AWS IAM Contd…
Policy 6:
- Write an IAM policy for a specific user that allows stopping one EC2 instance (identified by its instance id) and uploading objects (s3:PutObject) into any S3 bucket.
- Apart from that, this user should only have read-only access on S3 and EC2.
- With the following policy we are able to stop the EC2 instance, but the object is still not uploaded. The last statement is the problem: s3:PutObject is an object-level action, so its Resource must be an object ARN (arn:aws:s3:::qt26june/* for one bucket, or arn:aws:s3:::*/* for any bucket), whereas the policy names the bucket ARN arn:aws:s3:::qt26june, which matches no object. The trailing "s3:" entry is also not a complete action name and should be removed or completed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3-object-lambda:Get*",
        "s3-object-lambda:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionAcl",
        "s3:PutObjectVersionTagging",
        "s3:"
      ],
      "Resource": "arn:aws:s3:::qt26june"
    }
  ]
}
Policy 7
- Refer Here for the global condition keys (aws:RequestedRegion is the one this policy needs)
- Write an IAM policy which allows the user to create and delete S3 buckets, and to do any other S3 operation, as long as the region is us-west-2, and gives read-only access in all other regions.
- Refer Here for the condition operators
- Refer Here for the changes
Policy 8
- Write an IAM policy which allows users to create, delete and update EC2 instances as long as the instance type is t2.micro, t3.micro or t3.small (condition key ec2:InstanceType), and gives read-only access for all other instance types.
- Refer Here for the changes

Policy 9
- Write an IAM policy which allows a user, group or role to perform any action on Glue as long as the region is Mumbai (ap-south-1).
- Refer Here for the changes
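Policies 6 to 9 can be checked before anything is attached to a user. The script below is an added example, not code from the lesson: it is a small local evaluator that models the IAM decision order (an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied), Action/Resource wildcard matching and the StringEquals/StringLike condition operators, and then runs candidate policies for 6 to 9 against constructed requests. The account id, instance id, bucket name and the policy statements are assumptions made for this example; the lesson's own answers are behind the "Refer Here" links.

```python
"""Offline stand-in for the IAM policy simulator (added example, not the
lesson's code).  Models: explicit Deny > Allow > implicit deny, Action and
Resource wildcards, and the StringEquals / StringLike operators.  Account id,
instance id and bucket names are placeholders."""
import fnmatch

ACCOUNT = "111122223333"  # placeholder account id
INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"  # placeholder


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, fold_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    if fold_case:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold; listed values are OR-ed; a key absent
    from the request context never satisfies a test."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringLike":
                ok = actual is not None and any(_match(e, actual) for e in expected)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request."""
    ctx, decision = ctx or {}, "implicit deny"
    for stmt in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# Policy 6 (write half).  The lesson put the bucket ARN on s3:PutObject; object
# actions need an object ARN ".../*", and "any bucket" is arn:aws:s3:::*/*.
STOP_START = {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": INSTANCE}
POLICY_6_BROKEN = _policy(STOP_START, {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::qt26june"})
POLICY_6_FIXED = _policy(STOP_START, {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::*/*"})

# Policy 7: everything on S3 in us-west-2, read-only in every other region.
POLICY_7 = _policy(
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}}})

# Policy 8: create/delete/update instances of the small types only.  RunInstances
# also touches the image, subnet, security group, key pair, ENI and volume, where
# ec2:InstanceType is not available, so those resources get an unconditional grant.
POLICY_8 = _policy(
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:InstanceType": ["t2.micro", "t3.micro", "t3.small"]}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*",
                  "arn:aws:ec2:*:*:key-pair/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:volume/*"]})

# Policy 9: any Glue action, but only in Mumbai (ap-south-1).
POLICY_9 = _policy({"Effect": "Allow", "Action": "glue:*", "Resource": "*",
                    "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-south-1"}}})


def simulate():
    """The checks one would type into the console simulator, as one table."""
    obj, bucket = "arn:aws:s3:::qt26june/report.csv", "arn:aws:s3:::qt26june"
    new_instance = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*"  # id unknown before launch
    return {
        "p6 stop instance": evaluate(POLICY_6_FIXED, "ec2:StopInstances", INSTANCE),
        "p6 put, bucket ARN": evaluate(POLICY_6_BROKEN, "s3:PutObject", obj),
        "p6 put, object ARN": evaluate(POLICY_6_FIXED, "s3:PutObject", obj),
        "p7 delete bucket us-west-2": evaluate(POLICY_7, "s3:DeleteBucket", bucket, {"aws:RequestedRegion": "us-west-2"}),
        "p7 delete bucket us-east-1": evaluate(POLICY_7, "s3:DeleteBucket", bucket, {"aws:RequestedRegion": "us-east-1"}),
        "p7 list bucket us-east-1": evaluate(POLICY_7, "s3:ListBucket", bucket, {"aws:RequestedRegion": "us-east-1"}),
        "p8 run t3.micro": evaluate(POLICY_8, "ec2:RunInstances", new_instance, {"ec2:InstanceType": "t3.micro"}),
        "p8 run m5.large": evaluate(POLICY_8, "ec2:RunInstances", new_instance, {"ec2:InstanceType": "m5.large"}),
        "p9 glue ap-south-1": evaluate(POLICY_9, "glue:CreateJob", "*", {"aws:RequestedRegion": "ap-south-1"}),
        "p9 glue us-east-1": evaluate(POLICY_9, "glue:CreateJob", "*", {"aws:RequestedRegion": "us-east-1"}),
    }


if __name__ == "__main__":
    for request, decision in simulate().items():
        print(f"{request:30} {decision}")
```

Running the script prints one decision per request: the bucket-ARN version of Policy 6 is implicitly denied for the upload while the object-ARN version allows it, Policy 7 allows DeleteBucket only with aws:RequestedRegion = us-west-2 but ListBucket everywhere, Policy 8 allows RunInstances for t3.micro and not for m5.large, and Policy 9 allows Glue only in ap-south-1. The model deliberately leaves out NotAction, resource-based policies, permission boundaries and SCPs, so the console simulator (next section) remains the authoritative check before the policy goes on a real user.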
Testing IAM policies with simulator