IAM Policy
- IAM Policy is collection of statments assigned to IAM user or group or role which determines the authorization.
- Lets look at some IAM Policies in Json
- Administrator
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"autoscaling.amazonaws.com",
"ec2scheduled.amazonaws.com",
"elasticloadbalancing.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"transitgateway.amazonaws.com"
]
}
}
}
]
}
Actvity 1: Lets create an IAM Policy to have full permissions on ec2,s3
{
"Version" : "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "s3:*",
"Resource": "*",
"Effect": "Allow"
}
]
}
- Create a IAM Policy with the above mentioned json.
- Attach this policy to user or group
Activity 2:
- Create an IAM policy to view all the s3 buckets but not delete any buckets and view all the vpcs but not change any vpc or s3
- First version
{
"Version" : "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
"Resource": "*"
}
]
}
- Exercise: Work to fix this
Activity3: Exercise
- Write an IAM Policy to do anything in s3 and read in EC2
