AWS IAM POLICY USE CASE

Use Case 1 – Give a subordinate permission to create and manage new users through the IAM console, but only within a company permissions boundary, so that every new user is bound by company policy as well

Suppose

  • Mark is the admin of his project's AWS account.
  • Mark wants to delegate user creation to his subordinate, Bala.
  • However, Mark must ensure that Bala creates users that adhere to the following company rules:

    A. Users cannot use IAM to create or manage users, groups, roles, or policies.
    B. Users are denied access to the Amazon EC2 instance i-065caaf36a17d5dc4, a VM running in the AWS account.
    C. Users cannot remove their own permissions boundary.
    D. Users are denied access to the confidential Amazon S3 buckets (the bucket names are democonfidential and project-mark-logs).

    To enforce these rules, Mark completes the following tasks, with details below:

    1. Mark creates the Mark_project_Boundaries managed policy to use as a permissions boundary for all new users in the account. A permissions boundary caps the maximum permissions a user can have: whatever a user's own permissions policies grant, the effective permissions are the intersection of those policies with the boundary, and an explicit Deny in the boundary always applies.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ServiceBoundaries",
          "Effect": "Allow",
          "Action": [
            "s3:*",
            "cloudwatch:*",
            "ec2:*"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowIAMConsoleForCredentials",
          "Effect": "Allow",
          "Action": [
            "iam:ListUsers",
            "iam:GetAccountPasswordPolicy"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowManageOwnPasswordAndAccessKeys",
          "Effect": "Allow",
          "Action": [
            "iam:*AccessKey*",
            "iam:ChangePassword",
            "iam:GetUser",
            "iam:*ServiceSpecificCredential*",
            "iam:*SigningCertificate*"
          ],
          "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
          "Sid": "DenyS3Logs",
          "Effect": "Deny",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::project-mark-logs",
            "arn:aws:s3:::project-mark-logs/*",
            "arn:aws:s3:::democonfidential",
            "arn:aws:s3:::democonfidential/*"
          ]
        },
        {
          "Sid": "DenyEC2Production",
          "Effect": "Deny",
          "Action": "ec2:*",
          "Resource": "arn:aws:ec2:*:*:instance/i-065caaf36a17d5dc4"
        }
      ]
    }

    2. Mark creates the DelegatedUserBoundary managed policy and assigns it as the permissions boundary for Bala. The CreateOrChangeOnlyWithBoundary statement is the key control: Bala may create a user, or attach or detach policies on one, only when the request's iam:PermissionsBoundary condition key equals the ARN of Mark_project_Boundaries. The two Deny statements stop Bala from editing either boundary policy and from removing the boundary from any user.

    Note that CloudWatchAndOtherIAMTasks uses "Resource": "*", so Bala can also create access keys or login profiles for, or delete, any existing user, including an administrator such as Mark. If that is not intended, narrow that statement, for example with a NotResource listing the administrators' user ARNs or by confining delegated users to their own IAM path.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CreateOrChangeOnlyWithBoundary",
          "Effect": "Allow",
          "Action": [
            "iam:CreateUser",
            "iam:DeleteUserPolicy",
            "iam:AttachUserPolicy",
            "iam:DetachUserPolicy",
            "iam:PutUserPermissionsBoundary"
          ],
          "Resource": "*",
          "Condition": {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::517496952470:policy/Mark_project_Boundaries"}}
        },
        {
          "Sid": "CloudWatchAndOtherIAMTasks",
          "Effect": "Allow",
          "Action": [
            "cloudwatch:*",
            "iam:GetUser",
            "iam:ListUsers",
            "iam:DeleteUser",
            "iam:UpdateUser",
            "iam:CreateAccessKey",
            "iam:CreateLoginProfile",
            "iam:GetAccountPasswordPolicy",
            "iam:GetLoginProfile",
            "iam:*Group*",
            "iam:CreatePolicy",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetUserPolicy",
            "iam:GetRolePolicy",
            "iam:ListPolicies",
            "iam:ListPolicyVersions",
            "iam:ListEntitiesForPolicy",
            "iam:ListUserPolicies",
            "iam:ListAttachedUserPolicies",
            "iam:ListRolePolicies",
            "iam:ListAttachedRolePolicies",
            "iam:PutUserPolicy",
            "iam:SetDefaultPolicyVersion",
            "iam:SimulatePrincipalPolicy",
            "iam:SimulateCustomPolicy"
          ],
          "Resource": "*"
        },
        {
          "Sid": "NoBoundaryPolicyEdit",
          "Effect": "Deny",
          "Action": [
            "iam:CreatePolicyVersion",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion",
            "iam:SetDefaultPolicyVersion"
          ],
          "Resource": [
            "arn:aws:iam::517496952470:policy/Mark_project_Boundaries",
            "arn:aws:iam::517496952470:policy/DelegatedUserBoundary"
          ]
        },
        {
          "Sid": "NoBoundaryUserDelete",
          "Effect": "Deny",
          "Action": "iam:DeleteUserPermissionsBoundary",
          "Resource": "*"
        }
      ]
    }

    3. Mark creates the DelegatedUserPermissions managed policy and attaches it as a permissions policy for Bala.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "IAM",
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        },
        {
          "Sid": "CloudWatchLimited",
          "Effect": "Allow",
          "Action": [
            "cloudwatch:GetDashboard",
            "cloudwatch:GetMetricData",
            "cloudwatch:ListDashboards",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:ListMetrics"
          ],
          "Resource": "*"
        },
        {
          "Sid": "S3BucketContents",
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": [
            "arn:aws:s3:::project-mark-logs",
            "arn:aws:s3:::project-mark-logs/*",
            "arn:aws:s3:::kprodemotest",
            "arn:aws:s3:::kprodemotest/*"
          ]
        }
      ]
    }

    4. Mark informs Bala about his new responsibilities and limitations.

    Bala can now create users, but a CreateUser call succeeds only if the Mark_project_Boundaries policy is set as the new user's permissions boundary: the CreateOrChangeOnlyWithBoundary statement in Bala's own boundary allows iam:CreateUser only when the iam:PermissionsBoundary condition key in the request equals that policy's ARN.

    If Bala omits the permissions boundary, or attaches a different one, no statement in his boundary allows the call, the request is implicitly denied, and the user is not created.

    Use Case 2 – Limit each user to their own folder under home in a shared S3 bucket

    1. I have created a bucket named project-kpro and inside it a folder named home.
    2. Now I create a user karthik through IAM and a folder with the same name inside the bucket (project-kpro/home/karthik).
    3. Step 2 is repeated for another user, RAM.
    4. I create the policy user3bucket and attach it to every new user (in my case to karthik and RAM).
    5. RAM and karthik now have access only to their own folders (project-kpro/home/RAM and project-kpro/home/karthik respectively) to upload, list and delete files. The ${aws:username} policy variable is replaced with the calling user's name at evaluation time, so a single policy serves every user.

    ==> user3bucket Policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::project-kpro",
          "Condition": {
            "StringLike": {
              "s3:prefix": [
                "",
                "home/",
                "home/${aws:username}/"
              ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::project-kpro/home/${aws:username}",
            "arn:aws:s3:::project-kpro/home/${aws:username}/*"
          ]
        }
      ]
    }

    If a user name contains capital letters, the folder under home must be created with exactly the same capitalisation: ${aws:username} is substituted as-is and S3 object keys are case-sensitive, so a user Karthik would not match a folder named karthik.

    Use Case 3 – Limit users to launching EC2 instances of certain instance types only (for example t2.micro and t2.small)

    1. I have an AWS account in which the project head, Mark, runs EC2 instances.
    2. Apart from Mark, the other users of this account should only have the right to manage those EC2 instances.
    3. Users should not launch new instances freely, because that impacts cost.
    4. But users may launch t2.micro and t2.small instances only, so they can do their small tests at minimal cost.

    So we create a policy EC2_instance_type_access and assign it to the users. Change '517496952470' to your own account ID. The first statement allows every EC2 action; the second is an explicit Deny on ec2:RunInstances for the instance resource whenever ec2:InstanceType is anything other than t2.micro or t2.small, and an explicit Deny always overrides an Allow. Note that the Allow is not limited to Mark's existing instances: it also lets users stop, terminate or modify any instance in the account, so narrow it (for example with a tag condition as in Use Case 4) if "manage" is meant to be more restrictive.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": "arn:aws:ec2:*:517496952470:instance/*",
          "Condition": {
            "StringNotLikeIfExists": {
              "ec2:InstanceType": ["t2.micro", "t2.small"]
            }
          }
        }
      ]
    }

    Use Case 4 – Tag-based access control for EC2 instances launched with a tag

    1. Suppose you launch an instance with the tag Project=DataWarehouse.
    2. Now you want to give users access to this instance.
    3. So you create a policy that grants access to every EC2 instance tagged Project=DataWarehouse.
    4. Assign that policy to the users; whenever a new EC2 instance is launched with the same tag Project=DataWarehouse, the users automatically get access to it.

    To achieve this:

    1. Create a policy Tagbased_EC2Instance_access that grants access to all instances tagged Project=DataWarehouse.
    2. First attach the AWS managed policy AmazonEC2ReadOnlyAccess to every user who is to receive Tagbased_EC2Instance_access. The ec2:ResourceTag condition key is only evaluated for actions on tagged resources; the Describe* calls the console needs to list instances do not support it, so read access has to be granted separately.
    3. Then attach Tagbased_EC2Instance_access to all users who need access to the data warehouse EC2 instances.
    4. Then launch a new EC2 instance with the tag Project=DataWarehouse and check that it appears in the users' dashboard and that they can stop and start it.

    As written, the statement allows every EC2 action that supports the ec2:ResourceTag key on the tagged instances, including terminating them; if start and stop are all that is intended, list ec2:StartInstances and ec2:StopInstances as the Action instead of ec2:*.

    —> Tagbased_EC2Instance_access

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "StartStopIfTags",
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/Project": "DataWarehouse"
            }
          }
        }
      ]
    }

    Use Case 5 – Restrict users of a particular project to using or launching services in a specific region only

    This use case depends entirely on which services you want to give your users access to in that region.

    So I have taken a common example to which you can add your own service names and resources as conditions. If you want help with your own use case, ask in the comment box.

    Suppose I have a project in which all services have to run in the EU (London) region only.

    I have to give the project manager or project admin access to all services, but in such a way that they can launch any service in the EU (London) region only.

    I have created the admin_London_region managed policy and assigned it to that user. The user then acts as an admin, but only for the EU (London) region, eu-west-2.

    One caveat: aws:RequestedRegion is checked on every request, and for global services such as IAM, STS, Route 53 and CloudFront the request is treated as made in us-east-1, so this policy as written also blocks those services. If the user needs them, exclude them from the region-conditioned statement with NotAction and allow them in a separate statement.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*",
          "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-2"}}
        }
      ]
    }
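    To see how IAM actually decides the requests described in use cases 1, 2, 3 and 5 without an AWS account, here is an added example written for this page; it is not part of the original post and not AWS tooling. It is a small Python evaluator that applies the IAM decision rules (action and resource wildcard matching, ${aws:username} substitution, the String* condition operators including the ...IfExists suffix, explicit Deny overriding Allow, and the permissions-boundary rule that a request needs an Allow from both the boundary and the permissions policy) to trimmed copies of the page's policies. The account ID 517496952470 is the one used on the page; the trimmed policies, the ADMIN policy given to the new user and every request context are constructed for the demonstration. It does not model NotAction/NotResource, resource-based policies or non-String operators; for an authoritative answer run aws iam simulate-custom-policy with the same context keys.

```python
"""Offline mini-evaluator for this page's IAM policies (added example, not AWS code). Models wildcards,
${aws:username} variables, String* operators incl. ...IfExists, explicit-deny-wins and permissions boundaries."""
import fnmatch

ACCOUNT = "517496952470"  # account ID used on the page
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/Mark_project_Boundaries"

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _matches(pattern, value):
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))  # IAM wildcards are only * and ?

def _substitute(text, ctx):
    for key, val in ctx.items():  # fill ${aws:username}-style variables from the request context
        text = text.replace("${" + key + "}", val)
    return text

def _condition_ok(cond, ctx):
    for op, pairs in cond.items():
        if_exists = op.endswith("IfExists")
        base = op[:-len("IfExists")] if if_exists else op
        negate, like = base.startswith("StringNot"), base.endswith("Like")
        for key, wanted in pairs.items():
            if key not in ctx:  # absent key: an ...IfExists clause holds, a plain clause fails
                if if_exists:
                    continue
                return False
            hit = any(_matches(_substitute(v, ctx), ctx[key]) if like
                      else _substitute(v, ctx) == ctx[key] for v in _as_list(wanted))
            if hit == negate:  # String* needs a match, StringNot* needs none
                return False
    return True

def _applies(stmt, action, resource, ctx):
    act_ok = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
    res_ok = any(_matches(_substitute(r, ctx), resource) for r in _as_list(stmt["Resource"]))
    return act_ok and res_ok and _condition_ok(stmt.get("Condition", {}), ctx)

def evaluate(policy, action, resource, ctx=None):
    """One identity policy: 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    ctx, decision = ctx or {}, "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision

def effective(boundary, permissions, action, resource, ctx=None):
    """Permissions-boundary rule: allowed only if BOTH policies allow; a Deny in either wins."""
    b, p = (evaluate(pol, action, resource, ctx) for pol in (boundary, permissions))
    return "Deny" if "Deny" in (b, p) else "Allow" if b == p == "Allow" else "ImplicitDeny"

def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Trimmed copies of the page's policies: only the statements exercised below.
MARK_PROJECT_BOUNDARIES = _policy(
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*", "ec2:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": ["arn:aws:s3:::democonfidential", "arn:aws:s3:::democonfidential/*"]})
DELEGATED_USER_BOUNDARY = _policy({"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*",
    "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}})
DELEGATED_USER_PERMISSIONS = _policy({"Effect": "Allow", "Action": "iam:*", "Resource": "*"})
ADMIN = _policy({"Effect": "Allow", "Action": "*", "Resource": "*"})  # constructed: a new user's own policy
USER3BUCKET = _policy({"Effect": "Allow", "Action": "s3:*", "Resource": [
    "arn:aws:s3:::project-kpro/home/${aws:username}", "arn:aws:s3:::project-kpro/home/${aws:username}/*"]})
EC2_INSTANCE_TYPE_ACCESS = _policy(
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": f"arn:aws:ec2:*:{ACCOUNT}:instance/*",
     "Condition": {"StringNotLikeIfExists": {"ec2:InstanceType": ["t2.micro", "t2.small"]}}})
ADMIN_LONDON_REGION = _policy({"Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-2"}}})

def run_checks():
    """Decisions for constructed requests covering use cases 1, 2, 3 and 5."""
    new_user = f"arn:aws:iam::{ACCOUNT}:user/newuser"
    obj = "arn:aws:s3:::project-kpro/home/karthik/a.txt"
    launch = f"arn:aws:ec2:eu-west-2:{ACCOUNT}:instance/*"  # ARN form RunInstances is checked against
    bala = (DELEGATED_USER_BOUNDARY, DELEGATED_USER_PERMISSIONS, "iam:CreateUser", new_user)
    return {
        # Use case 1: Bala's CreateUser succeeds only with the mandated boundary attached ...
        "bala_with_boundary": effective(*bala, {"iam:PermissionsBoundary": BOUNDARY_ARN}),
        "bala_without_boundary": effective(*bala),
        # ... and a new user stays inside the boundary even with an admin permissions policy.
        "newuser_iam": effective(MARK_PROJECT_BOUNDARIES, ADMIN, "iam:CreateUser", new_user),
        "newuser_confidential": effective(MARK_PROJECT_BOUNDARIES, ADMIN, "s3:GetObject", "arn:aws:s3:::democonfidential/x"),
        "newuser_other_bucket": effective(MARK_PROJECT_BOUNDARIES, ADMIN, "s3:GetObject", "arn:aws:s3:::kprodemotest/x"),
        # Use case 2: ${aws:username} pins each user to home/<username>, case-sensitively.
        "karthik_own_folder": evaluate(USER3BUCKET, "s3:PutObject", obj, {"aws:username": "karthik"}),
        "ram_in_karthik_folder": evaluate(USER3BUCKET, "s3:PutObject", obj, {"aws:username": "RAM"}),
        "Karthik_case_mismatch": evaluate(USER3BUCKET, "s3:PutObject", obj, {"aws:username": "Karthik"}),
        # Use case 3: the Deny fires for every instance type except t2.micro/t2.small.
        "run_t2_micro": evaluate(EC2_INSTANCE_TYPE_ACCESS, "ec2:RunInstances", launch, {"ec2:InstanceType": "t2.micro"}),
        "run_m5_large": evaluate(EC2_INSTANCE_TYPE_ACCESS, "ec2:RunInstances", launch, {"ec2:InstanceType": "m5.large"}),
        # Use case 5: only eu-west-2 passes; global services report us-east-1 and are blocked too.
        "london_s3": evaluate(ADMIN_LONDON_REGION, "s3:CreateBucket", "*", {"aws:RequestedRegion": "eu-west-2"}),
        "iam_global": evaluate(ADMIN_LONDON_REGION, "iam:ListUsers", "*", {"aws:RequestedRegion": "us-east-1"}),
    }
```

    run_checks() returns one decision per scenario: the ImplicitDeny for bala_without_boundary is the failed CreateUser of use case 1, newuser_confidential shows the boundary's Deny beating the new user's own Allow, Karthik_case_mismatch is the capitalisation warning of use case 2, run_m5_large is the cost control of use case 3, and iam_global is why an "admin for one region" policy of the use case 5 kind needs a separate statement for global services.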
