It is possible to allow pulling from but not pushing to the Docker API VPC Endpoint (com.amazonaws.<region>.ecr.dkr) in its attached policy?
I can't find a reference for any supported actions other than "*", is there a way to specify pull only? Or something via a condition?
Yes, you can achieve this with a VPC endpoint policy.
Here's an example from the documentation. This policy enables a specific IAM role to pull images from Amazon ECR:
{
"Statement": [{
"Sid": "AllowPull",
"Principal": {
"AWS": "arn:aws:iam::1234567890:role/role_name"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken"
],
"Effect": "Allow",
"Resource": "*"
}]
}
In AWS Console, add security groups that your instances (maybe all possible security groups) are using to the VPC endpoints.
Related
Iam creating a role and trying to attach an was managed policy for transit gateway full access.
But I am not able to find any policy with transit gateway.
There is no such AWS managed policy. So you can create your own customer managed policy. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullTransitGatewayPermissions",
"Effect": "Allow",
"Action": [
"ec2:*TransitGateway*"
],
"Resource": "*"
}
]
}
Depending on exactly what you need, you can add more permissions or be more selective.
When deploying a lambda function to a VPC you're required to grant a bunch of network interface related permissions to lambda's execution role. AWS manuals advice to use AWSLambdaVPCAccessExecutionRole managed policy for this, which looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:AssignPrivateIpAddresses",
"ec2:UnassignPrivateIpAddresses"
],
"Resource": "*"
}
]
}
As one can see, this policy doesn't restrict network interfaces that the lambda can modify, thus potentially allowing it to mess with networking outside its own VPC. I'd like to limit the actions that the lambda can do to the VPC or subnets that it's actually deployed into. However, so far I failed to come with a working policy for that.
I tried to check the VPC in the policy like this:
"Condition": {"StringEquals": {"ec2:Vpc": "${my_vpc_arn}" }}
but still got permission denied.
CloudTrail event contains the following authorization message) decoded with aws sts decode-authorization-message): https://pastebin.com/P9t3QWEY where I can't see any useful keys to check.
So is it possible to restrict a VPC-deployed lambda to only modify particular network interfaces?
You can't restrict the policy to individual NIs, as you don't know their ids until after you create them. But you should be able to restrict access to a specific VPC using the following lambda execution policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AccessToSpecificVPC",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:UnassignPrivateIpAddresses",
"ec2:AssignPrivateIpAddresses",
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*",
"Condition": {
"ArnLikeIfExists": {
"ec2:Vpc": "arn:aws:ec2:<your-region>:<your-account-id>:vpc/<vpc-id>"
}
}
},
{
"Sid": "CWLogsPermissions",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
The Lambda Service needs to be able to create and remove network interfaces in your VPC. That's because a shared ENI will be deployed in the VPC. Once all execution contexts are terminated this shared ENI will be removed again. This also explains why the describe permissions are needed, because the service probably needs to figure out if a shared ENI is already deployed for the specific lambda function.
Unfortunately that means you can't restrict the delete/modify operations to any particular ENIs as those are created and removed dynamically.
According to the documentation the specific permissions the Role needs are:
ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:DeleteNetworkInterface
I checked the documentation and the Create + Delete actions allow (among others) the following conditions:
ec2:Subnet
ec2:Vpc
This means it should be possible. Maybe separating the ec2:* permissions into their own statement with the aforementioned conditions could help you.
We have a Lambda function on aws which is exposed via api gateway.
On that api, we have a resource policy to restrict traffic so only ip addresses in our firm can access the endpoint.
For this, we use the standard ip range blacklist template as provided by AWS on the api gateway resource policy page and modify it to use NotIpAddress instead of IpAddress- for example
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "execute-api:/stage/*/getInfo",
"Condition" : {
"NotIpAddress": {
"aws:SourceIp": [ "192.188.1.1", "192.168.1.2" ]
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "execute-api:/stage/*/getInfo"
}
]
}
We now have a requirement to develop another lambda which makes a http call to this API Gateway to gather some information before performing more logic. We want to use this existing lambda as it performs some complex logic.
However, when we try to do a http get in the new lambda to the API Gateway of the existing lambda to get the required information, it is denied as per the deny rule in the resource policy
Is it possible to have an IPAddress restriction and allow invocations from all lambdas in our AWS account?
If the Lambda is based within your VPC in a private subnet its IP address(es) can be bound to the NAT Gateway/NAT instance.
