AWS Classroom Series – 08/Nov/2019

IAM Policies

  • NotAction:
    • Matches all actions except the specified ones
    • Eg: allow everything except write actions on S3 (note that an Allow with NotAction withholds the Put actions; it does not explicitly deny them, so another policy could still grant them)
      • "NotAction": ["s3:Put*"], "Effect": "Allow"
  • NotResource:
    • Matches all resources except the specified ones
    • Eg: allow access to every S3 bucket except one specific bucket (again, the excluded bucket is simply not granted, not explicitly denied)
      • "NotResource": "<specific s3 arn>", "Effect": "Allow"

Exercise

  • Create an IAM Policy which allows the user to:
    • Do anything on S3 buckets
    • Read and list EC2 machines (EC2 read-only)
    • Read and list RDS
  • Solution:
    • Create a policy by combining the statements from the EC2 read-only, RDS read-only and S3 full-access managed policies
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
  • Create an IAM Policy that gives S3 full access on all resources but denies access to one bucket, "qt-iam-learning", and gives EC2 read-only access plus start, stop and terminate on one EC2 machine
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-west-2:798279872530:instance/i-0a4a6259ceab6c6b1"
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::qt-s3-learn-again",
                "arn:aws:s3:::qt-s3-learn-again/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        }
    ]
}
  • Create an IAM Policy for the user that gives full access to S3, EC2 and RDS in Oregon (us-west-2) and denies access in all other regions
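As an added illustration (my own code, not part of the classroom notes), a small Python model of how IAM evaluates the elements used in these notes: NotAction and NotResource invert the match, an explicit Deny beats any Allow, and a Deny written only against the bucket ARN does not cover the objects inside it, which need the "/*" ARN. The bucket name is the one from the second exercise's policy; the evaluator is a teaching simplification with no Conditions.

```python
import fnmatch

# Teaching model of the IAM rules these notes rely on (not the real engine:
# no Conditions, resource policies or SCPs): an explicit Deny beats any
# Allow, NotAction/NotResource invert the match, "*" works like IAM wildcards.

def _matches(patterns, value):
    """True if value matches any IAM-style wildcard pattern."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def statement_applies(stmt, action, resource):
    """Does this statement cover the (action, resource) pair?"""
    if "Action" in stmt:
        act_ok = _matches(stmt["Action"], action)
    else:  # NotAction: every action except the listed ones
        act_ok = not _matches(stmt["NotAction"], action)
    if "Resource" in stmt:
        res_ok = _matches(stmt["Resource"], resource)
    else:  # NotResource: every resource except the listed ones
        res_ok = not _matches(stmt["NotResource"], resource)
    return act_ok and res_ok

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision

# Constructed policies mirroring the notes; bucket name taken from the page.
BUCKET_ARN = "arn:aws:s3:::qt-s3-learn-again"
NOT_ACTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["s3:Put*"], "Resource": "*"}]}

NOT_RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "NotResource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}

def bucket_deny_policy(include_objects):
    """S3 full access plus a Deny on one bucket, optionally its objects too."""
    denied = [BUCKET_ARN] + ([BUCKET_ARN + "/*"] if include_objects else [])
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": denied},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
```

Run `evaluate(bucket_deny_policy(False), "s3:GetObject", BUCKET_ARN + "/secret")` and it returns "Allow": the bucket-only Deny never matched the object, which is why the deny statement needs both ARNs.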

By continuous learner

devops & cloud enthusiastic learner
