AWS Classroom Series – 15/Apr/2021

IAM Policy Grammar

  • Refer Here for the official documentation
  • Basic skeleton of an identity-based policy (the kind attached to users, groups and roles). Only Effect, Action and Resource are required; Sid and Condition are optional. Principal is not used here: it appears only in resource-based policies such as S3 bucket policies and role trust policies, where the policy must name who is being granted access.
{
    "Version" : "2012-10-17",
    "Statement": [
        {
            "Sid": "OptionalStatementId",
            "Effect": "Allow|Deny",
            "Action": [],
            "Resource": [],
            "Condition": {}
        }
    ]
}
  • Let's look at some AWS managed policy JSON
    • AdministratorAccess: Action is "*" and Resource is "*" with Effect Allow, i.e. every action on every resource.
    • ec2readonly (the AWS managed policy AmazonEC2ReadOnlyAccess):
      • json:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "ec2:Describe*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "elasticloadbalancing:Describe*",
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "cloudwatch:ListMetrics",
                      "cloudwatch:GetMetricStatistics",
                      "cloudwatch:Describe*"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": "autoscaling:Describe*",
                  "Resource": "*"
              }
          ]
      }
      
      • In this case the read actions autoscaling:Describe*, ec2:Describe*, elasticloadbalancing:Describe* and the listed cloudwatch actions are allowed on every resource; nothing that creates, modifies or deletes anything is granted.
  • IAM denies by default: any action that no statement explicitly allows is denied, and an explicit Deny statement always wins over an Allow, whichever policy it appears in.
  • To write policies effectively we need to know the actions, resource types and condition keys each AWS service exposes.
  • Refer Here and navigate to the topic for the service you are writing the policy for.
  • Scenario 1: Let's write an IAM policy which gives a principal access to all EC2 resources and all S3 resources
    • ec2 Refer Here. Refer Here for the ec2 actions
    • Actions on that page carry the prefix ec2:, for example ec2:AttachNetworkInterface, ec2:AttachVolume
    • The resource types EC2 supports, with their ARN formats, are listed here: Refer Here
    • Every resource that can be created in AWS has a unique ARN (Amazon Resource Name) of the form arn:partition:service:region:account-id:resource, for example arn:aws:ec2:us-east-1:123456789012:instance/i-0abc1234 (the region and account fields are empty for global resources such as S3 buckets: arn:aws:s3:::my-bucket)
    • Refer Here for the policy created
    • Now create an IAM policy using this JSON
    • For testing policies let's create an IAM user with the policy created above attached
    • Log into AWS as this test user
      • This user should be able to perform any operation on EC2 and S3
      • When this user tries to access any other service the actions will be denied, because no statement grants the permission and IAM denies by default
    • To test IAM policies without logging in as the user we can use the IAM policy simulator: Refer Here
  • Scenario 2: Create an IAM policy that permits
    • all the read actions (s3:Get*, s3:List*) on one S3 bucket and the objects in it
    • all the actions on RDS (rds:*)
    • Refer Here for the policy, then play with the policy simulator: confirm that s3:PutObject on the bucket and any action on a different bucket are denied, and that every rds: action is allowed.
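As an added example, not code from the original post or the linked policies: a small Python evaluator that applies the IAM rules stated above (implicit deny, explicit Deny beats Allow, "*" and "?" wildcards, case-insensitive action names, case-sensitive ARNs) to the Scenario 1 and Scenario 2 policies, so the same checks the policy simulator makes can be run offline. Because the page links to its policies rather than printing them, the policy JSON below is my own rendering of the two scenarios' requirements; the bucket name example-bucket, the account id 123456789012 and the extra guardrail policy with a Deny statement are assumptions added to show deny-wins behaviour. Conditions, NotAction/NotResource and Principal are deliberately not modelled.

```python
import json
import re

# Constructed policy for Scenario 1: every ec2 and s3 action on every resource.
SCENARIO_1_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}
    ],
})

# Constructed policy for Scenario 2: read-only on one bucket (bucket ARN for
# ListBucket, object ARN for GetObject) plus all rds actions. Bucket name is
# an assumption.
SCENARIO_2_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadOnlyOneBucket",
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
        },
        {"Sid": "RdsFullAccess", "Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    ],
})

# Assumed guardrail policy: broad Allow plus a narrow explicit Deny, to show
# that Deny wins even when an Allow statement also matches.
GUARDRAIL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:123456789012:instance/*",
        },
    ],
})


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _glob_to_regex(pattern, ignore_case):
    """Translate an IAM pattern ('*' = any run, '?' = one char) to a regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE if ignore_case else 0)


def _matches(patterns, candidate, ignore_case):
    return any(_glob_to_regex(p, ignore_case).match(candidate) for p in _as_list(patterns))


def evaluate(policy_json, action, resource):
    """Return 'Allow' or 'Deny' for one request against one identity-based policy.

    Starts from implicit deny; an explicit Deny whose Action and Resource match
    is final; otherwise any matching Allow grants the request.
    """
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are matched case-insensitively, ARNs case-sensitively.
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def simulate(policy_json, requests):
    """Evaluate a list of (action, resource) pairs; returns a dict keyed by pair."""
    return {(a, r): evaluate(policy_json, a, r) for a, r in requests}


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("rds:CreateDBInstance", "arn:aws:rds:us-east-1:123456789012:db:prod"),
        ("ec2:RunInstances", "*"),
    ]
    for (action, resource), result in simulate(SCENARIO_2_POLICY, checks).items():
        print(f"{result:5}  {action:22} {resource}")
```

The resource split in Scenario 2 matters in practice: s3:ListBucket is evaluated against the bucket ARN while s3:GetObject is evaluated against the object ARN, so a policy that lists only one of the two will fail one of the read operations even though the action wildcard covers both.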
