§Using policy variables in resource ARNs

Implementations§

impl IAMStatement

pub fn new(effect: Effect) -> Self

pub fn with_sid<S: Into<String>>(self, sid: S) -> Self

pub fn with_principal(self, principal: Principal) -> Self

pub fn with_action(self, action: Action) -> Self

pub fn with_resource(self, resource: Resource) -> Self

pub fn with_condition( self, operator: Operator, key: String, value: Value, ) -> Self

pub fn with_condition_struct(self, condition: Condition) -> Self

Trait Implementations§

impl Clone for IAMStatement

fn clone(&self) -> IAMStatement

fn clone_from(&mut self, source: &Self)

impl Debug for IAMStatement

fn fmt(&self, f: &mut Formatter<'_>) -> Result

impl<'de> Deserialize<'de> for IAMStatement

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>where __D: Deserializer<'de>,

impl PartialEq for IAMStatement

fn eq(&self, other: &IAMStatement) -> bool

fn ne(&self, other: &Rhs) -> bool

impl Serialize for IAMStatement

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>where __S: Serializer,

impl Validate for IAMStatement

fn validate(&self, context: &mut ValidationContext) -> ValidationResult

fn is_valid(&self) -> bool

fn validate_result(&self) -> ValidationResult

impl Eq for IAMStatement

impl StructuralPartialEq for IAMStatement

Auto Trait Implementations§

impl Freeze for IAMStatement

impl RefUnwindSafe for IAMStatement

impl Send for IAMStatement

impl Sync for IAMStatement

impl Unpin for IAMStatement

impl UnwindSafe for IAMStatement

Blanket Implementations§

impl<T> Any for Twhere T: 'static + ?Sized,

fn type_id(&self) -> TypeId

impl<T> Borrow<T> for Twhere T: ?Sized,

fn borrow(&self) -> &T

impl<T> BorrowMut<T> for Twhere T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

impl<T> CloneToUninit for Twhere T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

impl<T> From<T> for T

fn from(t: T) -> T

impl<T, U> Into<U> for Twhere U: From<T>,

fn into(self) -> U

impl<T> ToOwned for Twhere T: Clone,

type Owned = T

fn to_owned(&self) -> T

fn clone_into(&self, target: &mut T)

impl<T, U> TryFrom<U> for Twhere U: Into<T>,

type Error = Infallible

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

impl<T, U> TryInto<U> for Twhere U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

impl<T> DeserializeOwned for Twhere T: for<'de> Deserialize<'de>,

Struct IAMStatement

§`NotAction` with Allow

§`NotAction` with Deny

fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where __D: Deserializer<'de>,

fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where S: Serializer,

impl<T> Any for T
where T: 'static + ?Sized,

impl<T> Borrow<T> for T
where T: ?Sized,

impl<T> BorrowMut<T> for T
where T: ?Sized,

impl<T> CloneToUninit for T
where T: Clone,

impl<T, U> Into<U> for T
where U: From<T>,

impl<T> ToOwned for T
where T: Clone,

impl<T, U> TryFrom<U> for T
where U: Into<T>,

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,