AWS Classroomnotes 09/Apr/2022

Activity 3: Let's change the IAM policy for full access on S3

  • I want to change the policy in such a way that a user attached to this policy should not be able to
    • delete S3 buckets
    • terminate EC2 instances.
  • The policy which we have so far is
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "autoscaling:*",
                "imagebuilder:*",
                "ec2-instance-connect:*"
            ],
            "Resource": "*"
        }
    ]
}
  • Now, after adding a Deny statement, the policy is as shown below. In IAM an explicit Deny always overrides an Allow, so these two actions are blocked even though "s3:*" and "ec2:*" are still allowed.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "autoscaling:*",
                "imagebuilder:*",
                "ec2-instance-connect:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "s3:DeleteBucket",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        }
    ]
}
  • Verify that the policy works by logging in to AWS as a user with the above policy attached.

Activity 4

  • Let's create a new policy where the user has permission
    • to perform all actions on a particular resource (in my case the S3 bucket qtdevops08042022)
    • to have read-only access to the other S3 buckets
  • Till now we were focusing on services; now we are drilling down into resources.
  • Every resource in AWS has a unique ARN (Amazon Resource Name).
  • When we are dealing with specific resources we need to fill in the ARN. For the ARN syntax, Refer Here.
  • The policy which we created looks as shown below
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3-object-lambda:Get*",
                "s3-object-lambda:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [
                "arn:aws:s3:::qtdevops08042022",
                "arn:aws:s3:::qtdevops08042022/*"
            ]
        }
    ]
}
  • Now attach this policy to a user and check.
  • Try uploading a file to another bucket, which the policy does not allow.
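
To see why the Activity 3 deny wins and why the Activity 4 policy treats the two buckets differently, here is a small IAM-style policy evaluator written as an added example (it is not code from the course or from AWS). It implements only the core evaluation rule: default deny, a matching Allow grants, and any matching explicit Deny overrides. The two policies are the ones shown above, copied as Python dicts; the account id, instance id and object keys in the sample ARNs are constructed for the demo.

```python
import fnmatch

# Activity 3 policy as shown on the page (Allow s3:* and ec2:*, then an explicit Deny).
ACTIVITY3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:*", "autoscaling:*", "imagebuilder:*", "ec2-instance-connect:*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["s3:DeleteBucket", "ec2:TerminateInstances"],
         "Resource": "*"},
    ],
}

# Activity 4 policy as shown on the page (read-only everywhere, full access on one bucket).
ACTIVITY4_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*", "s3-object-lambda:Get*", "s3-object-lambda:List*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::qtdevops08042022", "arn:aws:s3:::qtdevops08042022/*"]},
    ],
}

# Constructed sample ARNs: the account id, instance id and object keys are made up.
BUCKET_OBJ = "arn:aws:s3:::qtdevops08042022/report.txt"
OTHER_OBJ = "arn:aws:s3:::some-other-bucket/report.txt"
INSTANCE = "arn:aws:ec2:ap-south-1:123456789012:instance/i-0123456789abcdef0"


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, ignore_case):
    """'*' and '?' are the only IAM wildcards, which fnmatch gives us directly.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    if ignore_case:
        return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one (action, resource) request.

    Mirrors the core IAM rule: default deny, any matching Allow grants,
    any matching explicit Deny wins regardless of statement order.
    Conditions, NotAction/NotResource and principals are not modelled.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny: stop immediately
        decision = "Allow"         # keep scanning in case a later Deny applies
    return decision


def main():
    checks = [
        (ACTIVITY3_POLICY, "s3:PutObject", BUCKET_OBJ),
        (ACTIVITY3_POLICY, "s3:DeleteBucket", "arn:aws:s3:::qtdevops08042022"),
        (ACTIVITY3_POLICY, "ec2:StartInstances", INSTANCE),
        (ACTIVITY3_POLICY, "ec2:TerminateInstances", INSTANCE),
        (ACTIVITY3_POLICY, "iam:CreateUser", "*"),
        (ACTIVITY4_POLICY, "s3:GetObject", OTHER_OBJ),
        (ACTIVITY4_POLICY, "s3:PutObject", OTHER_OBJ),
        (ACTIVITY4_POLICY, "s3:PutObject", BUCKET_OBJ),
        (ACTIVITY4_POLICY, "s3:DeleteBucket", "arn:aws:s3:::qtdevops08042022"),
    ]
    for policy, action, resource in checks:
        name = "activity3" if policy is ACTIVITY3_POLICY else "activity4"
        print(f"{name:9} {action:24} {resource:55} -> {evaluate(policy, action, resource)}")


if __name__ == "__main__":
    main()
```

Running it shows the two points the activities make: under the Activity 3 policy, s3:DeleteBucket and ec2:TerminateInstances come back Deny while the rest of S3 and EC2 stay Allow, and under the Activity 4 policy s3:PutObject is Allow on qtdevops08042022 but ImplicitDeny on any other bucket. Note that the Activity 4 policy's "s3:*" on the named bucket still permits s3:DeleteBucket for that bucket; if that is not wanted, the explicit Deny from Activity 3 is the way to remove it.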

Activity 5:

  • Create an EC2 instance in any region (region of your choice). To create an EC2 instance, Refer Here.
  • Create an IAM policy which allows a user to have read-only access on EC2.
  • He/she should also have permission to start or stop the EC2 instance created above.
  • The policy is as shown below
  • Now try to start/stop another EC2 instance.
  • Now try to start the EC2 instance attached as a resource in the policy.
  • Now try to terminate the EC2 instance attached as a resource in the policy.
  • Now stop the EC2 instance attached as a resource in the policy.

Exercise: Try to write a policy which will allow the user to do anything on EC2 if the region is Mumbai, and read permissions in other regions.
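
As an added example (my own code, not the course's or AWS's), here are candidate policies for Activity 5 and for the exercise, together with a small least-privilege linter that checks a policy before it is attached to a user. The Activity 5 policy is my own version, since the page does not reproduce it; ACCOUNT-ID and INSTANCE-ID in it are placeholders to replace with real values. The exercise policy relies on the real global condition key aws:RequestedRegion, and ap-south-1 is the Mumbai region. The linter flags an Allow that grants a service wildcard, or any non-read action, on every resource without a Condition; it handles only the Action/Resource form of statements, not NotAction/NotResource.

```python
# Activity 5 (my own version; the page does not reproduce its policy):
# read-only on EC2 everywhere, start/stop on one named instance only.
# ACCOUNT-ID and INSTANCE-ID are placeholders.
ACTIVITY5_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:ap-south-1:ACCOUNT-ID:instance/INSTANCE-ID"},
    ],
}

# Exercise: anything on EC2 when the request targets Mumbai (ap-south-1),
# read-only elsewhere. aws:RequestedRegion is a global condition key.
EXERCISE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-south-1"}}},
    ],
}

# Constructed over-broad statement, the shape the earlier activities start from.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
}

READ_ONLY_PREFIXES = ("describe", "get", "list")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_service_wildcard(action):
    a = action.lower()
    return a == "*" or a.endswith(":*")


def _is_read_only(action):
    name = action.split(":", 1)[-1].lower()
    return name.startswith(READ_ONLY_PREFIXES)


def lint(policy):
    """Return a list of finding strings; an empty list means no issue found.

    Rules (a deliberately small subset of what IAM Access Analyzer checks):
      1. every statement carries Effect, Action and Resource
         (NotAction/NotResource forms are not handled here);
      2. an Allow of '*' or 'service:*' on Resource '*' with no Condition
         is flagged as unconditional full access;
      3. an Allow of any non-read action on Resource '*' with no Condition
         is flagged as an unscoped write.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                findings.append(f"statement {i}: missing required key {key}")
        if stmt.get("Effect") != "Allow":
            continue                       # Deny statements only remove access
        if "*" not in _as_list(stmt.get("Resource", [])) or "Condition" in stmt:
            continue                       # scoped by ARN or by a condition
        actions = _as_list(stmt.get("Action", []))
        wildcards = [a for a in actions if _is_service_wildcard(a)]
        writes = [a for a in actions if not _is_read_only(a) and a not in wildcards]
        if wildcards:
            findings.append(f"statement {i}: unconditional {wildcards} on every resource")
        if writes:
            findings.append(f"statement {i}: write actions {writes} not scoped to a resource")
    return findings


def main():
    for name, policy in [("activity5", ACTIVITY5_POLICY),
                         ("exercise", EXERCISE_POLICY),
                         ("broad", BROAD_POLICY)]:
        print(f"{name}: {lint(policy) or 'OK'}")


if __name__ == "__main__":
    main()
```

The Activity 5 policy passes because its only write actions are pinned to one instance ARN, which is also why the "terminate" step in the activity fails for that user: ec2:TerminateInstances is never granted. The exercise policy passes because the "ec2:*" grant is conditioned on the region; the broad sample is flagged. The read-only prefixes are a heuristic, so treat a clean result as a first check rather than proof of least privilege.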


By continuous learner

devops & cloud enthusiastic learner
