AWS IAM Policies (contd.)
Scenario 1
- You are asked to create a policy that allows the user to do anything in S3 buckets but not delete anything (objects or buckets)
- Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:Delete*",
      "Resource": "*"
    }
  ]
}
- As we have tested, this works fine.
Scenario 2
- You are asked to create a policy that allows the user only to view (read-only) S3 buckets, but full permissions are to be given on one particular bucket
- Create an S3 bucket: qt.learning.khaja
- The policy should allow full permissions only on the above bucket
- In AWS, every resource created can be identified by a unique name called an ARN (Amazon Resource Name)
- ARN docs: Refer Here
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3-object-lambda:Get*",
        "s3-object-lambda:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::qt.learning.khaja",
        "arn:aws:s3:::qt.learning.khaja/*"
      ]
    }
  ]
}
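To check what the two policies above actually decide before attaching them to a user, here is a small offline evaluator (an added example, not part of the original notes or any AWS library). It implements only the rules the scenarios depend on: an explicit Deny beats any Allow, and a request is implicitly denied unless some statement allows it; Condition, NotAction and principals are not handled, so use the IAM policy simulator for anything beyond these basics.

```python
import fnmatch
import json

# Added example: minimal IAM policy evaluator for Effect/Action/Resource
# statements with "*" and "?" wildcards. Explicit Deny wins; otherwise a
# request is ImplicitDeny unless an Allow statement matches both the action
# and the resource ARN. Not a substitute for AWS's own evaluation logic.

SCENARIO_1 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}
  ]
}""")

SCENARIO_2 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*", "s3-object-lambda:Get*", "s3-object-lambda:List*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::qt.learning.khaja", "arn:aws:s3:::qt.learning.khaja/*"]}
  ]
}""")


def _matches(patterns, value, fold_case):
    """True if any IAM pattern ("*" and "?" wildcards) matches the value."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:  # action names are case-insensitive in IAM
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, True) and _matches(stmt["Resource"], resource, False):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny ends evaluation; no Allow can override it
            decision = "Allow"
    return decision
```

For example, `evaluate(SCENARIO_2, "s3:PutObject", "arn:aws:s3:::some-other-bucket/x")` returns "ImplicitDeny", while the same request against qt.learning.khaja returns "Allow".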
- Exercise: Create a policy that can read (describe) EC2 instances but has permission to start and stop only one particular EC2 instance