Writing Simple IAM Policies
S3 bucket use case
- Give Permissions to user for S3 (Service Level Access)
- Deny Permission to user on some bucket (Resource Level Access)
- Give Permission to the user on s3 to read but not to write or delete or create
Service Level Policies
- It applies to all the resources under that service. (Consider Use case 1)
- For every aws resource, we have an unique ARN and in the case of Service Level Access i can assume resource as * (Any thing)
- Usecase 3 speaks about Service Level Access, BUt there are action based Restrictions
Terms
- Service : Amazons offfering
- Resource: Whatever user Creates
- Actions: Different Operations of Resource
Considerations To Write Policy
- Policy Grammar
- Which Service are you writing the policy aroung
- Is the Resource Specific.
- What are all the possible actions of this resource
IAM Policy for Usecase 1
- To Get all the actions google
aws iam <service> actions, in this case i will be querying with aws iam s3 actions
{
"Version" : "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": "*"
}
]
}
- To give Readonly access add the necessary actions to Statement => Action list
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:Describe*",
"s3:List*"
],
"Resource": "*"
}
]
}
- To Give Readonly on one resource and write on all others.
- First findout ARN for that Resource. google
aws s3 arn
- Test this for read only on one bucket
{
"Version" : "2012-10-17",
"Statement": [
{
"Resource": "arn:aws:s3:::qt-s3-new-testing",
"Effect": "Deny",
"Action": [
"s3:AbortMultipartUpload", "s3:Create*",
"s3:Delete*", "s3:ObjectOwnerOverrideToBucketOwner",
"s3:Put*", "s3:Replicate*","s3:Restore*", "s3:Replicate*",
]
},
{
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": "*"
}
]
}
Like this:
Like Loading...
