IAM Policy Grammar
- Refer Here for the official documentation
- Basic policy skeleton (Principal is a placeholder here; identity-based policies omit it, and Resource is part of the grammar as the examples below show)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "<principal>",
      "Effect": "Allow|Deny",
      "Action": [],
      "Resource": []
    }
  ]
}
- Let's look at some AWS managed policy JSON
- AdministratorAccess: Action is * and Resource is *, i.e. all actions on all resources, with Effect Allow
- ec2readonly:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    }
  ]
}
- In this case the actions autoscaling:Describe*, ec2:Describe* and a few more read-only actions are allowed
- In an IAM policy, any action that is not explicitly allowed is denied by default (implicit deny)
- To write policies effectively we need to know which actions are available in AWS
- Refer Here and navigate to topics
- Scenario 1: Let's write an IAM policy which gives a principal access to all AWS EC2 resources and AWS S3 resources
- EC2: Refer Here. Refer Here for the EC2 actions
- Actions on this page carry the prefix ec2:, e.g. ec2:AttachNetworkInterface, ec2:AttachVolume
- The resources which we create in EC2 are listed here: Refer Here
- Every resource that can be created in AWS has a unique ARN (Amazon Resource Name)
- Refer Here for the policy created
- Now create an IAM policy using this JSON
- For testing policies, let's create an IAM user with the policy created above attached
- Log in to AWS as this test user
- This user should be able to perform any operation on EC2 and S3
- When this user tries to access any other service, the actions are denied because the user does not have permissions for them
- To test IAM policies we can use the policy simulator: Refer Here
- Navigate to Refer Here
- Scenario 2: Create an IAM policy to perform
- all the read actions on an S3 bucket
- all the actions on RDS
- Refer Here for the policy and play with the policy simulator.
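To see the default-deny rule and the wildcard matching from the ec2readonly example in action before going to the policy simulator, here is an added example (not from the original post or from AWS) of a small offline evaluator. It implements the identity-policy decision order the post relies on (explicit Deny beats Allow, anything unmatched is implicitly denied) and skips Condition, NotAction and NotResource; the Scenario 1 policy and the guardrail policy are constructed for this example.

```python
import fnmatch

# Constructed for this example: the Scenario 1 policy described in the post
# (all actions on EC2 and S3) and a small guardrail policy with an explicit Deny.
SCENARIO1_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}
# The AWS managed ec2readonly policy quoted in the post, in compact form.
EC2_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["cloudwatch:ListMetrics",
                                       "cloudwatch:GetMetricStatistics",
                                       "cloudwatch:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are IAM wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action, resource="*"):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one request,
    the same outcome names the IAM policy simulator reports."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
            resource_hit = any(fnmatch.fnmatchcase(resource, p)
                               for p in _as_list(stmt.get("Resource", "*")))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"  # an explicit Deny wins over every Allow
                allowed = True
    # Nothing matched an Allow: the action is denied by default.
    return "allowed" if allowed else "implicitDeny"
```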