AWS - IAM

AWS Identity

AWS IAM Policy

AWS IAM Policy Types

AWS IAM Policy (JSON Format)

{
	"Version": "2012-10-17",
	"Statement": {
		"Effect": "Allow",
		"Principal": {
			...
		},
		"Action": [
			"ec2:*"
		],
		"Resource": [
			"*"
		],
		"Condition": {
			...
		}
	}
}
  • Version: use "2012-10-17". Without a Version element IAM falls back to the 2008-10-17 grammar, and newer features such as policy variables do not work
  • Effect: Allow or Deny. An applicable explicit Deny always wins over an Allow; if no statement applies, the request is implicitly denied
  • Principal: who the statement applies to. Required in resource-based policies (bucket policies, role trust policies); omitted in identity-based policies, where the identity the policy is attached to is the principal
  • Action
    • Which API call?
    • e.g.
      • "Action": "iam:*AccessKey*" (wildcards are allowed; this matches CreateAccessKey, DeleteAccessKey, ListAccessKeys, UpdateAccessKey)
  • Resource
    • On what?
    • e.g.
      • "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/test/*" (S3 ARNs have empty region and account fields, hence the three colons)
  • Condition
    • Under which conditions?
    • e.g.
      • "Condition": { "{condition-operator}" : {  "{condition-key}" : "{condition-value}"  } }
      • Several operators or keys in one Condition are ANDed; several values for one key are ORed
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "DenyAllButProductManagers",
			"Effect": "Deny",
			"Principal": {
				"AWS": "*"
			},
			"Action": [
				"s3:PutObject"
			],
			"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
			"Condition": {
				"StringNotEquals": {
					"aws:PrincipalTag/job-title": "Product-Manager"
				}
			}
		}
	]
}

Bucket policy: every principal whose job-title tag is not Product-Manager is denied s3:PutObject on the bucket's objects. Resource is mandatory in a resource-based policy; the bucket name is the example bucket from above. StringNotEquals is a negated operator, so a principal with no job-title tag at all (key missing from the request context) also satisfies the condition and is denied. The Deny only removes permission: product managers still need a separate Allow for s3:PutObject before they can write.
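How IAM combines the Effect, Principal, Action, Resource and Condition elements, and why the StringNotEquals example above also denies untagged principals, as an added example that is not code from the page or from AWS. It is a toy evaluator that models wildcard matching, the String* condition operators (including the missing-key rule for negated operators) and Deny-over-Allow precedence; permissions boundaries, SCPs and session policies are out of scope. The policy and the requests are constructed for the demo; the Sid AllowObjectReadWrite and the principal ARN handling are assumptions.

```python
"""Toy IAM policy evaluator (added example, not AWS code)."""
import fnmatch
import json

# Constructed policy: an Allow plus the page's DenyAllButProductManagers statement.
POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectReadWrite",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "DenyAllButProductManagers",
      "Effect": "Deny",
      "Principal": {"AWS": "*"},
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {"aws:PrincipalTag/job-title": "Product-Manager"}
      }
    }
  ]
}
""")


def _as_list(value):
    """Most IAM elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """Action names are case-insensitive and support the * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_matches(pattern, resource_arn):
    """Resource ARNs use the same wildcards but are matched case-sensitively."""
    return fnmatch.fnmatchcase(resource_arn, pattern)


def condition_holds(condition, context):
    """All operators and keys are ANDed; the values listed for one key are ORed.

    Only String(Not)Equals / String(Not)Like and the IgnoreCase variants are
    modelled. A key absent from the request context fails a positive operator
    but satisfies a negated one, so StringNotEquals on a tag also matches
    principals that carry no such tag.
    """
    for operator, pairs in condition.items():
        if not operator.startswith("String"):
            raise ValueError(f"operator not modelled: {operator}")
        negated = "Not" in operator
        like = "Like" in operator
        ignore_case = operator.endswith("IgnoreCase")
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            if like:
                hit = any(fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted))
            elif ignore_case:
                hit = any(actual.lower() == w.lower() for w in _as_list(wanted))
            else:
                hit = any(actual == w for w in _as_list(wanted))
            if hit == negated:  # positive op needs a hit, negated op needs none
                return False
    return True


def _principal_matches(stmt, principal_arn):
    """Resource-based policies name a Principal; identity-based ones omit it (simplified)."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    return any(fnmatch.fnmatchcase(principal_arn, p) for p in _as_list(principal.get("AWS", [])))


def evaluate(policy, action, resource_arn, context=None, principal_arn="*"):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    IAM precedence: an applicable Deny beats any Allow; no applicable
    statement at all means implicit deny.
    """
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(resource_matches(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/reports/q1.csv"
    for tags in ({"aws:PrincipalTag/job-title": "Product-Manager"},
                 {"aws:PrincipalTag/job-title": "Engineer"},
                 {}):
        print(tags, "->", evaluate(POLICY, "s3:PutObject", obj, tags))
```

Running it shows the three outcomes side by side: the tagged product manager gets Allow, the engineer gets ExplicitDeny, and the untagged principal also gets ExplicitDeny because the missing key satisfies the negated operator. For real policies, the authoritative check is the IAM policy simulator (aws iam simulate-custom-policy), which this toy only approximates.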

AWS IAM Use Case

AWS Access Management

IAM Assume-role