IAM Policies Contd….
- AWS supports four types of policies
- Identity-based policies: attached to an identity (a user, group or role) to grant it permissions
- Resource-based policies: attached to a resource; mostly used with resources such as an S3 bucket policy or a KMS key policy
- Permission boundaries: they don't grant any permissions by themselves, but they define the maximum permissions an identity-based policy can grant
- Organization SCP: a Service Control Policy is used by an account that is a member of an AWS Organization and defines the maximum permissions available to the member accounts of that organization.
Amazon Resource Name (ARN)
- This is used to uniquely identify an AWS resource
- An ARN generally has the following format
arn:partition:service:region:account-id:resource-id
- partition:
  - This is the group of AWS regions in which the resource is located
  - China: aws-cn
  - GovCloud: aws-us-gov
  - All other regions: aws
- service: This identifies the AWS service, e.g. s3/ec2/iam/rds
- account-id: This is the ID of the AWS account that owns the resource
- resource-id: This can be the name or ID of the resource
ARN Examples:
- S3 bucket in my account with name qt26june
- The template:
arn:partition:service:region:account-id:resource-id
- Fill the values:
arn:aws:s3:::qt26june
- ARN copied from Console
arn:aws:s3:::qt26june
- EC2 instance
- The template:
arn:partition:service:region:account-id:resource-id
- Fill in the values:
arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694
- Refer Here
Policy 5:
- Write an IAM policy that grants an IAM user permission to start and stop the EC2 instance with instance id i-080e502e912b3b694, plus read access on all EC2 instances
- Setup: Create any ec2 instance in any region
- After assigning the policy, test with an EC2 instance the user is allowed to start and with one the user is not allowed to start
- Refer Here for the changeset containing the policy
Policy 6:
- Write an IAM policy for a specific user that allows stopping an EC2 instance with a specific instance id and uploading an object (PutObject) into an S3 bucket.
- This user should have read-only access on S3 & EC2.
- With the following policy we are able to stop the EC2 instance, but the object is still not uploaded
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3-object-lambda:Get*",
        "s3-object-lambda:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionAcl", "s3:PutObjectVersionTagging", "s3:"],
      "Resource": "arn:aws:s3:::qt26june"
    }
  ]
}
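The reason the upload fails is the last statement's Resource: object-level actions such as s3:PutObject are evaluated against the object ARN (bucket ARN plus "/key"), not the bucket ARN, so the statement needs "arn:aws:s3:::qt26june/*". As an added illustration (not code from the page), the script below parses ARNs with the template from the ARN section and runs a deliberately minimal policy matcher (Allow statements with "*" and "?" wildcards only; no Deny, Condition or NotAction handling) over a cut-down copy of Policy 6 to show the bucket-ARN version failing and the object-ARN version passing.

```python
import re

ARN_FIELDS = ("partition", "service", "region", "account_id", "resource_id")

def parse_arn(arn):
    """Split arn:partition:service:region:account-id:resource-id into a dict.
    resource-id may itself contain ':', so split at most five times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(ARN_FIELDS, parts[1:]))

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None

def allows(policy, action, resource):
    """True if some Allow statement matches both the action (case-insensitive)
    and the resource ARN. Simplified evaluator: Allow statements only."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_wild(a, action, True) for a in actions) and any(_wild(r, resource) for r in resources):
            return True
    return False

# Sample ARNs taken from the page's own examples.
INSTANCE = "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"
BUCKET = "arn:aws:s3:::qt26june"

# Same shape as the page's Policy 6: an object action granted on the *bucket* ARN.
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": INSTANCE},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET},
]}
# Corrected: object-level actions need the object ARN, i.e. bucket ARN + "/*".
POLICY_AFTER = {"Version": "2012-10-17", "Statement": [
    POLICY_BEFORE["Statement"][0],
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/*"},
]}

if __name__ == "__main__":
    print(parse_arn(INSTANCE))
    print(allows(POLICY_BEFORE, "ec2:StopInstances", INSTANCE))           # True
    print(allows(POLICY_BEFORE, "s3:PutObject", BUCKET + "/report.txt"))  # False
    print(allows(POLICY_AFTER, "s3:PutObject", BUCKET + "/report.txt"))   # True
```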