AWS Classroomnotes 25/Aug/2022

IAM Policies Contd….

  • AWS supports four types of policies
    • Identity-based policies: Attached to an identity (a user, group or role) to grant it permissions
    • Resource-based policies: Attached to a resource rather than an identity, e.g. an S3 bucket policy or a KMS key policy
    • Permission boundaries: They don’t grant any permissions by themselves; they define the maximum permissions an identity-based policy can grant to the user or role they are attached to
    • Organization SCP: A Service Control Policy is applied to member accounts of an AWS Organization and defines the maximum permissions available to principals in those accounts

Amazon Resource Name (ARN)

  • This is used to uniquely identify an AWS resource
  • The ARN is generally in the following format
arn:partition:service:region:account-id:resource-id
  • partition:
    • This is the group of AWS regions in which the resource is located
      • China: aws-cn
      • GovCloud: aws-us-gov
      • For the rest: aws
  • service: This identifies the AWS service, i.e. s3/ec2/iam/rds etc.
  • account-id: This is the 12-digit ID of the AWS account that owns the resource
  • resource-id: This can be the name or ID of the resource, often prefixed with the resource type (e.g. instance/i-…)
  • ARN Examples:

    • S3 bucket in my account with name qt26june
      • The template: arn:partition:service:region:account-id:resource-id
      • Fill the values: arn:aws:s3:::qt26june
      • ARN copied from Console arn:aws:s3:::qt26june
    • EC2 instance
      • The template: arn:partition:service:region:account-id:resource-id
      • Fill in the values: arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694
      • Refer Here
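The two example ARNs above (the S3 bucket, where region and account-id are empty, and the EC2 instance) can be pulled apart and rebuilt with a small parser. This is an added example and not code from the classroom notes; the validation rules it applies (three partitions, a 12-digit account id when present, mandatory service and resource-id) are the ones stated above, and the `cn-` / `us-gov-` region prefixes used to pick a partition are an assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Partitions listed in the notes: standard regions, China and GovCloud.
PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    """The fields of arn:partition:service:region:account-id:resource-id."""
    partition: str
    service: str
    region: str
    account_id: str
    resource: str

    def __str__(self) -> str:
        return f"arn:{self.partition}:{self.service}:{self.region}:{self.account_id}:{self.resource}"

    @property
    def resource_type(self) -> Optional[str]:
        # "instance/i-080e..." -> "instance"; a bare S3 bucket ARN has no type prefix
        for sep in ("/", ":"):
            if sep in self.resource:
                return self.resource.split(sep, 1)[0]
        return None

    @property
    def resource_id(self) -> str:
        # "instance/i-080e..." -> "i-080e..."; "qt26june" stays "qt26june"
        for sep in ("/", ":"):
            if sep in self.resource:
                return self.resource.split(sep, 1)[1]
        return self.resource


def parse_arn(text: str) -> Arn:
    """Split an ARN into its six fields and validate the parts with a fixed shape."""
    parts = text.split(":", 5)  # at most six fields; the resource-id may itself contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account_id, resource = parts
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {text!r}")
    if not service or not resource:
        raise ValueError(f"service and resource-id are mandatory: {text!r}")
    # Global services such as S3 buckets leave account-id empty; otherwise it is 12 digits.
    if account_id and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account-id must be 12 digits or empty: {account_id!r}")
    return Arn(partition, service, region, account_id, resource)


def partition_for_region(region: str) -> str:
    """Partition containing a region (assumed prefixes: cn-* -> aws-cn, us-gov-* -> aws-us-gov)."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def build_arn(service: str, resource: str, region: str = "",
              account_id: str = "", partition: Optional[str] = None) -> str:
    """Fill in the template; global services leave region and/or account-id empty."""
    arn = Arn(partition or partition_for_region(region), service, region, account_id, resource)
    # Round-trip through the parser so built ARNs get the same validation as parsed ones.
    return str(parse_arn(str(arn)))


if __name__ == "__main__":
    for text in ("arn:aws:s3:::qt26june",
                 "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"):
        a = parse_arn(text)
        print(f"{text}\n  service={a.service} region={a.region or '(global)'} "
              f"account={a.account_id or '(none)'} type={a.resource_type} id={a.resource_id}")
    # Constructed instance id and account id, only to show partition selection for a China region.
    print(build_arn("ec2", "instance/i-0123456789abcdef0",
                    region="cn-north-1", account_id="123456789012"))
```

Parsing with `split(":", 5)` rather than splitting on every colon matters because some services put colons inside the resource-id field; splitting on all colons would silently mangle those ARNs.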

Policy 5:

  • Write an IAM policy that grants an IAM user start and stop on the EC2 instance with instance id i-080e502e912b3b694, plus read access on all EC2 instances
  • Setup: Create any EC2 instance in any region
  • After assigning the policy, test with the EC2 instance the user is allowed to start and with an EC2 instance the user is not allowed to start
  • Refer Here for the changeset containing the policy

Policy 6:

  • Write an IAM policy that lets a specific user stop the EC2 instance with a specific instance id and upload an object (PutObject) into a given S3 bucket.
  • This user should have read-only access on S3 and EC2.
  • We are able to stop the EC2 instance, but the object is still not uploaded with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3-object-lambda:Get*",
                "s3-object-lambda:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionAcl", "s3:PutObjectVersionTagging", "s3:"],
            "Resource": "arn:aws:s3:::qt26june"
        }
    ]
}
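The failure observed with Policy 6, and the instance-level grant from Policy 5, both come down to how a request's action and resource ARN are matched against each statement. The evaluator below is an added example, not code from the notes or from AWS: it applies the simplified identity-policy rules (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny; `*` and `?` wildcards; actions matched case-insensitively) to a reduced copy of Policy 6 in which the read-only statements are collapsed to the ones that matter. It relies on one documented AWS fact: object-level S3 actions such as `s3:PutObject` are evaluated against the object ARN (`arn:aws:s3:::bucket/key`), so a statement whose `Resource` is the bare bucket ARN never matches them. The second instance id, object keys and bucket names used as requests are constructed for the example.

```python
import copy
import re
from typing import Any, Dict, List, Union

Pattern = Union[str, List[str]]


def _wildcard_to_regex(pattern: str, ignore_case: bool) -> "re.Pattern[str]":
    """IAM policy wildcards: '*' matches any run of characters, '?' exactly one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Pattern, value: str, ignore_case: bool) -> bool:
    return any(_wildcard_to_regex(p, ignore_case).match(value) for p in _as_list(patterns))


def evaluate(policy: Dict[str, Any], action: str, resource: str) -> str:
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request.

    Simplified identity-policy evaluation: an explicit Deny always wins, any
    matching Allow grants access, and a request no statement matches is
    implicitly denied. Actions match case-insensitively, resources exactly.
    Condition, NotAction, NotResource and Principal are deliberately not modelled.
    """
    outcome = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt or "NotResource" in stmt or "Condition" in stmt:
            raise ValueError("this evaluator only handles Effect/Action/Resource statements")
        if not _matches(stmt["Action"], action, ignore_case=True):
            continue
        if not _matches(stmt["Resource"], resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


INSTANCE_ARN = "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"
BUCKET_ARN = "arn:aws:s3:::qt26june"

# Reduced copy of Policy 6 from the notes: the read-only statements that decide the
# requests below plus the two specific grants, resources exactly as written there.
POLICY_6_AS_WRITTEN: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": INSTANCE_ARN},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging"],
         "Resource": BUCKET_ARN},
    ],
}


def with_object_level_resource(policy: Dict[str, Any], bucket_arn: str) -> Dict[str, Any]:
    """Copy of the policy in which statements granting only s3:PutObject* actions on the
    bare bucket ARN are rewritten to bucket_arn + "/*", the object ARN pattern those
    object-level actions are actually evaluated against. The input is left unchanged."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed["Statement"]):
        actions = _as_list(stmt["Action"])
        if stmt["Resource"] == bucket_arn and all(a.lower().startswith("s3:putobject") for a in actions):
            stmt["Resource"] = bucket_arn + "/*"
    return fixed


POLICY_6_FIXED = with_object_level_resource(POLICY_6_AS_WRITTEN, BUCKET_ARN)


if __name__ == "__main__":
    requests = [
        ("ec2:StopInstances", INSTANCE_ARN),
        ("ec2:StopInstances", "arn:aws:ec2:us-east-1:678879106782:instance/i-0000000000000000a"),
        ("s3:PutObject", BUCKET_ARN + "/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::some-other-bucket/report.csv"),
    ]
    for name, policy in (("as written", POLICY_6_AS_WRITTEN), ("with /*", POLICY_6_FIXED)):
        print(f"--- Policy 6 {name}")
        for action, resource in requests:
            print(f"{action:20} {resource:72} {evaluate(policy, action, resource)}")
```

Run it and the only row that changes between the two policies is `s3:PutObject` on `arn:aws:s3:::qt26june/report.csv`, which goes from implicit deny to allow once the resource becomes `arn:aws:s3:::qt26june/*`; the stop on the second, constructed instance id stays denied under both, which is the Policy 5 check. For the authoritative answer against a real account, the same request can be put to `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:PutObject --resource-arns arn:aws:s3:::qt26june/report.csv`, which evaluates with the full IAM semantics this toy omits.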


About continuous learner

devops & cloud enthusiastic learner