I have a problem with restricting the access to AWS Elastic Beanstalk to specific environments.
The goal is to create a policy that allows an IAM user to access the complete elastic beanstalk service (including creating new apps and environments), but completely deny access to the production environment in a specific app.
What I've tried is this (mainly copied from here), but apparently it doesn't work: the user with just this policy attached gets access to all of AWS, like the root user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DeleteApplicationVersion"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:<region>:<account id>:environment/<app name>/<environment name>"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeAccountAttributes",
        "elasticbeanstalk:AbortEnvironmentUpdate",
        "elasticbeanstalk:TerminateEnvironment",
        "rds:*",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "autoscaling:*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:DescribeInstancesHealth",
        "elasticbeanstalk:DescribeEnvironmentHealth",
        "sns:*",
        "elasticbeanstalk:RestartAppServer",
        "s3:*",
        "cloudformation:*",
        "elasticloadbalancing:*",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:DescribeEnvironmentManagedActions",
        "elasticbeanstalk:SwapEnvironmentCNAMEs",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:ApplyEnvironmentManagedAction",
        "cloudwatch:*",
        "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:DeleteEnvironmentConfiguration",
        "elasticbeanstalk:UpdateEnvironment",
        "ec2:*",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "sqs:*",
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role",
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-service-role",
        "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:ListPlatformVersions"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:<region>:<account id>:environment/<app name>/<environment name>"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:Describe*"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:*::platform/*",
        "arn:aws:elasticbeanstalk:*:*:environment/*/*",
        "arn:aws:elasticbeanstalk:*:*:application/*",
        "arn:aws:elasticbeanstalk:*::solutionstack/*",
        "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
        "arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:<region>:<account id>:environment/<app name>/<environment name>"
          ]
        }
      }
    }
  ]
}
The page you're referring to is about restricting specific EB applications, not environments.
This doc describes the condition keys for Elastic Beanstalk actions:
InApplication:
Specifies the application that contains the resource that the action operates on.
FromEnvironment:
Specifies an environment as a dependency or a constraint on an input parameter.
... you can see more explanations and examples there.
The bottom line is that changing "elasticbeanstalk:InApplication" to "elasticbeanstalk:FromEnvironment" would work.
I want to create an IAM policy in which the IAM user will not be able to launch any instance other than a t2.micro Ubuntu in the us-east-1 region. I have added the AMI to the IAM policy, but instead of allowing just the Ubuntu AMI, AWS is allowing the IAM user to launch all instances. What might be the problem?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TheseActionsSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
    }
  ]
}
This should point you in the right direction:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnlyT2MicroInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:196687784845:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    },
    {
      "Sid": "OnlyTheUbuntuAmiPlusTheOtherResourcesRunInstancesNeeds",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1::image/ami-0885b1f6bd170450c",
        "arn:aws:ec2:us-east-1:196687784845:subnet/*",
        "arn:aws:ec2:us-east-1:196687784845:security-group/*",
        "arn:aws:ec2:us-east-1:196687784845:network-interface/*",
        "arn:aws:ec2:us-east-1:196687784845:volume/*",
        "arn:aws:ec2:us-east-1:196687784845:key-pair/*"
      ]
    }
  ]
}
I would recommend using Deny rules to disallow launching instances if the wrong instance type or the wrong ami is used. Note that I removed the Sid parameter as it is optional.
An explicit Deny rule will override any Allow rules. That makes it easier to disallow unwanted actions, instead of trying to carve out the allowed action. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
Try the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:196687784845:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": "t2.micro"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1::image/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:ImageID": "ami-0885b1f6bd170450c"
        }
      }
    }
  ]
}
I am trying to use this policy to restrict users from launching any instances into the specified VPC. However, I am still able to launch instances! Why is this policy not working? Obviously, the resource "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>/vpc-xyz" has actual values in my production template.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceActionsForVPC",
      "Effect": "Deny",
      "Action": [
        "ec2:Run*",
        "ec2:Terminate*",
        "ec2:Cancel*",
        "ec2:Create*",
        "ec2:Delete*",
        "ec2:Modify*",
        "ec2:Start*",
        "ec2:Stop*"
      ],
      "Resource": "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:vpc/<VPC-ID>/vpc-xyz"
    },
    {
      "Sid": "DenyInstanceActionsForCStaggedResources",
      "Effect": "Deny",
      "Action": [
        "ec2:Run*",
        "ec2:Terminate*",
        "ec2:Cancel*",
        "ec2:Create*",
        "ec2:Delete*",
        "ec2:Modify*",
        "ec2:Start*",
        "ec2:Stop*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Project": [
            "Cloud Services",
            "MDH",
            "Shine"
          ]
        }
      }
    }
  ]
}
First item: you have no ALLOW in your policy. Therefore you should not be able to do anything. Solve this problem first.
Next modify your first statement to look like this:
{
  "Sid": "DenyInstanceActionsForVPC",
  "Effect": "Deny",
  "Action": [
    "ec2:Run*",
    "ec2:Terminate*",
    "ec2:Cancel*",
    "ec2:Create*",
    "ec2:Delete*",
    "ec2:Modify*",
    "ec2:Start*",
    "ec2:Stop*"
  ],
  "Resource": "arn:aws:ec2:REGION:ACCOUNTNUMBER:subnet/*",
  "Condition": {
    "StringEquals": {
      "ec2:Vpc": "arn:aws:ec2:REGION:ACCOUNTNUMBER:vpc/VPC-ID"
    }
  }
}
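Both EC2 threads above go wrong in the same few ways: an ARN whose resource type and id disagree (instance/ami-..., vpc/<id>/<id>), a policy that carries only Deny statements, a negated operator on Resource "*" inside a Deny (RunInstances is authorized once per resource type it touches, and a type that does not carry the condition key satisfies StringNot* and is denied outright), and ec2:ImageType used where ec2:InstanceType was meant. As an added example, not code from any of the answers and not an AWS tool, here is a small Python checker for those patterns, run over constructed policies that mirror the posted ones; the account id 123456789012 and the VPC id vpc-1234abcd are made up.

```python
"""Static checks for the EC2 policy mistakes discussed above (added example, not AWS tooling).

Findings:
  NO_ALLOW         only Deny statements, so the principal can do nothing at all
  BAD_EC2_ARN      EC2 ARN whose resource type and id disagree (instance/ami-..., vpc/<id>/<id>)
  NEGATED_ON_STAR  Deny with a ...Not... operator on Resource "*": every resource type that
                   lacks the key satisfies the condition and is denied outright
  IMAGETYPE_VALUE  ec2:ImageType compared with an instance size such as t2.micro
"""
import re

_EC2_ARN = re.compile(r"^arn:aws:ec2:[^:]*:[^:]*:([a-z-]+)/(.+)$")
_ID_PREFIX = {"instance": "i-", "image": "ami-", "vpc": "vpc-", "subnet": "subnet-",
              "security-group": "sg-", "volume": "vol-", "network-interface": "eni-"}
_INSTANCE_SIZE = re.compile(r"^[a-z0-9]+\.[a-z0-9]+$")   # t2.micro, m5.large, ...

def _as_list(x):
    return x if isinstance(x, list) else [x]

def lint(policy):
    """Return a list of (code, message) findings for one policy document."""
    findings = []
    stmts = policy.get("Statement", [])
    if not any(s.get("Effect") == "Allow" for s in stmts):
        findings.append(("NO_ALLOW", "no Allow statement: everything is implicitly denied"))
    for i, s in enumerate(stmts):
        sid = s.get("Sid", "statement %d" % i)
        for arn in _as_list(s.get("Resource", s.get("NotResource", []))):
            m = _EC2_ARN.match(arn)
            if not m:
                continue
            rtype, rid = m.groups()
            want = _ID_PREFIX.get(rtype)
            # The id must be '*' or start with the prefix of its own type, with no extra path.
            if want and ("/" in rid or not (rid == "*" or rid.startswith(want))):
                findings.append(("BAD_EC2_ARN", "%s: %s ARN with id '%s' (expected %s... or *)"
                                 % (sid, rtype, rid, want)))
        cond = s.get("Condition", {})
        if s.get("Effect") == "Deny" and "*" in _as_list(s.get("Resource", [])):
            for op in cond:
                if "Not" in op.split(":")[-1]:
                    findings.append(("NEGATED_ON_STAR", "%s: %s on Resource '*'; scope the Resource "
                                     "to the type that carries the key or use %sIfExists" % (sid, op, op)))
        for keys in cond.values():
            for key, vals in keys.items():
                if key.lower() == "ec2:imagetype" and any(_INSTANCE_SIZE.match(str(v))
                                                          for v in _as_list(vals)):
                    findings.append(("IMAGETYPE_VALUE", "%s: %s is an instance size; ec2:ImageType takes "
                                     "machine/kernel/ramdisk, use ec2:InstanceType" % (sid, vals)))
    return findings

# Constructed samples mirroring the posted policies (account and VPC ids are made up).
EC2_ASKER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Sid": "Launch", "Effect": "Allow", "Action": ["ec2:RunInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/ami-0885b1f6bd170450c",
     "Condition": {"ForAnyValue:StringLike": {"ec2:ImageType": "t2.micro"}}}]}

VPC_DENY_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInstanceActionsForVPC", "Effect": "Deny", "Action": ["ec2:Run*"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-1234abcd/vpc-xyz"}]}

STAR_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Sid": "WrongSize", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"StringNotLike": {"ec2:InstanceType": "t2.micro"}}}]}

SCOPED_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Sid": "WrongSize", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"StringNotLike": {"ec2:InstanceType": "t2.micro"}}}]}

def codes(policy):
    """Sorted, de-duplicated finding codes, handy for asserting on a policy."""
    return sorted({code for code, _ in lint(policy)})

if __name__ == "__main__":
    for name in ("EC2_ASKER", "VPC_DENY_ONLY", "STAR_DENY", "SCOPED_DENY"):
        for code, msg in lint(globals()[name]):
            print(name, code, msg)
```

The checks are purely syntactic, so a clean report does not mean a policy grants what you intend; it only removes the mistakes that make these particular policies fail in surprising ways.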
I've never used AWS S3 before. We use it to automatically backup call recordings for clients. One of our clients for audit purposes needs access to their recordings.
I am using the client CyberDuck as a way to access the files.
I want to give them access to only their files.
Our file structure is as follows:
recordings/12345/COMPANYNAMEHERE/
I just learned that you build and do things based on scripts and policies. So I did some research and tried to build one but I get an access denied on listing.
Just curious if I am going about this correctly.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::recordings/12345/COMPANYNAMEHERE",
        "arn:aws:s3:::recordings/12345/COMPANYNAMEHERE/*"
      ]
    }
  ]
}
You have only given them permission to ListAllMyBuckets, which means they can only list the names of your buckets, and can't do anything else.
If you have already created an IAM User for them, then giving them this policy would allow them to list and retrieve their files, but only from the given directory (or, more accurately, with the given prefix):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "recordings/123/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/recordings/123/*"
      ]
    }
  ]
}
If you do this a lot with customers, then you can use IAM Policy Variables to create a rule that substitutes their username:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "recordings/${aws:username}/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/recordings/${aws:username}/*"
      ]
    }
  ]
}
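As an added example (not code from any of the threads, and not an AWS tool), the following Python models the part of IAM evaluation that both the Elastic Beanstalk question at the top of the page and the S3 answer just above depend on: wildcard matching, the String* condition operators, policy variables, and the rule that an explicit Deny beats every Allow. It is run over constructed policies that mirror the posted ones; the account id 123456789012, the application myapp with its prod and staging environments, and the bucket my-bucket are all assumed names.

```python
"""Offline model of IAM policy evaluation (added example, not AWS code).

Covers Action/NotAction, Resource/NotResource, the String* condition operators,
${aws:username} policy variables and the rule that an explicit Deny beats any
Allow.  Real IAM has many more operators and keys; use this to reason about a
policy, not as an authorization oracle.
"""
import re

_NEGATED = {"StringNotEquals", "StringNotLike"}
_POSITIVE = {"StringEquals", "StringLike"}

def _glob(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def _expand(text, ctx):
    """Substitute ${key} policy variables from the request context (an unresolvable
    variable is left literal here; IAM would reject the statement instead)."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), text)

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _condition_ok(cond, ctx):
    for op, keys in cond.items():
        if op not in _NEGATED | _POSITIVE:
            raise ValueError("operator not modelled: " + op)
        negated, like = op in _NEGATED, op.endswith("Like")
        for key, wanted in keys.items():
            actual = ctx.get(key)
            if actual is None:
                # IAM: a key absent from the request fails a positive operator and
                # satisfies a negated one (the ...IfExists forms change this).
                if negated:
                    continue
                return False
            wanted = [_expand(w, ctx) for w in _as_list(wanted)]
            hit = any(_glob(w, actual) if like else w == actual for w in wanted)
            if hit == negated:
                return False
    return True

def _matches(stmt, action, resource, ctx):
    acts = _as_list(stmt.get("Action", stmt.get("NotAction", [])))
    if any(_glob(a.lower(), action.lower()) for a in acts) == ("NotAction" in stmt):
        return False
    res = [_expand(r, ctx) for r in _as_list(stmt.get("Resource", stmt.get("NotResource", [])))]
    if any(_glob(r, resource) for r in res) == ("NotResource" in stmt):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)

def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

# Elastic Beanstalk thread at the top of the page.  Constructed ARNs: the account id,
# the application name and the environment names are all assumed.
EB = "arn:aws:elasticbeanstalk:us-east-1:123456789012"
APP, PROD, STAGING = (EB + ":application/myapp", EB + ":environment/myapp/prod",
                      EB + ":environment/myapp/staging")

# Shape of the asker's policy: InApplication compared with an *environment* ARN.
EB_BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticbeanstalk:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"elasticbeanstalk:InApplication": PROD}}}]}

# Same goal expressed as a blanket Allow plus an explicit Deny on the prod environment ARN.
EB_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticbeanstalk:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "elasticbeanstalk:*", "Resource": PROD}]}

def eb_demo():
    # The service fills InApplication with the application ARN, so it never equals an
    # environment ARN, StringNotEquals is always true and prod stays writable.
    ctx = {"elasticbeanstalk:InApplication": APP}
    return tuple(evaluate(p, "elasticbeanstalk:UpdateEnvironment", env, ctx)
                 for p, env in ((EB_BROKEN, PROD), (EB_FIXED, PROD), (EB_FIXED, STAGING)))

# S3 answer just above: the ${aws:username} variant; the bucket name is assumed.
S3_PER_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket",
     "Condition": {"StringLike": {"s3:prefix": "recordings/${aws:username}/*"}}},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/recordings/${aws:username}/*"}]}

def s3_demo(username, prefix, key):
    """(ListBucket verdict, GetObject verdict); prefix=None means the client sent none."""
    ctx = {"aws:username": username}
    list_ctx = ctx if prefix is None else {**ctx, "s3:prefix": prefix}
    return (evaluate(S3_PER_USER, "s3:ListBucket", "arn:aws:s3:::my-bucket", list_ctx),
            evaluate(S3_PER_USER, "s3:GetObject", "arn:aws:s3:::my-bucket/" + key, ctx))

if __name__ == "__main__":
    print(eb_demo())                                                     # ('Allow', 'Deny', 'Allow')
    print(s3_demo("123", "recordings/123/", "recordings/123/call.wav"))  # ('Allow', 'Allow')
    print(s3_demo("123", None, "recordings/123/call.wav"))               # ('ImplicitDeny', 'Allow')
```

Two things the model makes visible. elasticbeanstalk:InApplication carries the application ARN, so comparing it with an environment ARN under StringNotEquals is always satisfied and the "restricted" policy still allows UpdateEnvironment on prod, whereas a Deny on the environment ARN itself blocks it while leaving staging open. And a client that lists the bucket without a prefix, which is what a file browser does when it opens at the bucket root, is implicitly denied under the prefix-scoped ListBucket: the customer has to open recordings/<username>/ directly, or you add a ListBucket statement for the empty and recordings/ prefixes so they can navigate down.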
I am trying to grant to an IAM password user full access to an Elastic Beanstalk application (create/modify/delete environments). Following the AWS doc here results in the user being able to see the Application but being unable to view Environments or create new ones (message: Access Denied, without further specification).
Here is the current policy that is attached:
{
  "Version": "XXX-XX-XX",
  "Statement": [
    {
      "Sid": "StmtXXXXXXXXX",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:*",
        "autoscaling:*"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:eu-west-1:<accountId>:application/<app-name>",
        "arn:aws:elasticbeanstalk:eu-west-1:<accountId>:applicationversion/<app-name>",
        "arn:aws:elasticbeanstalk:eu-west-1:<accountId>:environment/<app-name>/*",
        "arn:aws:elasticbeanstalk:us-west-1::solutionstack/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:CreateStorageLocation",
        "autoscaling:DescribeAutoScalingGroups"
      ],
      "Resource": "*"
    }
  ]
}
Has anyone done this yet?
This is what I use. I couldn't be bothered to go further in separating it. You can use tags as well.
What I have done more is to run more and more things in separate accounts. If there are separate apps there is little or no reason to have them in the same account anyway. You can have cross-account access for users. https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "elasticbeanstalk:CreateStorageLocation",
        "sqs:Get*",
        "sqs:List*",
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
          ]
        }
      }
    }
  ]
}
I want to update and deploy a new version on Elastic Beanstalk from my continuous deployment system (Codeship) but also want to lock down the rights that the deployment user has.
What is the minimum set of rights needed?
This IAM policy provides all the permissions necessary to perform the "Upload and Deploy" function for a new Application Version in a specified Elastic Beanstalk Environment.
Replace the following:
Replace $REGION with the specific region, for example: us-east-1
Replace $ACCOUNT with the account number (without dashes), for example: 123456789012
Replace $APPLICATION with the specific application, for example: My Beanstalk Application
Replace $ENVIRONMENT with the specific environment, for example: My Beanstalk Environment
Note: if you push logs to CloudWatch you will need additional policies.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAutoscalingSuspendAndResumeProcesses",
      "Effect": "Allow",
      "Action": [
        "autoscaling:SuspendProcesses",
        "autoscaling:ResumeProcesses"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowElasticBeanstalkValidateConfigurationSettings",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:ValidateConfigurationSettings"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        }
      }
    },
    {
      "Sid": "AllowS3PutAndDeleteObjectInProperBucket",
      "Effect": "Allow",
      "Action": [
        "s3:Put*",
        "s3:Delete*"
      ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-$REGION-$ACCOUNT/*"
      ]
    },
    {
      "Sid": "AllowElasticBeanstalkCreateStorageLocation",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:CreateStorageLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowElasticBeanstalkCreateApplicationVersion",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        }
      }
    },
    {
      "Sid": "AllowElasticBeanstalkUpdateEnvironment",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:UpdateEnvironment"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
          ]
        },
        "StringLike": {
          "elasticbeanstalk:FromApplicationVersion": [
            "arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowElasticBeanstalkReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "autoscaling:Describe*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "cloudwatch:Get*",
        "s3:Get*",
        "s3:List*",
        "sns:Get*",
        "sns:List*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:Validate*",
        "cloudformation:Estimate*",
        "rds:Describe*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    }
  ]
}