AWS IAM Contd…
Policy 6:
Write an IAM policy that lets a specific user stop the EC2 instance with a specific instance id and upload an object (PutObject) into any S3 bucket.
This user should have read-only access to S3 and EC2.
We are able to stop the EC2 instance, but the object is still not uploaded with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3-object-lambda:Get*",
                "s3-object-lambda:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging",
                "s3:"
            ],
            "Resource": "arn:aws:s3:::qt26june"
        }
    ]
}
Policy 7
Refer Here for the global condition context keys
Write an IAM policy that allows a user to create and delete S3 buckets and perform any other S3 operation as long as the region is us-west-2, with read-only access in all other regions.
Refer Here for the condition operators
Refer Here for the changes
Policy 8
Write an IAM policy that allows users to create, delete and update EC2 instances as long as the instance type is t2.micro, t3.micro or t3.small, with read-only access for all other instance types.
Refer Here for the changes
Policy 9
Write an IAM policy that allows a user, group or role to perform any Glue action as long as the region is Mumbai.
Refer Here for the changes
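The "Refer Here" links above are not reproduced on this page, so the following is an added example (not the course's or AWS's code) that lets you check Policies 6 to 9 offline. It is a deliberately small IAM evaluator: implicit deny, an explicit Deny overriding any Allow, `*`/`?` wildcards on Action and Resource, and the `StringEquals`/`StringNotEquals` operators, which is all these policies need. For Policy 6 it shows why the upload fails: `s3:PutObject` acts on an object, and the bucket ARN `arn:aws:s3:::qt26june` does not match an object ARN, so the resource must be `bucket/*` (or `arn:aws:s3:::*/*` for "any bucket"). Policies 7 and 9 use the global condition key `aws:RequestedRegion` (Mumbai is `ap-south-1`), and Policy 8 uses `ec2:InstanceType`, which exists only on instance resources; the list of EC2 lifecycle actions and the extra resource types `RunInstances` needs are my assumptions about the intended answer. The bucket name, account id and instance id are the ones on the page; the sample requests are constructed.

```python
"""Tiny IAM policy evaluator used to check Policies 6 to 9 offline.

Added example, not the course's or AWS's code. Only the rules these
policies depend on are implemented: implicit deny, explicit Deny beating
Allow, '*'/'?' wildcards on Action and Resource, and the StringEquals /
StringNotEquals operators. Sample requests are constructed values.
"""
import re


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. As in IAM, a key missing from the
    request fails StringEquals but satisfies StringNotEquals."""
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif op == "StringNotEquals":
                if actual in _as_list(wanted):
                    return False
            else:
                raise NotImplementedError(op)
    return True


def is_allowed(policy, action, resource, ctx=None):
    """True when a matching Allow applies and no matching Deny does."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(st["Action"])):
            continue  # actions are case-insensitive, resources are not
        if not any(_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False  # explicit deny wins regardless of other statements
        allowed = True
    return allowed


V = "2012-10-17"
INSTANCE = "arn:aws:ec2:us-east-1:678879106782:instance/i-080e502e912b3b694"

# Policy 6: a bucket ARN only covers bucket-level actions; PutObject targets an
# object, so the resource must be an object ARN ("bucket/*", here any bucket).
POLICY6_BUCKET_ARN = {"Version": V, "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::qt26june"}]}
POLICY6_FIXED = {"Version": V, "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::*/*"},
    {"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": INSTANCE}]}

# Policy 7: read-only everywhere, full S3 access only for requests to us-west-2.
POLICY7 = {"Version": V, "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}}}]}

# Policy 8: lifecycle actions on instances only for the three small types
# (assumed action list). RunInstances also touches image/subnet/SG/ENI/volume/
# key-pair resources, which carry no ec2:InstanceType key, so those resource
# types get an unconditional Allow for RunInstances only.
POLICY8 = {"Version": V, "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:InstanceType": ["t2.micro", "t3.micro", "t3.small"]}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                  "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:network-interface/*",
                  "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:key-pair/*"]}]}

# Policy 9: any Glue action, but only in Mumbai (ap-south-1).
POLICY9 = {"Version": V, "Statement": [
    {"Effect": "Allow", "Action": "glue:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-south-1"}}}]}


if __name__ == "__main__":
    obj = "arn:aws:s3:::qt26june/report.csv"
    print("Policy 6 with bucket ARN:", is_allowed(POLICY6_BUCKET_ARN, "s3:PutObject", obj))
    print("Policy 6 with object ARN:", is_allowed(POLICY6_FIXED, "s3:PutObject", obj))
    print("Policy 8 m5.large launch:", is_allowed(POLICY8, "ec2:RunInstances", INSTANCE,
                                                   {"ec2:InstanceType": "m5.large"}))
```

The evaluator is only a reasoning aid; before attaching any of these policies, confirm them with the IAM policy simulator described in the next section, which applies the full set of condition operators and resource-type rules that this script leaves out.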
Testing IAM policies with simulator