Finding ARNs and Actions
- Refer Here for pattern
- Refer Here for Actions, resources and conditions
- Find the ARN for an EC2 instance in the N. Virginia region (us-east-1) with instance id i-0c0d4238fe7ae9232 in the AWS account with id 123456789012:
  Pattern: arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}
  ARN: arn:aws:ec2:us-east-1:123456789012:instance/i-0c0d4238fe7ae9232
- Find the ARN for a Security Group with id sg-123456778 (same account and region):
  Pattern: arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId}
  ARN: arn:aws:ec2:us-east-1:123456789012:security-group/sg-123456778
- Find the ARN for an RDS instance in the Mumbai region (ap-south-1) in the AWS account with id 123456789012 and RDS instance id rds-0c0d4238fe7ae9232:
  Pattern: arn:${Partition}:rds:${Region}:${Account}:db:${DbInstanceName}
  ARN: arn:aws:rds:ap-south-1:123456789012:db:rds-0c0d4238fe7ae9232
Some more examples
- Account id: 123456789012
- Region: Mumbai (ap-south-1)
- Find the ARN for
  - an Elastic IP (EC2) with id eip-12345: arn:aws:ec2:ap-south-1:123456789012:elastic-ip/eip-12345
  - an EKS cluster with id eks-12345: arn:aws:eks:ap-south-1:123456789012:cluster/eks-12345
  - a Volume (EBS) with id ebs-12345: arn:aws:ec2:ap-south-1:123456789012:volume/ebs-12345
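The ARN patterns above can be filled in and taken apart programmatically. The following is an added example, not code from the original notes: it uses the region aliases and resource-type patterns from this page, the page's sample ids as constructed inputs, and an assumed helper arn_matches that checks a policy Resource pattern (IAM's * and ? wildcards) against a concrete ARN, which is the check you need before trusting that a Resource entry really covers the instance you meant.

```python
import re
from fnmatch import fnmatchcase

# Region aliases as used in the notes above (names -> AWS region codes).
REGION_ALIASES = {"nvirginia": "us-east-1", "mumbai": "ap-south-1"}

# Resource patterns from the page: kind -> (service, resource type, separator
# between type and id). RDS uses ':' between "db" and the instance name,
# the EC2/EKS resources use '/'.
ARN_PATTERNS = {
    "ec2-instance":       ("ec2", "instance", "/"),
    "ec2-security-group": ("ec2", "security-group", "/"),
    "ec2-volume":         ("ec2", "volume", "/"),
    "ec2-elastic-ip":     ("ec2", "elastic-ip", "/"),
    "eks-cluster":        ("eks", "cluster", "/"),
    "rds-db":             ("rds", "db", ":"),
}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_arn(kind, region, account, resource_id, partition="aws"):
    """Fill the page's ARN pattern for `kind`; `region` may be a code or an alias."""
    service, resource_type, sep = ARN_PATTERNS[kind]
    region_code = REGION_ALIASES.get(region, region)
    if not ACCOUNT_ID_RE.match(account):
        raise ValueError(f"account id must be 12 digits: {account!r}")
    return f"arn:{partition}:{service}:{region_code}:{account}:{resource_type}{sep}{resource_id}"


def parse_arn(arn):
    """Split an ARN into its six fields; resource type and id are split on '/' or ':'."""
    parts = arn.split(":", 5)          # the resource field may itself contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if "/" in resource:
        resource_type, resource_id = resource.split("/", 1)
    elif ":" in resource:
        resource_type, resource_id = resource.split(":", 1)
    else:                               # e.g. S3 bucket ARNs carry only the bare name
        resource_type, resource_id = "", resource
    return {
        "partition": partition, "service": service, "region": region,
        "account": account, "resource_type": resource_type, "resource_id": resource_id,
    }


def arn_matches(pattern, arn):
    """Assumed helper: does a policy Resource pattern (IAM's * and ? wildcards)
    match a concrete ARN? Resource matching is case-sensitive, hence fnmatchcase."""
    return fnmatchcase(arn, pattern)


if __name__ == "__main__":
    # Constructed inputs: the instance id and account id from the notes above.
    arn = build_arn("ec2-instance", "nvirginia", "123456789012", "i-0c0d4238fe7ae9232")
    print(arn)
    print(parse_arn(arn))
    print(arn_matches("arn:aws:ec2:us-east-1:123456789012:instance/*", arn))
```

The parser stops at six fields on purpose: the resource part of an ARN may itself contain colons (the RDS db:name form above), so a naive split on every colon would break it.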
Actions
Find an action to
- stop EC2: ec2:StopInstances
- terminate EC2: ec2:TerminateInstances
- delete an Elastic IP: ec2:DisassociateAddress
- delete an RDS database instance: rds:DeleteDBInstance
Let's create a permission for a user who should have all permissions in EC2 apart from terminating instances:
- Statement-1:
  - Resource: *
  - Action: ec2:*
  - Effect: Allow
- Statement-2:
  - Resource: *
  - Action: ec2:TerminateInstances
  - Effect: Deny
Let's create a policy for the user to do anything in AWS but nothing in S3:
- Statement-1:
  - Resource: *
  - Action: *
  - Effect: Allow
- Statement-2:
  - Resource: *
  - Action: s3:*
  - Effect: Deny
Let's create a policy to allow anything in the Mumbai region but not in any other region:
- Statement:
  - Resource: *
  - Action: *
  - Effect: Allow
  - Condition: aws:region == ap-south-1
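The three policies above all rely on the same evaluation rule: an explicit Deny in any matching statement beats every Allow, and a request that matches no Allow is implicitly denied. The block below is an added example, not code from the original notes, and not an AWS library: it transcribes the three policies into IAM JSON shape and runs a simplified evaluator over constructed requests. It assumes the global condition key is aws:RequestedRegion (the key AWS actually defines for the requested region; a Condition on a key that is absent from the request context, such as the aws:region spelling above, simply never matches and the Allow is not granted). Service control policies, permission boundaries and resource-based policies are out of scope here.

```python
from fnmatch import fnmatchcase

# Policies from the notes above, written in IAM JSON shape as Python dicts.
EC2_NO_TERMINATE = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]}
ALL_BUT_S3 = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
]}
MUMBAI_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     # Assumption: aws:RequestedRegion is the global condition key for the region.
     "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-south-1"}}},
]}

# Constructed sample ARNs (ids from the notes above).
INSTANCE_ARN = "arn:aws:ec2:ap-south-1:123456789012:instance/i-0c0d4238fe7ae9232"
DB_ARN = "arn:aws:rds:ap-south-1:123456789012:db:rds-0c0d4238fe7ae9232"
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pattern_match(pattern, value, case_sensitive):
    # IAM action names are case-insensitive; resource ARNs are matched as written.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Every operator/key pair must hold. A key missing from the request
    context makes the condition false (there is no ...IfExists handling here)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringLike":
                if not any(fnmatchcase(actual, e) for e in expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request
    across all attached identity policies (simplified IAM evaluation)."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(_pattern_match(p, action, False) for p in _as_list(statement["Action"])):
                continue
            if not any(_pattern_match(p, resource, True) for p in _as_list(statement["Resource"])):
                continue
            if not _condition_holds(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"      # an explicit Deny ends evaluation
            decision = "Allow"             # keep scanning for a later Deny
    return decision


if __name__ == "__main__":
    print(evaluate([EC2_NO_TERMINATE], "ec2:StopInstances", INSTANCE_ARN))
    print(evaluate([EC2_NO_TERMINATE], "ec2:TerminateInstances", INSTANCE_ARN))
    print(evaluate([ALL_BUT_S3], "s3:GetObject", OBJECT_ARN))
    print(evaluate([MUMBAI_ONLY], "ec2:StopInstances", INSTANCE_ARN,
                   {"aws:RequestedRegion": "us-east-1"}))
```

Attaching the first two policies together shows why the Deny statements matter: the Allow on * in the second policy would otherwise hand back ec2:TerminateInstances that the first policy tried to withhold, and only the explicit Deny keeps it withheld.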