AWS Classroom Series – 08/Nov/2019

IAM Policies

  • NotAction:
    • Matches all actions except the ones listed
    • Eg: Deny write actions on s3 (allows everything except s3:Put*; since there is no explicit Deny, another attached policy could still grant the writes)
      • NotAction: ["s3:Put*"], Effect: "Allow"
  • NotResource:
    • Matches all resources except the ones listed
    • Eg: Deny access to only one specific s3 bucket (allows everything except that bucket; again no explicit Deny)
      • NotResource: "specific s3 arn", Effect: "Allow"

Exercise

  • Create an IAM Policy which allows the user to
    • Do anything on s3 buckets
    • Read and list ec2 machines (EC2 read-only)
    • Read and list RDS
  • Solution:
    • Create a policy by combining the statements from the AWS managed ec2 readonly, rds readonly and s3 fullaccess policies
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
  • Create an IAM Policy that gives s3 full access to all resources but denies permission to one bucket, "qt-iam-learning"; ec2 read-only access, plus start, stop and terminate on one ec2 instance. Note that a Deny on the bucket ARN alone only covers bucket-level operations; object-level operations need the "bucket/*" ARN as well, so the Deny statement below lists both.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-west-2:798279872530:instance/i-0a4a6259ceab6c6b1"
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::qt-s3-learn-again",
                "arn:aws:s3:::qt-s3-learn-again/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        }
    ]
}
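To see how the NotAction bullet and the bucket Deny above actually evaluate, here is a small simulator of the IAM decision logic (an added example written for this page, not AWS code or the author's). It models only Allow/Deny, Action/NotAction, Resource/NotResource, wildcards and the explicit-deny-wins rule; the sample policies inside it are constructed, and it also shows why a Deny on the bucket ARN alone leaves object operations allowed.

```python
# Simplified simulator of IAM policy evaluation (added example, not AWS code).
# Models Allow/Deny, Action/NotAction, Resource/NotResource, '*'/'?' wildcards and
# the rule that an explicit Deny overrides every Allow. Conditions and principals are not modelled.
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive=False):
    # IAM action names match case-insensitively; resource ARNs are case-sensitive
    if case_insensitive:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def statement_applies(stmt, action, resource):
    if "Action" in stmt:
        act_ok = _matches(stmt["Action"], action, case_insensitive=True)
    else:  # NotAction: every action EXCEPT the listed ones
        act_ok = not _matches(stmt["NotAction"], action, case_insensitive=True)
    if "Resource" in stmt:
        res_ok = _matches(stmt["Resource"], resource)
    else:  # NotResource: every resource EXCEPT the listed ones
        res_ok = not _matches(stmt["NotResource"], resource)
    return act_ok and res_ok

def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request; no matching statement means an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins, whatever else allows
            decision = "Allow"
    return decision

# Constructed sample 1: the NotAction bullet. Everything except s3:Put* is allowed;
# s3:Put* is merely not granted (implicit deny), so another policy could still allow it.
NOT_PUT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "s3:Put*", "Resource": "*"}]}

# Constructed sample 2: the common mistake, a Deny on the bucket ARN only.
BUCKET_ARN_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::qt-s3-learn-again"}]}

# Constructed sample 3: the Deny also covers the objects inside the bucket.
BUCKET_AND_OBJECTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": [
        "arn:aws:s3:::qt-s3-learn-again", "arn:aws:s3:::qt-s3-learn-again/*"]}]}
```

Run `evaluate(BUCKET_ARN_ONLY, "s3:PutObject", "arn:aws:s3:::qt-s3-learn-again/key")` and it returns "Allow", while the same request against BUCKET_AND_OBJECTS returns "Deny".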
  • Create an IAM Policy for the user which gives full access to s3, ec2 and rds in Oregon (us-west-2) and denies access in all other regions

By continuous learner

devops & cloud enthusiastic learner
