AWS Classroomnotes 09/Apr/2022

Activity 3: Let's change the IAM policy for full access on S3

  • I want to change the policy so that a user attached to this policy is not able to
    • delete S3 buckets
    • terminate EC2 instances.
  • The policy we have so far is
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "autoscaling:*",
                "imagebuilder:*",
                "ec2-instance-connect:*"
            ],
            "Resource": "*"
        }
    ]
}
  • After adding a Deny statement, the policy is as shown below. An explicit Deny always overrides an Allow in IAM, so these two actions stay blocked even though s3:* and ec2:* remain allowed.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "autoscaling:*",
                "imagebuilder:*",
                "ec2-instance-connect:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "s3:DeleteBucket",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        }
    ]
}
  • Verify that the policy works by logging in to AWS as a user with the above policy attached

Activity 4

  • Let's create a new policy where the user has permission
    • to perform all actions on a particular resource (in my case the S3 bucket qtdevops08042022)
    • read-only access to the other S3 buckets
  • Until now we were focusing on services; now we are drilling down into resources.
  • Every resource in AWS has a unique ARN (Amazon Resource Name)
  • When we deal with specific resources we need to fill in the ARN. For the ARN syntax, Refer Here
  • The policy we created looks as shown below
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3-object-lambda:Get*",
                "s3-object-lambda:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [
                "arn:aws:s3:::qtdevops08042022",
                "arn:aws:s3:::qtdevops08042022/*"
            ]
        }
    ]
}
  • Now attach this policy to a user and check
  • Try uploading a file to another bucket (this should be denied, since only s3:Get* and s3:List* are allowed on buckets other than qtdevops08042022)
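To see why the Deny statement in Activity 3 wins and why the Resource ARNs in Activity 4 block uploads to other buckets, the following added example (not part of the course notes and not AWS's own evaluator) simulates IAM's policy evaluation for the two policies above: start from an implicit deny, let any matching explicit Deny end evaluation, otherwise grant on a matching Allow. It models only Effect, Action and Resource with IAM's * and ? wildcards; Condition, NotAction, resource-based policies, SCPs and permission boundaries are deliberately left out. The instance ARN and the "some-other-bucket" name are constructed sample values.

```python
"""Minimal simulation of how IAM evaluates an identity-based policy.

Added illustration, not AWS's evaluator and not the course author's code.
Models the two rules Activities 3 and 4 rely on:
  1. an explicit Deny always wins over any matching Allow;
  2. the Resource element scopes an Allow to the named ARN(s).
Condition, NotAction/NotResource, resource-based policies, SCPs and
permission boundaries are not modelled.
"""
import fnmatch
import json

# The two policies from the notes above, embedded as JSON text.
ACTIVITY3_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:*", "autoscaling:*", "imagebuilder:*", "ec2-instance-connect:*"],
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["s3:DeleteBucket", "ec2:TerminateInstances"],
     "Resource": "*"}
  ]
}""")

ACTIVITY4_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*", "s3-object-lambda:Get*", "s3-object-lambda:List*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::qtdevops08042022", "arn:aws:s3:::qtdevops08042022/*"]}
  ]
}""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """True if any pattern matches value ('*' = any run, '?' = one char)."""
    if fold_case:  # IAM action names are matched case-insensitively
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource).

    Start at implicit deny; an explicit Deny in any matching statement ends
    evaluation immediately; otherwise a matching Allow grants the request.
    """
    outcome = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides every Allow
        outcome = "Allow"
    return outcome


def demonstrate():
    """Run the requests the activities ask the student to try by hand."""
    other_bucket = "arn:aws:s3:::some-other-bucket"                          # constructed
    instance = "arn:aws:ec2:us-east-1:111111111111:instance/i-0000000000000000"  # constructed
    course_bucket = "arn:aws:s3:::qtdevops08042022"
    return {
        # Activity 3: s3:* and ec2:* are allowed, but the Deny statement wins
        "a3_put_object": evaluate(ACTIVITY3_POLICY, "s3:PutObject", other_bucket + "/x.txt"),
        "a3_delete_bucket": evaluate(ACTIVITY3_POLICY, "s3:DeleteBucket", other_bucket),
        "a3_stop_instance": evaluate(ACTIVITY3_POLICY, "ec2:StopInstances", instance),
        "a3_terminate": evaluate(ACTIVITY3_POLICY, "ec2:TerminateInstances", instance),
        "a3_iam": evaluate(ACTIVITY3_POLICY, "iam:CreateUser", "*"),
        # Activity 4: full access only on the named bucket, read-only elsewhere
        "a4_upload_own": evaluate(ACTIVITY4_POLICY, "s3:PutObject", course_bucket + "/x.txt"),
        "a4_upload_other": evaluate(ACTIVITY4_POLICY, "s3:PutObject", other_bucket + "/x.txt"),
        "a4_list_other": evaluate(ACTIVITY4_POLICY, "s3:ListBucket", other_bucket),
        "a4_delete_own": evaluate(ACTIVITY4_POLICY, "s3:DeleteBucket", course_bucket),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name:18} -> {result}")
```

Running the script shows a3_delete_bucket and a3_terminate as Deny while the neighbouring S3 and EC2 calls are Allow, and a4_upload_other as ImplicitDeny while a4_list_other is Allow; that is exactly the behaviour the screenshots in these activities capture, and the simulator is a handy way to reason about a policy before attaching it to a real user.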

Activity 5:

  • Create an EC2 instance in any region (region of your choice). To create an EC2 instance, Refer Here
  • Create an IAM policy which gives a user read-only access on EC2
  • He/she should additionally have permission to start or stop the EC2 instance created above.
  • The policy is as shown below
  • Now try to start/stop a different EC2 instance (this should be denied, since start/stop is scoped to the one instance ARN)
  • Now try to start the EC2 instance attached as a resource in the policy
  • Now try to terminate the EC2 instance attached as a resource in the policy (this should be denied, since only start and stop were granted)
  • Now stop the EC2 instance attached as a resource in the policy

Exercise: Try to write a policy which allows the user to do anything on EC2 if the region is Mumbai, and gives read permissions in the other regions


About continuous learner

devops & cloud enthusiastic learner