AWS Classroom Series – 08/Nov/2019

IAM Policies

  • NotAction:
    • Matches every action except the ones listed
    • Eg: deny write actions on s3 by allowing everything except them
      • NotAction: ["s3:Put*"], Effect: "Allow"
      • The Put actions are simply not granted (an implicit deny, not an explicit Deny), and with Resource "*" this statement allows every other action of every service, so scope it carefully
  • NotResource
    • Matches every resource except the ones listed
    • Eg: deny access to one specific s3 bucket by allowing access to every other resource
      • NotResource: "specific s3 arn", Effect: "Allow"

Exercise

  • Create an IAM policy which allows the user to
    • Do anything on s3 buckets
    • Read and list ec2 machines (ec2 read-only)
    • Read and list RDS (rds read-only)
  • Solution:
    • Create a policy by combining the statements from the ec2 read-only, rds read-only and s3 full-access managed policies
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
  • Create an IAM policy that gives s3 full access to all resources but denies permission to one bucket "qt-iam-learning", plus ec2 read-only access with start, stop and terminate allowed on one ec2 machine
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-west-2:798279872530:instance/i-0a4a6259ceab6c6b1"
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::qt-s3-learn-again",
                "arn:aws:s3:::qt-s3-learn-again/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        }
    ]
}
  • Create an IAM policy for the user which gives full access to s3, ec2 and rds in Oregon (us-west-2) and denies access in all other regions
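A small policy evaluator in Python, added here as a worked example (it is not AWS code and not part of these notes), that runs the NotAction example from the top of the notes, the deny-one-bucket pattern from the second exercise and a constructed solution to the third exercise through the same Allow/Deny logic. It assumes only the Python standard library and models just identity-policy evaluation with Action/NotAction, Resource/NotResource and two string condition operators; the policies and request values are constructed, the bucket name is taken from the exercise text, and aws:RequestedRegion is the real condition key used to scope a policy to a region.

```python
"""Minimal IAM policy evaluator (added example, not AWS or the notes' own code).

Models only what the notes use: Action/NotAction, Resource/NotResource,
explicit Deny overriding Allow, implicit Deny when nothing matches, and
StringEquals/StringNotEquals conditions on a request-context key.
"""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _action_matches(stmt, action):
    # Action names are case-insensitive; NotAction inverts the match.
    if "Action" in stmt:
        return any(_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
    return not any(_match(p.lower(), action.lower()) for p in _as_list(stmt["NotAction"]))


def _resource_matches(stmt, resource):
    # ARNs are case-sensitive; NotResource inverts the match.
    if "Resource" in stmt:
        return any(_match(p, resource) for p in _as_list(stmt["Resource"]))
    return not any(_match(p, resource) for p in _as_list(stmt["NotResource"]))


def _condition_matches(stmt, context):
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                # A missing key never satisfies a positive operator.
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # A missing key satisfies a negated operator, as in IAM.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one identity policy."""
    context = context or {}
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt, action)
                and _resource_matches(stmt, resource)
                and _condition_matches(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


# The NotAction example from the notes: Allow everything except s3:Put*.
# Put is never granted (implicit deny), but every other action of every
# service is, which is far broader than "s3 without writes".
NOT_ACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": ["s3:Put*"], "Resource": "*"}],
}

BUCKET = "arn:aws:s3:::qt-iam-learning"  # bucket name taken from the exercise text


def deny_one_bucket_policy(bucket_arn, cover_objects=True):
    """Exercise 2 pattern: s3 full access minus one bucket. Denying only the
    bucket ARN leaves objects inside it reachable; bucket_arn + '/*' closes
    that gap."""
    resources = [bucket_arn, bucket_arn + "/*"] if cover_objects else bucket_arn
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Action": "s3:*", "Resource": resources},
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        ],
    }


# One constructed solution to exercise 3: s3/ec2/rds only in us-west-2.
# The Deny is scoped to the same three services rather than "*", so it does
# not also block global services such as IAM, whose requests are attributed
# to us-east-1.
REGION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "rds:*"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}}},
        {"Effect": "Deny", "Action": ["s3:*", "ec2:*", "rds:*"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-west-2"}}},
    ],
}

if __name__ == "__main__":
    print(evaluate(NOT_ACTION_POLICY, "ec2:RunInstances", "*"))  # Allow
    print(evaluate(deny_one_bucket_policy(BUCKET, cover_objects=False),
                   "s3:GetObject", BUCKET + "/secret.txt"))  # Allow: the gap
    print(evaluate(deny_one_bucket_policy(BUCKET),
                   "s3:GetObject", BUCKET + "/secret.txt"))  # Deny
```

Running it shows the two points the notes' examples hide: the NotAction statement grants every non-Put action of every service, not just s3, and a Deny on the bucket ARN alone does not reach the objects inside it, which is why a deny-one-bucket statement should list both the bucket and the bucket/* ARNs. The region policy restricts by condition rather than by resource ARN and keeps its Deny scoped to the three services, so a user who also holds IAM permissions is not locked out of them by this policy.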

About continuous learner

devops & cloud enthusiastic learner