AWS: IAM Policy to Add User To specific Group - amazon-web-services

I'm trying to set up a policy for a Group ("TheGroup") that, when attached to a User, would allow that user to create new Users AND assign them to another specific group ("TheSubGroup").
I believe I have the CreateUser part mostly done, but I'm not sure of the syntax for how to also allow this user to AddUserToGroup("TheSubGroup") in the second part of the policy below.
Any thoughts?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageUsersPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteLoginProfile",
        "iam:DeleteUser",
        "iam:UpdateAccessKey",
        "iam:ListAttachedUserPolicies",
        "iam:ListPolicies",
        "iam:ListUserPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:GetPolicy",
        "iam:GetAccountSummary"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LimitedGroupAssignment",
      "Effect": "Allow",
      "Action": [
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::1234567890:group/TheSubGroup"
          ]
        }
      }
    }
  ]
}

The AddUserToGroup action applies to group resources. Try targeting the group resource:
{
  "Sid": "LimitedGroupAssignment",
  "Effect": "Allow",
  "Action": [
    "iam:AddUserToGroup",
    "iam:RemoveUserFromGroup"
  ],
  "Resource": "arn:aws:iam::1234567890:group/TheSubGroup"
}

Related

Limit the type of EC2 instance in IAM policy

I want to create an IAM policy in which the IAM user will not be able to launch any instance other than t2.micro Ubuntu in the us-east-1 region. I have added the AMI in the IAM policy, but instead of allowing just the Ubuntu AMI, AWS is allowing the IAM user to launch all instances. What might be the problem?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TheseActionsSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
    }
  ]
}
This should point you in the right direction:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TheseActionsSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c",
      "Condition": {
        "ForAnyValue:StringLike": {
          "ec2:ImageType": "t2.micro"
        }
      }
    }
  ]
}
I would recommend using Deny rules to disallow launching instances if the wrong instance type or the wrong ami is used. Note that I removed the Sid parameter as it is optional.
An explicit Deny rule will override any Allow rules. That makes it easier to disallow unwanted actions, instead of trying to carve out the allowed action. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
Try the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "ec2:ImageType": "t2.micro"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "NotResource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
    }
  ]
}

Explicit deny for user to runinstances in AWS when not using specific tag KeyValue

I have created a policy which allows users to do all ec2 actions but restricts the user to runinstances, createvolumes and terminate instances only when they pass the given tag key-value pairs, using an explicit deny.
ec2 full permissions policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}
ec2 run instance and create volumes explicit deny with conditions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:TagKeys": "Name",
          "aws:RequestTag/Name": "${aws:username}"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:RequestTag/Name": "${aws:username}"
        },
        "StringNotEquals": {
          "ec2:CreateAction": "RunInstances",
          "aws:TagKeys": "Name"
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteVolume",
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "ec2:ResourceTag/Name": "${aws:username}"
        }
      }
    }
  ]
}
My requirement is to give the user all ec2 permissions and restrict runinstances to only when they pass tag key "Name" with tag value "their aws user name".
But when this policy is applied to a user, it restricts them to running only when they pass tag key "Name"; it is not restricting on tag value "their aws user name ${aws:username}".
But the same restriction is working properly when the user is trying to terminate instances, i.e. the user is unable to terminate instances with tag key "Name" and tag value "their aws user name ${aws:username}".
What could be the error in the policy that is allowing the user to runinstances with tag key "Name" and any value for the tag value? Even null is also allowed.
You can use the below IAM Policy and edit it as per your liking. I use this in production and it works flawlessly. It will only launch instances if they are tagged with values present in the list:
Here, Key = Environment, Value = mentioned below
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/ami-*",
        "arn:aws:ec2:*:ACCOUNT_ID:volume/*",
        "arn:aws:ec2:*:ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:*:ACCOUNT_ID:network-interface/*",
        "arn:aws:ec2:*:ACCOUNT_ID:security-group/*",
        "arn:aws:ec2:*:ACCOUNT_ID:key-pair/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:ACCOUNT_ID:instance/*",
      "Condition": {
        "StringNotLike": {
          "aws:RequestTag/Environment": [
            "Testing",
            "Staging",
            "Production",
            "Nightly",
            "Sandbox",
            "LoadTesting"
          ]
        }
      }
    }
  ]
}
It is not working because the following block is implementing a logical OR. So, the instance will be launched if any of the conditions is met. You have to create a logical AND by separating the condition keys into two different blocks, as mentioned here.
"Condition": {
  "ForAllValues:StringNotEquals": {
    "aws:TagKeys": "Name",
    "aws:RequestTag/Name": "${aws:username}"
  }
}
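The two evaluation rules the answers in this thread and the previous one rely on, an explicit Deny overriding every Allow and IAM ANDing all condition keys inside one operator block, as an added Python model written for this page (it is not AWS code and not from any of the posts; the account id, instance id and user names are made up). It replays the question's single-block Deny and the split two-statement version against the same RunInstances request, so the difference in outcome can be seen without touching a real account.

```python
from fnmatch import fnmatchcase

OPS = {  # IAM string operators, each applied to one request value against the policy's value list
    "StringEquals":    lambda r, pv: any(r == p for p in pv),
    "StringNotEquals": lambda r, pv: all(r != p for p in pv),
    "StringLike":      lambda r, pv: any(fnmatchcase(r, p) for p in pv),
    "StringNotLike":   lambda r, pv: all(not fnmatchcase(r, p) for p in pv),
}
_list = lambda v: v if isinstance(v, list) else [] if v is None else [v]
def condition_met(cond, ctx):  # every operator block AND every key inside it must match; IAM never ORs them
    for full_op, keys in cond.items():
        qual, _, op = full_op.rpartition(":")   # e.g. ("ForAllValues", ":", "StringNotEquals")
        for key, pol in keys.items():
            pol_vals = [str(p).replace("${aws:username}", ctx.get("aws:username", "")) for p in _list(pol)]
            req_vals = _list(ctx.get(key))
            if qual:  # set operators; on a missing key ForAllValues is vacuously true, ForAnyValue false
                ok = (all if qual == "ForAllValues" else any)(OPS[op](r, pol_vals) for r in req_vals)
            elif not req_vals:                   # single-valued operator on a missing key:
                ok = op.startswith("StringNot")  # only the negated operators match an absent key
            else:
                ok = OPS[op](req_vals[0], pol_vals)
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, ctx):  # 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny wins
    result = "ImplicitDeny"
    for st in policy["Statement"]:
        if (any(fnmatchcase(action, a) for a in _list(st["Action"]))
                and any(fnmatchcase(resource, r) for r in _list(st["Resource"]))
                and condition_met(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result
# The question's Deny: both keys sit in one operator block, so BOTH must fail before it fires.
ONE_BLOCK = {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {"ForAllValues:StringNotEquals": {
                 "aws:TagKeys": "Name", "aws:RequestTag/Name": "${aws:username}"}}}
# The same keys in two statements: now either key failing on its own triggers a Deny.
SPLIT = [dict(ONE_BLOCK, Condition={"ForAllValues:StringNotEquals": {"aws:TagKeys": "Name"}}),
         dict(ONE_BLOCK, Condition={"StringNotEquals": {"aws:RequestTag/Name": "${aws:username}"}})]

def launch_result(deny_statements, ctx):  # ec2:RunInstances under the question's ec2:* Allow plus the denies
    allow_all = {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
    policy = {"Version": "2012-10-17", "Statement": [allow_all] + deny_statements}
    return evaluate(policy, "ec2:RunInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc", ctx)

WRONG_NAME = {"aws:username": "alice", "aws:TagKeys": ["Name"], "aws:RequestTag/Name": "bob"}    # constructed
RIGHT_NAME = {"aws:username": "alice", "aws:TagKeys": ["Name"], "aws:RequestTag/Name": "alice"}  # constructed
```

With the single block, alice launching an instance tagged Name=bob is allowed, because the TagKeys half of the condition is satisfied and the Deny never fires; with the split statements the same request is denied, and an untagged launch is denied as well.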

I am trying to set-up MFA for an AWS user in the organization

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1506369084151",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::account_#:user/user_name"
    }
  ]
}
I have the above policy, which should enable users to set up MFA by themselves.
However, when I test this policy (by logging in as one of the users), I am not able to perform the desired action.
What am I missing in the policy snippet?
PS: The policy is attached to the user I try to log in as, so this silly mistake is ruled out.
This works for me:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEnableResyncDeleteListMFA",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
        "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowDeactivateMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_ID:mfa/${aws:username}",
        "arn:aws:iam::AWS_ACCOUNT_ID:user/${aws:username}"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": true
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

Allow power users on AWS to manage their passwords and keys

I created users with the poweruser policy on AWS. The policy is
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    }
  ]
}
Now, following the documentation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-credentials), I have created a custom policy that should allow users to manage their own passwords and keys:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:ChangePassword",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
I am still getting an error:
User: arn:aws:iam::1234567890:user/student is not authorized to perform: iam:CreateLoginProfile on resource: user student. The simulation gives an explicit deny error, which is not the case according to these policies.
See below in the code where it says account-id-without-hyphens; replace that with your account number and it will work.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:ChangePassword",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}

AWS IAM policy not working to restrict user to launch an instance in a particular VPC

I have an IAM policy that restricts a user to launching an instance in a particular VPC.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-west-2:accountID:instance/*",
        "arn:aws:ec2:us-west-2:*:image/*",
        "arn:aws:ec2:us-west-2:accountID:subnet/*",
        "arn:aws:ec2:us-west-2:accountID:vpc/vpc-ID",
        "arn:aws:ec2:us-west-2:accountID:network-interface/*",
        "arn:aws:ec2:us-west-2:accountID:volume/*",
        "arn:aws:ec2:us-west-2:accountID:key-pair/*",
        "arn:aws:ec2:us-west-2:accountID:tags/*",
        "arn:aws:ec2:us-west-2:accountID:security-group/*"
      ]
    },
    {
      "Sid": "Stmt1394644402000",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1394645330000",
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:ReleaseAddress",
        "ec2:AttachVolume",
        "ec2:CreateVolume",
        "ec2:CreateTags"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
But the policy is not working. Also, I want to restrict the user from launching an instance in EC2-Classic.
Any help is appreciated.
Thanks