Policies
- When an AWS account is created, it gets a unique account ID.
- When any resource is created in AWS, a unique ARN (Amazon Resource Name) is associated with it.
- For every service in AWS, there is a predefined set of actions.
Generic way of writing IAM Policies
- Scenario: Give users permission only to create and view EC2 instances
- Create an IAM policy and attach it to the user
- Find out all the available actions on EC2 supported by AWS
- Give Effect as Allow only for the actions that create and view EC2 instances
- For all the other actions, give Effect as Deny
- Scenario: Give a user permission to start, stop, view and terminate one particular EC2 instance; for all the other EC2 machines, do not give the option to start, stop or terminate, give only view
- Create an IAM policy and attach it to the user
- Find out all the available actions on EC2 supported by AWS
- Find the ARN of the EC2 instance
- Now add Effect as Allow for the view actions on all EC2 instances
- Add Effect as Allow for the start, stop and terminate actions on that particular ARN only.
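As an added example (not part of the original post), the second scenario written out as a least-privilege policy document, together with a simplified evaluator that mimics how IAM combines statements: an explicit Deny always wins, then a matching Allow, otherwise the request is implicitly denied. The account ID and instance IDs are constructed placeholders; the EC2 Describe* actions must use Resource "*" because they do not support resource-level permissions.

```python
import fnmatch

# Constructed placeholder values, not taken from a real account.
ACCOUNT_ID = "123456789012"
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:instance/i-0123456789abcdef0"

# View (Describe) on every instance, lifecycle actions only on the one ARN.
SCENARIO_2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewAllInstances",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*",
        },
        {
            "Sid": "ManageOneInstance",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": INSTANCE_ARN,
        },
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins over Allow,
    and a request nothing matches is implicitly denied. Action names are
    matched case-insensitively; '*' and '?' wildcards use fnmatch rules."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = _as_list(stmt["Resource"])
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny cannot be overridden by any Allow
        decision = "Allow"
    return decision
```

Appending a blanket {"Effect": "Deny", "Action": "ec2:*"} statement to this policy turns every EC2 request into an explicit Deny, which is why the "deny everything else" step is better left to the implicit default.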
AWS Actions
Exercise:
- Create an IAM policy which gives full access to S3, RDS and EC2

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:*",
          "cloudwatch:*",
          "autoscaling:*",
          "elasticloadbalancing:*"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": ["rds:*", "rds-db:*"],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": "*"
      }
    ]
  }
- Create an IAM policy that allows a user to create an EC2 machine, view EC2 machines, start and stop an EC2 machine, and also create an S3 bucket.