MultiCloud Classroom notes 06/Oct/2024

JSON

  • JSON (JavaScript Object Notation) is a text format used to represent structured data; IAM policies are JSON documents
  • data is written as name/value pairs, "name": value, with the name always in double quotes
  • a value can take the following forms
    • simple/scalar
      • text (a string, always double-quoted): "cloud": "aws"
      • number (unquoted; "age": "18" would be a string, not a number): "age": 18
      • boolean (unquoted true/false; JSON also has null): "freetier": true
    • complex
      • array/list: "popularfor": ["ec2", "s3"]
      • map/dictionary (an object; its values can themselves be arrays or objects):
        "services": {
            "databases": ["rds", "dynamodb"],
            "compute": ["ec2", "lambda"]
        }

Activity 1: Let's create an IAM policy to deny all

  • policy ("Version" should always be "2012-10-17"; "Id" and "Sid" are optional labels). An explicit "Deny" wins over an "Allow" from any other policy attached to the same principal, so attaching this next to AdministratorAccess still blocks every call.
{
    "Version": "2012-10-17",
    "Id": "denyall",
    "Statement": [
        {
            "Sid": "Denystmt1",
            "Effect": "Deny",
            "Resource": "*",
            "Action": "*"
        }
    ]
}

Activity 2: Create an IAM policy with read-only access to EC2 but full access on security groups.

  • The four Describe statements below are the ones the AWS managed policy AmazonEC2ReadOnlyAccess grants; the ELB, CloudWatch and Auto Scaling describe calls are what the EC2 console needs to render its pages. EC2 Describe* actions do not support resource-level permissions, so "Resource": "*" is the only valid choice for them.
  • ARN pattern matching security groups in any region and any account (the resource type is fixed, region and account are wildcards): arn:aws:ec2:*:*:security-group/*. The rule actions (Authorize*/Revoke*) can be scoped to it; before scoping ec2:CreateSecurityGroup the same way, check the Service Authorization Reference, since that action is also authorized against the VPC the group is created in.
  • As written, the last statement covers create/delete and ingress rules only. "Full access" on security groups also needs at least ec2:AuthorizeSecurityGroupEgress and ec2:RevokeSecurityGroupEgress (and, on current APIs, ec2:ModifySecurityGroupRules and ec2:UpdateSecurityGroupRuleDescriptionsIngress/Egress).
  • Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [ 
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*"
        }
    ]
}

Activity 3:

  • Create an IAM policy for the user to have
    • EC2 full access if the request targets the Mumbai region (ap-south-1)
    • EC2 read-only in all other regions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "cloudwatch:*",
                "autoscaling:*",
                "elasticloadbalancing:*"
            ],
            "Resource": "*",
            "Condition": { "StringEquals" : { "aws:RequestedRegion" : "ap-south-1" }}
        }
    ]
}
  • Every request a principal sends carries a set of context keys (aws:RequestedRegion, aws:SourceIp, aws:PrincipalTag/<key>, ...) that the Condition element is evaluated against; see the IAM documentation on global condition context keys
  • Condition keys also exist at the service level, just like actions and resources (for EC2, for example, ec2:ResourceTag/<key>, ec2:Region, ec2:InstanceType). A StringEquals test against a key that is absent from the request evaluates to false, so the statement simply does not match.
  • Note that the last statement above also grants cloudwatch:*, autoscaling:* and elasticloadbalancing:* in ap-south-1, which is more than "EC2 full access"; drop those if the intent is EC2 only

Exercise:

  • Give EC2 full access on all resources that carry the tag Environment with the value Dev (the EC2 service-level condition key ec2:ResourceTag/<key> is the building block; remember that Describe* calls carry no resource tag, so a separate read statement without the tag condition is still needed to list anything)
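The policies in these notes are only JSON documents until something evaluates them. Below is an added example (my code, not part of the original notes and not AWS's evaluation engine): a small Python evaluator implementing the subset of IAM evaluation logic the activities depend on, loaded with the Activity 1 to 3 policies (trimmed to their EC2 statements) plus one possible answer to the exercise, and run against constructed requests. The ARNs, the placeholder account ID, the exercise policy and the `evaluate`/`demo` function names are my assumptions. It shows that an explicit Deny beats an Allow from another policy, that the Activity 2 statement leaves egress rules implicitly denied, that the aws:RequestedRegion condition gates only the write statement, and that a tag-conditioned policy on its own cannot even list instances, because Describe* requests carry no ec2:ResourceTag.

```python
"""Offline evaluator for the IAM policies in these notes (added example, not AWS's engine).

Models only what the activities rely on: implicit deny by default, explicit Deny beating any
Allow, '*'/'?' wildcards in Action (case-insensitive) and Resource, and StringEquals conditions
checked against the request context. NotAction, policy variables, SCPs, resource policies and
the other condition operators are out of scope; use `aws iam simulate-custom-policy` for those.
"""
import fnmatch
import json

# Activity 1 as written in the notes: deny everything.
DENY_ALL = json.loads("""{"Version": "2012-10-17", "Id": "denyall", "Statement": [
  {"Sid": "Denystmt1", "Effect": "Deny", "Action": "*", "Resource": "*"}]}""")

# Activity 2 trimmed to its EC2/CloudWatch statements: read-only plus the listed SG actions.
EC2_READ_SG_WRITE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"]},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
              "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"]}]}""")

# Activity 3 trimmed to EC2: read everywhere, full access only when the request targets Mumbai.
EC2_FULL_IN_MUMBAI = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
   "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-south-1"}}}]}""")

# Exercise: one possible answer (my assumption, not from the notes) using the EC2
# service-level condition key ec2:ResourceTag/Environment.
EC2_FULL_ON_DEV_TAG = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
   "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}}}]}""")

# Constructed ARNs for the sample requests (placeholder account and resource IDs).
INSTANCE = "arn:aws:ec2:ap-south-1:123456789012:instance/i-0abc123"
SG = "arn:aws:ec2:ap-south-1:123456789012:security-group/sg-0abc123"


def _as_list(value):
    """Statement, Action, Resource and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringEquals is modelled; a key missing from the request context fails the test."""
    ctx = {k.lower(): v for k, v in context.items()}  # condition key names are case-insensitive
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in tests.items():
            if ctx.get(key.lower()) not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one request."""
    context = context or {}
    decision = "implicitDeny"  # nothing matched yet: denied by default
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # one matching Deny ends evaluation, whatever else allows
            decision = "allowed"
    return decision


def demo():
    """Decisions for constructed requests against the policies above, keyed by what each checks."""
    return {
        # Activity 1: the Deny wins even though the second policy allows the call.
        "deny_beats_allow": evaluate([DENY_ALL, EC2_READ_SG_WRITE], "ec2:DescribeInstances", INSTANCE),
        # Activity 2: reads and ingress rules work, launching instances does not ...
        "a2_describe": evaluate([EC2_READ_SG_WRITE], "ec2:DescribeInstances", INSTANCE),
        "a2_ingress": evaluate([EC2_READ_SG_WRITE], "ec2:AuthorizeSecurityGroupIngress", SG),
        "a2_run": evaluate([EC2_READ_SG_WRITE], "ec2:RunInstances", INSTANCE),
        # ... and neither do egress rules, which the statement in the notes does not list.
        "a2_egress": evaluate([EC2_READ_SG_WRITE], "ec2:AuthorizeSecurityGroupEgress", SG),
        # Activity 3: the region condition gates writes; reads stay global.
        "a3_run_mumbai": evaluate([EC2_FULL_IN_MUMBAI], "ec2:RunInstances", INSTANCE,
                                  {"aws:RequestedRegion": "ap-south-1"}),
        "a3_run_virginia": evaluate([EC2_FULL_IN_MUMBAI], "ec2:RunInstances", INSTANCE,
                                    {"aws:RequestedRegion": "us-east-1"}),
        "a3_describe_virginia": evaluate([EC2_FULL_IN_MUMBAI], "ec2:DescribeInstances", INSTANCE,
                                         {"aws:RequestedRegion": "us-east-1"}),
        # Exercise: tag gate. Describe* calls carry no ec2:ResourceTag, so with this policy
        # alone the user cannot even list instances (a separate Describe* statement is needed).
        "ex_stop_dev": evaluate([EC2_FULL_ON_DEV_TAG], "ec2:StopInstances", INSTANCE,
                                {"ec2:ResourceTag/Environment": "Dev"}),
        "ex_stop_prod": evaluate([EC2_FULL_ON_DEV_TAG], "ec2:StopInstances", INSTANCE,
                                 {"ec2:ResourceTag/Environment": "Prod"}),
        "ex_describe": evaluate([EC2_FULL_ON_DEV_TAG], "ec2:DescribeInstances", INSTANCE),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the file to print the decision for each request. The same requests can be replayed against the real engine with `aws iam simulate-custom-policy --policy-input-list ... --action-names ... --resource-arns ... --context-entries ...`, which is the check to do before attaching any of these policies to a user.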

By continuous learner
