AWS Classroom notes 26/Aug/2022

AWS IAM Contd…

Policy 6:

  • Write an IAM policy that lets a specific user stop an EC2 instance with a specific instance id and upload an object (PutObject) into any S3 bucket.
  • This user should also have read-only access to S3 and EC2.
  • With the following policy we are able to stop the EC2 instance, but the object is still not uploaded:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3-object-lambda:Get*",
                "s3-object-lambda:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionAcl", "s3:PutObjectVersionTagging", "s3:"],
            "Resource": "arn:aws:s3:::qt26june"
        }
    ]
}
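Why the upload fails: `s3:PutObject` is authorised against the object ARN (`arn:aws:s3:::bucket/key`), and the bucket ARN `arn:aws:s3:::qt26june` never matches an object. The last entry `"s3:"` is also not a valid action name (actions are written `service:Action`). The following is an added example, not code from the notes: a miniature deny-by-default evaluator that models only Effect/Action/Resource matching (no conditions, no resource policies) and compares the classroom statement with the corrected `/*` resource. The account id, instance id and bucket name are the ones in the policy above; the object key `report.csv` is constructed for the demonstration.

```python
"""Added example, not part of the classroom notes: a miniature deny-by-default
IAM evaluator that models only Effect/Action/Resource matching (no conditions,
no resource policies), enough to show why the policy above stops the instance
but cannot upload the object."""
import fnmatch

# Identifiers taken from the classroom policy above.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"
BUCKET = "qt26june"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement matches the action and resource and no
    Deny statement does. Action names are case-insensitive in IAM; ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed


def build_policy(put_object_resource):
    """The read-only + start/stop + PutObject policy from the notes, with the
    PutObject Resource parameterised so both variants can be compared."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
             "Resource": INSTANCE_ARN},
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging"],
             "Resource": put_object_resource},
        ],
    }


# As written in the notes: the bucket ARN. s3:PutObject is authorised against
# the object ARN (bucket/key), which the bucket ARN never matches.
CLASSROOM_POLICY = build_policy(f"arn:aws:s3:::{BUCKET}")
# Fix: the trailing '/*' makes the statement cover every object in the bucket.
FIXED_POLICY = build_policy(f"arn:aws:s3:::{BUCKET}/*")

if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"  # constructed object key
    for name, pol in (("classroom", CLASSROOM_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "StopInstances:", is_allowed(pol, "ec2:StopInstances", INSTANCE_ARN),
              "PutObject:", is_allowed(pol, "s3:PutObject", obj))
```

The task statement asks for uploads into any bucket; for that the PutObject resource would be `arn:aws:s3:::*/*` rather than one bucket. Keep the bucket-level `arn:aws:s3:::qt26june` only for bucket-level actions such as `s3:ListBucket`; object-level actions need the `/*` form.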

Policy 7

  • Refer Here for global condition context keys
  • Write an IAM policy which allows the user to create and delete S3 buckets and perform any other S3 operation as long as the region is us-west-2, with read-only access in other regions.
  • Refer Here for the condition operators
  • Refer Here for the changes

Policy 8

  • Write an IAM policy which allows users to create, delete and update EC2 instances as long as the instance type is t2.micro, t3.micro or t3.small, and read-only for all other EC2 instance types.
  • Refer Here for the changes

Policy 9

  • Write an IAM policy which allows a user, group or role to perform any action on Glue as long as the region is Mumbai.
  • Refer Here for the changes
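Policies 7, 8 and 9 all hinge on a `Condition` block: `aws:RequestedRegion` for the region restriction and `ec2:InstanceType` for the instance-type restriction. The following is an added example, not the notes' own solution: the three policies as one might write them, plus a small evaluator for the `StringEquals`, `StringNotEquals` and `StringLike` operators they use, including the rule that a key missing from the request context fails a positive operator and satisfies a `...Not...` one. The `Sid` names, the `ec2:RunInstances` supporting-resource list, and `ap-south-1` as the Mumbai region code are my choices; the request contexts at the bottom are constructed.

```python
"""Added example, not from the classroom notes: the three condition-based
policies (7, 8, 9) plus a small evaluator for the String condition operators
they rely on. Only the Condition part is evaluated here; Action/Resource
matching is out of scope for this block."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(condition, context):
    """IAM semantics modelled here: every operator/key pair must hold (AND);
    several values for one key are alternatives (OR); a key missing from the
    request context fails a positive operator and satisfies a *Not* operator."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                ok = actual is not None and actual in wanted
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in wanted
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"operator {operator} not modelled in this example")
            if not ok:
                return False
    return True


def applicable_sids(policy, context):
    """Sids of the statements whose Condition (if any) holds for the request."""
    return [s["Sid"] for s in policy["Statement"]
            if condition_holds(s.get("Condition", {}), context)]


# Policy 7: any S3 operation (bucket create/delete included) in us-west-2,
# read-only everywhere else. The read-only statement has no Condition.
POLICY_7 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullS3InOregon", "Effect": "Allow", "Action": "s3:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}}},
        {"Sid": "ReadOnlyAnywhere", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ],
}

# Policy 8: create/delete/update only small instance types. ec2:InstanceType
# is evaluated on the instance resource; RunInstances additionally needs
# permission on the image, subnet, security group, ENI, volume and key pair.
POLICY_8 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SmallInstancesOnly", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"ec2:InstanceType": ["t2.micro", "t3.micro", "t3.small"]}}},
        {"Sid": "RunInstancesSupportingResources", "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                      "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:network-interface/*",
                      "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:key-pair/*"]},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# Policy 9: anything on Glue, but only in Mumbai (ap-south-1, assumed).
POLICY_9 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GlueInMumbai", "Effect": "Allow", "Action": "glue:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-south-1"}}},
    ],
}

if __name__ == "__main__":
    # Constructed request contexts: which statements survive in each case?
    print("S3 in us-west-2:", applicable_sids(POLICY_7, {"aws:RequestedRegion": "us-west-2"}))
    print("S3 in us-east-1:", applicable_sids(POLICY_7, {"aws:RequestedRegion": "us-east-1"}))
    print("EC2 m5.large:", applicable_sids(POLICY_8, {"ec2:InstanceType": "m5.large"}))
    print("Glue in us-east-1:", applicable_sids(POLICY_9, {"aws:RequestedRegion": "us-east-1"}))
```

For an `m5.large` request the `SmallInstancesOnly` statement drops out, so `ec2:RunInstances` lacks its instance-resource permission and is denied even though the supporting-resource statement still applies; the read-only `Describe*` statement stays usable for every type. The same pattern gives Policy 9 an empty statement list outside Mumbai, which is an implicit deny.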

Testing IAM policies with simulator


About continuous learner

devops & cloud enthusiastic learner