AWS IAM Roles
- A role is an IAM identity with two policies: a permissions policy (what it may do) and a trust policy (who may assume it). A trusted entity, typically an AWS service such as EC2 or Lambda but also a user or another account, assumes the role and receives temporary credentials instead of long-lived access keys. This is how one AWS service is allowed to call other AWS services.

- Let's implement the use case from the example above.
- First, create a policy that grants full access to S3 and read-only access to RDS. The JSON below is what the AWS managed policies AmazonS3FullAccess and AmazonRDSReadOnlyAccess grant, combined into a single customer managed policy. Note that "s3:*" on "Resource": "*" is full access to every bucket and object in the account; scope the Resource to specific bucket ARNs when the workload only needs some of them.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:Describe*",
        "rds:ListTagsForResource",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricData",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "devops-guru:GetResourceCollection"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "devops-guru:SearchInsights",
        "devops-guru:ListAnomaliesForInsight"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "devops-guru:ServiceNames": [
            "RDS"
          ]
        },
        "Null": {
          "devops-guru:ServiceNames": "false"
        }
      }
    }
  ]
}
- Create a new role called experimental with EC2 as the trusted entity and attach this policy to it. Choosing EC2 as the trusted entity writes a trust policy that allows the service principal ec2.amazonaws.com to call sts:AssumeRole, and creates the instance profile that lets the role be attached to an instance.

Activity 1
- Create an Amazon Linux 2 based EC2 instance
- Create a role called experimental for EC2, attach the AdministratorAccess managed policy to it, and attach the role to the instance
- Now create a customer managed policy that gives full access to IAM and attach it to the role experimental (make sure AdministratorAccess is detached first). Be aware that iam:* on an instance role is administrator-equivalent anyway: anyone who can run code on that instance, or reach its instance metadata endpoint through an SSRF bug, can use the role's credentials to create a new administrator user. Treat this as a lab-only setup and require IMDSv2 on the instance.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": "*"
    }
  ]
}
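The two policies above, and the trust policy the role needs, can be sanity-checked offline before anything is created in the account. The Python below is an added example (it is not part of these notes and not AWS code). It models only the slice of IAM evaluation the notes rely on: Action and Resource wildcard matching, the evaluation order explicit Deny > Allow > implicit deny, and the trust-policy check for a service principal. Condition blocks (such as the devops-guru one above), NotAction, resource-based policies, permission boundaries and SCPs are deliberately not modelled, so this is a teaching aid rather than a substitute for the IAM Policy Simulator. The policy dictionaries are trimmed copies of the ones above; the trust policy is the one the console generates when EC2 is picked as the trusted entity.

```python
"""Minimal IAM policy evaluator and wildcard linter (added example).

Models only: Action/Resource wildcards ('*' and '?'), the order
explicit Deny > Allow > implicit deny, and service-principal trust.
Condition, NotAction/NotResource, resource policies, permission
boundaries and SCPs are NOT modelled.
"""
import fnmatch

# Permissions policy from the notes: S3 full access + RDS read-only,
# trimmed to the statements this example exercises (constructed copy).
S3_FULL_RDS_READONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "s3-object-lambda:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["rds:Describe*", "rds:ListTagsForResource",
                    "ec2:DescribeSubnets", "ec2:DescribeVpcs"],
         "Resource": "*"},
    ],
}

# The Activity 1 policy: full access to IAM.
IAM_FULL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}],
}

# Trust policy letting the EC2 service assume the role (what the console
# writes when "EC2" is chosen as the trusted entity).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Service."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match; action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy: dict, action: str, resource: str = "*") -> bool:
    """Evaluate one request against an identity policy.

    An explicit Deny in any matching statement wins; otherwise any
    matching Allow grants; a request no statement matches is denied.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False          # explicit Deny: stop immediately
        allowed = True            # remember the Allow, keep scanning for a Deny
    return allowed


def can_assume(trust_policy: dict, service_principal: str) -> bool:
    """True if the service principal is trusted to call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):   # "Principal": "*" is not a service grant
            continue
        if service_principal in _as_list(principal.get("Service", [])):
            return True
    return False


def find_broad_grants(policy: dict) -> list:
    """Lint: Allow actions of the form 'service:*' (or '*') on Resource '*'.

    Each hit is full access to that service across the whole account,
    which is what the notes call "full access".
    """
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for act in _as_list(stmt.get("Action", [])):
            if act == "*" or act.endswith(":*"):
                findings.append(act)
    return findings


if __name__ == "__main__":
    for act in ("s3:DeleteBucket", "rds:DescribeDBInstances",
                "rds:DeleteDBInstance", "iam:CreateUser"):
        verdict = "allow" if is_allowed(S3_FULL_RDS_READONLY, act) else "deny"
        print(f"{act:26s} -> {verdict}")
    print("broad grants:", find_broad_grants(S3_FULL_RDS_READONLY), find_broad_grants(IAM_FULL))
    print("EC2 can assume role:", can_assume(EC2_TRUST_POLICY, "ec2.amazonaws.com"))
```

Running it shows why "rds:Describe*" is read-only (rds:DeleteDBInstance is implicitly denied) while "s3:*" is not, and the linter reports every service-wide wildcard so you can decide whether each one is intended. The Deny-wins rule matters for the Activity 1 cleanup: if you forget to detach AdministratorAccess, an explicit Deny statement is the only way to take a permission away from the role.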

- To check what a policy actually allows for a given principal, action and resource, use the IAM Policy Simulator (Refer Here)
- To build policy documents from a form instead of writing the JSON by hand, use the AWS Policy Generator (Refer Here)
Exercises
- Create a role for:
  - Lambda with full access on EC2 and read-only access on S3 and RDS
  - Lambda with CloudWatch and CloudTrail full access and IAM full access