Introduction:
Goal:
- To understand the principle of least privilege.
- Understand IAM policies and demonstrate how to create customer managed policies for specific use cases.
Pre-requisites:
- An AWS IAM account (do not use the root account) having:
  - admin privileges
  - access to the AWS Management Console
- Another AWS IAM account without any permissions assigned
- Understanding of AWS identity-based policies
In case you are not familiar with IAM policies or need a quick refresher, please refer to my blog.
Cost:
- None (if you have an AWS free-tier eligible account)
Implementing IAM Policies
- Login to your AWS Management Console and navigate to IAM. This will take you to the IAM dashboard.
- Create the desired policy and attach it to an IAM user or IAM group.
The AWS Management Console allows policy creation in two ways:
i. Using a visual editor
ii. Typing the policy directly in JSON format
In this blog we will be demonstrating both mechanisms.
Scenario 1: Restrict read-only access to a single service
Say we want to grant read-only access to some S3 resources.
The user (or group of users) should be able to list all buckets, but read the objects only in the test S3 buckets.
Let's create an IAM Policy for this, using the visual editor.
1.1 Select S3 from the dropdown.
1.2 From List, select ListBucket.
1.3 Similarly, from the Read options select GetObject and GetBucketLocation.
- GetBucketLocation is required to list the buckets.
- GetObject enables us to read the objects in a bucket.
1.4 Next, we need to specify the resource (in this case the S3 bucket) the GetObject action applies to. We have the option to either enable the action for all S3 buckets available in our account, or limit it to a bucket (or list of buckets).
Note: It is an AWS best practice to follow the principle of least privilege, meaning grant access only where it's needed.
In our demo we will be restricting object read access to buckets whose names start with test.
Scroll back up and, from the List dropdown, select ListAllMyBuckets.
1.5 At the next screen, provide the policy a meaningful name and description.
1.6 Review the policy details and click Create Policy
Well done! You have created your first customer managed policy.
This policy can now be attached to any IAM user or IAM group.
1.7 Let's test if our newly created policy does what it is supposed to do, by attaching it to a test IAM user.
1.8 Login to the AWS Management Console as your test user and navigate to S3.
Hooray! We are able to see some buckets!
Let's see if we are able to view the objects in our test bucket.
Yay! Looking good so far!
Now let's check if we are able to list objects in some other bucket.
Do you think we will be able to do so?
Think for a second, then scroll down to check if you guessed correctly.
We are able to list the objects only in the "test" buckets. Attempting to do so on any other bucket results in an error.
Scenario 2: Restrict access to a particular AWS region
In this scenario we will be restricting the user's access to one specific AWS region, eu-central-1.
2.1 As done in scenario-1, navigate to the IAM dashboard and create a new policy. This time select JSON instead of the visual editor.
2.2 Paste the policy below into the policy editor (delete all the pre-filled content):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        }
    ]
}
2.3 Give the policy a name and create it.
2.4 Attach the policy to an IAM user (or group) and test it.
Note: Make sure that the test IAM user does not have any other permissions or policies attached to it.
If the policy was created correctly, any operation in a region other than eu-central-1 should result in an error.
Scenario 3: Restrict access to a specific service in a particular AWS region
In scenario-3, we will be implementing a stricter version of scenario-2. Here, we restrict access to specific services (EC2 and S3) within eu-central-1. The user won't be able to access any other service or resource except these.
Let's begin!
3.1 You know the drill! Navigate to Policies under the IAM dashboard and start creating the policy in JSON format.
3.2 Paste the policy below into the editor:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "s3:*"
            ],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-central-1"}}
        }
    ]
}
3.3 Give a name and save the policy.
3.4 Attach the policy to an IAM user or group and test the access.
3.4.1 Navigate to the EC2 dashboard in the eu-central-1 region and try launching a new instance.
Now attempt the same in any other AWS region. The launch wizard will not let you select the fields required to create an instance, proving that our IAM policy works!
3.4.2 Change your region to any region other than eu-central-1.
Now navigate to S3 and try viewing the buckets.
Repeat the same in eu-central-1 region. You should be able to view the buckets this time!
3.4.3 Navigate to any service other than S3 and EC2, say RDS.
You will receive an error, since we restricted the access only to S3 and EC2.
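To see why scenario 1 reads only the "test" buckets and scenario 3 blocks RDS even in eu-central-1, here is an added example (not code from the post) that runs both policies through a small, deliberately simplified model of IAM's evaluation: Allow statements, `*`/`?` wildcards, StringEquals conditions and the implicit deny. It is not AWS's engine; the scenario 1 JSON is my assumed rendering of the visual-editor choices, and the bucket ARNs are constructed for the demo.

```python
import re

# Simplified local model of identity-based policy evaluation (added illustration,
# not AWS's engine): ignores Deny, NotAction, resource policies and all
# condition operators other than StringEquals.

def _match(pattern, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement covers action + resource and its conditions hold."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # action names are case-insensitive; resource ARNs are not
        if not any(_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # a StringEquals on a key absent from the request context evaluates to false
        if all(context.get(k) in _as_list(v) for k, v in cond.items()):
            return True
    return False  # implicit deny: nothing granted the request

# Scenario 1 written out as JSON (assumed rendering of the visual-editor choices;
# bucket name prefix "test" as in the post).
SCENARIO_1 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::test*", "arn:aws:s3:::test*/*"]},
    ],
}

# Scenario 3 exactly as given in the post.
SCENARIO_3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*",
                   "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-central-1"}}}],
}
```

The real engine additionally applies explicit Deny statements, and for global services such as IAM it evaluates aws:RequestedRegion as us-east-1, so the scenario 2 and 3 policies grant nothing on those services.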
Conclusion:
We have covered three scenarios in this blog. This is just the tip of the iceberg! IAM policies play a crucial role in any well-architected and well-implemented cloud solution.
Let your imagination run wild and explore the power of IAM policies in your own account!
Don't forget to clean up any resources that you may have spun up to test the policies! The IAM policies themselves are not chargeable, so you need not delete them.
I hope this blog has been helpful in igniting your interest in Cloud IAM! Do leave your feedback in the comment section.
Happy Learning!
Top comments (1)
Nicely Explained Article