AWS Classroom Series – 15/Apr/2021

IAM Policy Grammar

  • Refer Here for the official documentation
  • Basic policy skeleton
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "<who the statement applies to; only in resource-based policies>",
            "Effect": "Allow|Deny",
            "Action": [],
            "Resource": []
        }
    ]
}
  • Let's look at the JSON of some AWS managed policies
    • AdministratorAccess: Action is * and Resource is *, i.e. all actions on all resources, with Effect Allow
    • ec2readonly:
      • json:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ec2:Describe*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "elasticloadbalancing:Describe*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "cloudwatch:ListMetrics",
                      "cloudwatch:GetMetricStatistics",
                      "cloudwatch:Describe*"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "autoscaling:Describe*",
                  "Resource": "*"
              }
          ]
      }
      
      • In this case the actions autoscaling:Describe*, ec2:Describe* and some more read-only actions are allowed
  • In an IAM policy, any action that is not explicitly allowed is denied by default (implicit deny).
  • To write policies effectively we need to know the actions available in AWS
  • Refer Here and navigate to the topics
  • Scenario 1: Let's write an IAM policy which gives a principal access to all AWS EC2 resources and AWS S3 resources
    • EC2: Refer Here. Refer Here for the EC2 actions
    • Actions on this page have the prefix ec2:, for example ec2:AttachNetworkInterface, ec2:AttachVolume
    • The resource types which we create in EC2 are listed here: Refer Here
    • For any resource that can be created in AWS we have a unique ARN (Amazon Resource Name)
    • Refer Here for the policy created
    • Now create an IAM policy using this JSON
    • For testing policies, let's create an IAM user with the policy created above attached
    • Log in to AWS as this test user
      • This user should be able to perform any operation on EC2 and S3
      • When this user tries to access any other service the actions are denied, as the user does not have permissions for them
    • To test IAM policies we can use the policy simulator: Refer Here
    • Navigate to Refer Here
  • Scenario 2: Create an IAM policy to perform
    • all the read actions on an S3 bucket
    • all the actions on RDS
    • Refer Here for the policy and play with policy simulator.
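To see the evaluation rules from these notes in action (implicit deny, wildcard actions such as ec2:Describe*, and Effect Deny overriding Allow), here is a small policy evaluator written for these notes; it is not AWS code and not the policy linked above. The Scenario 2 policy it loads is a constructed illustration (bucket name and ARNs are made up), and it ignores Condition, NotAction, resource policies and SCPs, which the real policy simulator does evaluate.

```python
import fnmatch
import json

# Constructed sample policy in the shape Scenario 2 asks for: read actions on
# one S3 bucket, all RDS actions, plus one explicit Deny to show precedence.
# Written for these notes; the bucket name and ARNs are placeholders.
SCENARIO2_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/secret/*"}
  ]
}
""")


def _as_list(value):
    # The policy grammar lets Action and Resource be one string or a list.
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request: implicit deny unless some
    statement allows it, and an explicit Deny always wins over Allow."""
    decision = "Deny"  # nothing has matched yet: implicit deny
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/key")]:
        print(f"{act:14} {res:45} {evaluate(SCENARIO2_POLICY, act, res)}")
```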
