I want to create an IAM role with a read-only policy (arn:aws:iam::aws:policy/ReadOnlyAccess).
In order to prevent access to all objects in all buckets, I added a Deny section in the CloudFormation template:
ReadOnlyAccessRole:
  Type: AWS::IAM::Role
  Properties:
    Path: /
    RoleName: read-only-role
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Ref AwsAccount
          Action: sts:AssumeRole
        - Effect: Deny
          Sid: DenyS3GetObject
          Action: s3:GetObject
          Resource: "arn:aws:s3:::/*"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/ReadOnlyAccess"
I get a "MalformedPolicyDocument" error in the Deny section (Resource).
I already tested these options:
Resource: "*"
Resource: "arn:aws:s3:::/*"
Resource: "arn:aws:s3:::prefix-bucket*"
Do you have any idea about this syntax error?
EDIT:
Error from CloudFormation:
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: ......; Proxy: null)
You seem to be missing the Policies section.
Try something like this:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyTestRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: read-only-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref AwsAccount
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Deny
                Action: s3:GetObject
                Resource: '*'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
In AWS CloudFormation, I have a user-defined condition and a bucket policy being deployed:
Conditions:
  NotProd:
    !Not [!Equals [!Ref Environment, production]]
...
BucketPolicy:
  Type: AWS::S3::BucketPolicy
  Condition: NotProd
  Properties:
    Bucket: !Ref Bucket
    PolicyDocument:
      Statement:
        - Action:
            - s3:getObject
          Effect: Allow
          Principal:
            AWS: '*'
          Resource: '*'
        - Action:
            - s3:getBucketLocation
          Effect: Allow
          Principal:
            AWS: '*'
          Resource: '*'
The above configuration has no problems, but when I try to add the condition such that the s3:getBucketLocation permission is only added if we're not in production, as follows:
BucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref Bucket
    PolicyDocument:
      Statement:
        - Action:
            - s3:getObject
          Effect: Allow
          Principal:
            AWS: '*'
          Resource: '*'
        - Action:
            - s3:getBucketLocation
          Effect: Allow
          Principal:
            AWS: '*'
          Resource: '*'
          Condition: NotProd
then I get an error saying "Condition NotProd not used". Is there any way I can somehow achieve my desired result of only adding s3:getBucketLocation when not in production, without doing something like creating a separate bucket policy without the s3:getBucketLocation permission?
You have to use If:
BucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref Bucket
    PolicyDocument:
      Statement:
        - Action:
            - s3:getObject
          Effect: Allow
          Principal:
            AWS: '*'
          Resource: '*'
        - !If
          - NotProd
          - Action:
              - s3:getBucketLocation
            Effect: Allow
            Principal:
              AWS: '*'
            Resource: '*'
          - !Ref "AWS::NoValue"
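The resolution the answer relies on, as an added example that is not part of the original answer: a small Python model of how CloudFormation evaluates the Conditions section and then applies Fn::If, dropping a list item that resolves to AWS::NoValue. Intrinsics are written in their long JSON form (!If, !Not, !Equals and !Ref are the same functions). The template dict is constructed to mirror the answer's bucket policy, and the Environment parameter values used to drive it are assumptions.

```python
"""Evaluate CloudFormation Conditions and Fn::If / AWS::NoValue offline.

Added example, not code from the original post: a small model of how
CloudFormation resolves the !If in the bucket policy above. Intrinsics are
written in their long JSON form (!If, !Not, !Equals, !Ref are the same).
"""
from typing import Any

_DROP = object()  # marker: this value resolved to AWS::NoValue and is removed


def _value(expr: Any, params: dict) -> Any:
    """Resolve {"Ref": <parameter>} to the parameter value; literals pass through."""
    if isinstance(expr, dict) and set(expr) == {"Ref"}:
        return params[expr["Ref"]]
    return expr


def evaluate_condition(expr: Any, params: dict, conditions: dict) -> bool:
    """Evaluate a Conditions-section expression (or a condition name) to a bool."""
    if isinstance(expr, bool):
        return expr
    if isinstance(expr, str):  # a bare condition name, e.g. "NotProd"
        return evaluate_condition(conditions[expr], params, conditions)
    (fn, arg), = expr.items()
    if fn == "Condition":
        return evaluate_condition(conditions[arg], params, conditions)
    if fn == "Fn::Equals":
        return _value(arg[0], params) == _value(arg[1], params)
    if fn == "Fn::Not":
        return not evaluate_condition(arg[0], params, conditions)
    if fn == "Fn::And":
        return all(evaluate_condition(a, params, conditions) for a in arg)
    if fn == "Fn::Or":
        return any(evaluate_condition(a, params, conditions) for a in arg)
    raise ValueError(f"unsupported function in condition: {fn}")


def resolve(node: Any, truth: dict) -> Any:
    """Apply Fn::If with evaluated conditions and prune AWS::NoValue entries.

    A list item that resolves to AWS::NoValue disappears from the list and a
    mapping key whose value does so is removed, which is what lets the second
    statement be omitted in production.
    """
    if node == {"Ref": "AWS::NoValue"}:
        return _DROP
    if isinstance(node, dict):
        if set(node) == {"Fn::If"}:
            name, if_true, if_false = node["Fn::If"]
            return resolve(if_true if truth[name] else if_false, truth)
        resolved = {k: resolve(v, truth) for k, v in node.items()}
        return {k: v for k, v in resolved.items() if v is not _DROP}
    if isinstance(node, list):
        return [v for v in (resolve(item, truth) for item in node) if v is not _DROP]
    return node


# Constructed template fragment mirroring the answer (Environment is a parameter).
TEMPLATE = {
    "Conditions": {
        "NotProd": {"Fn::Not": [{"Fn::Equals": [{"Ref": "Environment"}, "production"]}]},
    },
    "Resources": {
        "BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "Bucket"},
                "PolicyDocument": {"Statement": [
                    {"Action": ["s3:getObject"], "Effect": "Allow",
                     "Principal": {"AWS": "*"}, "Resource": "*"},
                    {"Fn::If": ["NotProd",
                                {"Action": ["s3:getBucketLocation"], "Effect": "Allow",
                                 "Principal": {"AWS": "*"}, "Resource": "*"},
                                {"Ref": "AWS::NoValue"}]},
                ]},
            },
        },
    },
}


def bucket_policy_statements(template: dict, params: dict) -> list:
    """Return the Statement list CloudFormation would submit for these parameters."""
    conds = template.get("Conditions", {})
    truth = {name: evaluate_condition(expr, params, conds) for name, expr in conds.items()}
    resource = resolve(template["Resources"]["BucketPolicy"], truth)
    return resource["Properties"]["PolicyDocument"]["Statement"]


if __name__ == "__main__":
    for env in ("production", "staging"):
        actions = [s["Action"] for s in bucket_policy_statements(TEMPLATE, {"Environment": env})]
        print(f"{env}: {actions}")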
I am trying to create a role with an AWS managed policy using CloudFormation, but I am getting an error:
Cannot attach a Service Role Policy to a Customer Role. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: PolicyNotAttachable). Any help would be appreciated.
code snippet:
AutoscalingRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [application-autoscaling.amazonaws.com]
          Action: ['sts:AssumeRole']
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/aws-service-role/AutoScalingServiceRolePolicy'
ECSRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2008-10-17
      Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service: ecs.amazonaws.com
          Action: 'sts:AssumeRole'
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/aws-service-role/AmazonEC2ContainerServiceRole'
ECSTaskExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [ecs-tasks.amazonaws.com]
          Action: ['sts:AssumeRole']
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy'
It seems you provided the wrong ARN for the managed policy. I looked those up in the AWS console and got:
arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole
Instead of your:
arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy
Just go to the IAM policy panel in the AWS Console and find them one by one; the ARN is provided for each.
I am creating an IAM role in order to send logs from a stack to a Kinesis stream in another stack.
When I add the permission policy, it fails with the error:
"Value of property PolicyDocument must be an object".
This is my cloudformation.template.yml:
KinesisRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [logs.amazonaws.com]
          Action: ['sts:AssumeRole']
    Policies:
      - PolicyName: KinesisPolicy
        PolicyDocument:
          - Version: '2017-10-17'
            Statement:
              - Action: ['kinesis:PutRecord']
                Effect: Allow
                Resource: '*'
Your current PolicyDocument is a list of objects due to the - in front of Version. Also, your Version is wrong. So it should be:
KinesisRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [logs.amazonaws.com]
          Action: ['sts:AssumeRole']
    Policies:
      - PolicyName: KinesisPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action: ['kinesis:PutRecord']
              Effect: Allow
              Resource: '*'
In an AWS CloudFormation template, how do I create a new Lambda role (test_lambda_role)
which has access to s3:getObject and RDS (rds-db:connect)?
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub test_lambda_role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Lambda:
                - !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/${pSamlProviderAdmin}"
            Action:
              - rds-db:connect
The Lambda function is not created with the above template.
AssumeRolePolicyDocument is for a trust policy, as explained in:
Creating a role to delegate permissions to an AWS service
Thus a template with only a Lambda execution role could be:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  testlambdarole:
    Type: String
    Default: role-name
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref testlambdarole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {'Service': ['lambda.amazonaws.com']}
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSLambdaExecute
      Policies:
        - PolicyName: S3Access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - s3:getObject
                Resource: "*"
        - PolicyName: RdsAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - rds-db:connect
                Resource: "*"
You would need to adjust Policies to exactly what you require.
I am trying to create an IAM role via CloudFormation with an existing IAM user as principal and an existing DynamoDB table. I have verified through yamllint that the YAML is well-formatted, and yet CloudFormation is complaining about a malformed file.
Following is my CloudFormation template:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  vTableName:
    Type: String
    Description: the tablename
    Default: arn:aws:dynamodb:ap-southeast-2:1234567:table/test-table
  vUserName:
    Type: String
    Description: New account username
    Default: mytestuser
Resources:
  DynamoRoleForTest:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:aws:iam::${AWS::AccountId}:user/${vUserName}'
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: DynamoPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
              - Action:
                  - dynamodb:BatchGet*
                  - dynamodb:DescribeStream
                  - dynamodb:DescribeTable
                  - dynamodb:Get*
                  - dynamodb:Query
                  - dynamodb:Scan
                Resource: !Ref vTableName
and following is the error I receive when I try to create this template:
Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 237dd218-a2a2-4194-9063-104f8022cb80)
Thanks for any advice.
There is an unneeded - in front of your Action:
- Action:
Therefore, your template should be (with the - removed):
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  vTableName:
    Type: String
    Description: the tablename
    Default: arn:aws:dynamodb:ap-southeast-2:1234567:table/test-table
  vUserName:
    Type: String
    Description: New account username
    Default: mytestuser
Resources:
  DynamoRoleForTest:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Sub 'arn:aws:iam::${AWS::AccountId}:user/${vUserName}'
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: DynamoPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:BatchGet*
                  - dynamodb:DescribeStream
                  - dynamodb:DescribeTable
                  - dynamodb:Get*
                  - dynamodb:Query
                  - dynamodb:Scan
                Resource: !Ref vTableName
Principal is fine, assuming it exists.
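Every IAM rejection on this page (the Resource inside a trust policy in the first question, the PolicyDocument-as-list and wrong Version in the Kinesis question, the aws-service-role/ ARN in the ECS question, and the stray - that splits Effect from Action in the DynamoDB question) is visible in the parsed template before the stack call is made. The following linter, an added example that is not code from any of the posts above, checks for all of them and also warns on Allow statements scoped to Resource '*'. It takes the template as Python data, i.e. what yaml.safe_load would return; the two sample templates are constructed for this example and the account ID and policy names in them are placeholders.

```python
"""Lint AWS::IAM::Role definitions in a parsed CloudFormation template.

Added example, not code from any post above. It catches the errors this
page runs into before IAM rejects the stack: Resource inside a trust
policy ("Has prohibited field Resource"), a PolicyDocument written as a
YAML list ("must be an object"), a bad policy Version, a statement split
by a stray "-" so Effect and Action land in different items, and an
aws-service-role/ policy attached to a customer role (PolicyNotAttachable).
Input is the template as Python data, i.e. what yaml.safe_load returns;
the sample templates are constructed for this example.
"""
from typing import Any

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}


def lint_policy_document(doc: Any, where: str, trust: bool) -> list:
    """Return findings for one trust (trust=True) or permissions policy document."""
    if not isinstance(doc, dict):
        return [f"{where}: PolicyDocument must be a mapping, got {type(doc).__name__} "
                "(a leading '-' before Version turns it into a list)"]
    findings = []
    version = str(doc.get("Version", ""))  # PyYAML may parse an unquoted 2012-10-17 as a date
    if version and version not in VALID_VERSIONS:
        findings.append(f"{where}: unknown policy Version {version!r}")
    stmts = doc.get("Statement", [])
    for i, stmt in enumerate(stmts if isinstance(stmts, list) else [stmts]):
        tag = f"{where} statement[{i}]"
        if not isinstance(stmt, dict):
            findings.append(f"{tag}: statement must be a mapping")
            continue
        keys = set(stmt)
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{tag}: missing or invalid Effect (stray '-' before Action?)")
        if not {"Action", "NotAction"} & keys:
            findings.append(f"{tag}: missing Action (stray '-' before Action?)")
        if trust:
            if {"Resource", "NotResource"} & keys:
                findings.append(f"{tag}: Resource is prohibited in a trust policy; "
                                "a Deny belongs in Policies or a managed policy")
            if not {"Principal", "NotPrincipal"} & keys:
                findings.append(f"{tag}: trust policy statement needs a Principal")
        else:
            if not {"Resource", "NotResource"} & keys:
                findings.append(f"{tag}: missing Resource")
            res = stmt.get("Resource")
            if stmt.get("Effect") == "Allow" and "*" in (res if isinstance(res, list) else [res]):
                findings.append(f"{tag}: warning, Allow on Resource '*' is overly broad")
    return findings


def lint_roles(template: dict) -> list:
    """Lint every AWS::IAM::Role resource in a parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        findings += lint_policy_document(props.get("AssumeRolePolicyDocument"),
                                         f"{name}.AssumeRolePolicyDocument", trust=True)
        for pol in props.get("Policies", []):
            findings += lint_policy_document(pol.get("PolicyDocument"),
                                             f"{name}.Policies[{pol.get('PolicyName')}]", trust=False)
        for arn in props.get("ManagedPolicyArns", []):
            if isinstance(arn, str) and ":policy/aws-service-role/" in arn:
                findings.append(f"{name}: {arn} is a service-linked role policy; "
                                "customer roles need the service-role/ or plain policy/ ARN")
    return findings


# Constructed sample: one role carrying several of the page's mistakes at once.
BROKEN = {"Resources": {"ReadOnlyAccessRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole"},
            {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]},
        "Policies": [{"PolicyName": "KinesisPolicy",  # '- Version:' in YAML gives a list
                      "PolicyDocument": [{"Version": "2017-10-17", "Statement": []}]}],
        "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy"]}}}}

# Constructed sample: the corrected shape, with the Deny moved into an inline policy.
FIXED = {"Resources": {"ReadOnlyAccessRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "DenyS3GetObject", "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]}}],
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}}}}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_roles(tpl) or "no findings")
```

The broken sample produces four findings (the prohibited Resource and the missing Principal on the trust-policy Deny, the list-shaped PolicyDocument, and the service-linked ARN) and the fixed one produces none. Running this over yaml.safe_load output in CI is cheaper than waiting for a failed stack create, and the Resource '*' warning is the one check that IAM itself will never raise for you.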