I have an S3 bucket that acts as a static website and I am using API Gateway to distribute traffic to it. I understand CloudFront is a better option here, but please do not suggest it. It is not an option, due to reasons I won't go into.
I am accomplishing my solution by configuring a {proxy+} resource. Image below:
I would like to only allow access to the S3 website from the API Gateway proxy resource. Is there a way I can provide an execution role to the proxy resource, similarly to how you can provide an execution role to a resource to runs a lambda function? Lambda execution role example below:
The integration request portion of the proxy resource doesn't seem to have an execution role:
Or is there a way I can assign a role to the entire API Gateway to provide it the right to access the S3 bucket?
Other things I have tried:
Editing the bucket policy to only allow traffic from the API gateway service:
{
"Version": "2012-10-17",
"Id": "apiGatewayOnly",
"Statement": [
{
"Sid": "apiGW",
"Effect": "Allow",
"Principal": {
"Service": ["api-gateway-amazonaws.com"]
},
"Action": "s3:GetObject",
"Resource": "http://test-proxy-bucket-01.s3-website.us-east-2.amazonaws.com/*"
}
]
}
Editing the bucket policy to only allow traffic from API Gateway's URL:
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": "",
"Action": "s3:GetObject",
"Resource": "http://test-proxy-bucket-01.s3-website.us-east-2.amazonaws.com/",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://xxxxxxx.execute-api.us-east-2.amazonaws.com/prod/",
"http://xxxxxxxx.execute-api.us-east-2.amazonaws.com/prod"
]
}
}
}
]
}
Create a private S3 bucket
Create an IAM role that can access the bucket. Set the trusted entity/principal who can assume this role to apigateway.amazonaws.com
Use AWS service integration type and select s3. Set the execution role to the role created in 2
Refer to docs for more details.
I am working on Amazon web services. Designing the custom IAM policies.
I have a user which have restricted access on the instances like he can start,stop the instances. Similarly i want to restrict the user to attach,delete specific volumes.
I have created this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": ["ec2:DescribeInstances","ec2:DescribeInstanceStatus","ec2:DescribeVolumeAttribute","ec2:DescribeVolumeStatus","ec2:DescribeVolumes"], ,
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:us-west-2:AccountID:instance/instanceID",
"Resource": "arn:aws:ec2:us-west-2:AccountID:instance/instanceID",
"Resource": "arn:aws:ec2:us-west-2:AccountID:instance/instanceID",
"Resource": "arn:aws:ec2:us-east-1:123456789012:volume/volID",
"Resource": "arn:aws:ec2:us-east-1:123456789012:volume/volID",
"Resource": "arn:aws:ec2:us-east-1:123456789012:volume/volID"
}
]
}
when I apply this policy it does not show me any volumes.
I get an error:
error fetching the volume details.
Any lead is appreciated
Thanks
Update
The best way to test/debug IAM policies is by means of the fantastic IAM Policy Simulator (see Using the IAM Policy Simulator for the actual link and instructions). With its help, the solution below can easily be verified to be working correctly.
I recommend to add a dedicated test user to your account with no policies attached (i.e. implicit Deny All) and then using the Mode: New Policy to assemble and simulate the policy in question, e.g. for the use case at hand:
use two volumes and allow one via the policy, then simulate the policy with both resources, one will yield denied and the other allowed for AttachVolume and DetachVolume
Once satisfied, you can apply the assembled policy to the entities in your account and recheck via Mode: Existing Policies.
Initial Answer
I wonder how you have been able to apply this IAM policy, insofar it is syntactically invalid JSON (the Action field within the first Statement lacks any value)?
The syntax error aside, that's also the source of your problem:
As indicated by TheseActionsDontSupportResourceLevelPermissions, a few EC2 API actions do not support the comparatively new Resource-Level Permissions for EC2 and RDS Resources yet, see this note from Amazon Resource Names for Amazon EC2:
Important Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional
Amazon EC2 resources later. For information about which ARNs you can
use with which Amazon EC2 API actions, as well as supported condition
keys for each ARN, see Supported Resources and Conditions for Amazon
EC2 API Actions.
You will find that all ec2:Describe* actions are indeed absent still from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing. This also includes the ec2:DescribeVolume* actions, which is why you receive the error.
Fixing the first statement as outlined below should remedy the issue:
{
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Action": [
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:<region>:<account number>:volume/<volume id>"
}
]
}