AWS IAM CustomPolicy - amazon-web-services

I have created a custom managed AWS IAM policy as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1567509959500",
"Action": [
"codecommit:DeleteBranch",
"codecommit:GitPush",
"codecommit:MergeBranchesByFastForward",
"codecommit:MergeBranchesBySquash",
"codecommit:MergeBranchesByThreeWay",
"codecommit:MergePullRequestByFastForward",
"codecommit:MergePullRequestBySquash",
"codecommit:MergePullRequestByThreeWay",
"codecommit:PutFile"
],
"Effect": "Deny",
"Resource": [
"arn:aws:codecommit:us-east-1:420843264582:ui-repos",
"arn:aws:codecommit:us-east-1:420843264582:API-repos"
],
"Condition": {
"StringEquals": {
"codecommit:References": "refs/heads/master"
}
}
}
]
}
But any user on which this policy is applied is getting 403 when Git pushes to any branch.
I want users to create branches, allow all operations on other branches except the master branch.
Thanks!

If this is the whole thing (you put the json inside the question really - why external link?), then you only have a deny statement and nothing to grant your users any rights to codecommit.

Related

sam pipeline bootstrap created an omnipotent role

In the CI/CD section of the AWS SAM tutorial workshop, when I ran
sam pipeline init --bootstrap and went through the configurations, a role was created with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Allow"
}
]
}
Doesn't this grant the role complete permission over my AWS account which is a big no no? Or is it fine because the permission is granted to an AWS service, and not a user?
This is the trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Having a role that exists with those permissionsis fine.
When you create a vanilla AWS Account (in other words I am not including those created by enterprise landing zones like Control Tower) it comes with a policy called AdministratorAccess and a role called Administrator.
The best practice is in who or what you allow to use that policy and when.
Roles are preferred over users, since roles provide security credentials. With a user you have durable credentials you need to secure.
In this case you are allowing CloudFormation to assume this role. This makes sense since CloudFormation often needs to be able to create and modify any resources including IAM roles. If you know you will not be creating or modifying IAM resources you can user a more restrictive role (least privilege), for example using the PowerUserAccess policy which looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"organizations:*",
"account:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole",
"iam:ListRoles",
"organizations:DescribeOrganization",
"account:ListRegions"
],
"Resource": "*"
}
]
}

AWS IAM policy restriction based on Tags not giving me any access

So I followed this AWS tutorial and created this IAM policy that should give access to any dynamodb action that has these keys. But as you can see in the image attached, it tells me I do not have any permission. Also it does happen to other services, so not only dynamodb, and also I tried to hardcode the 'access-project' tag in the policy as done with the 'access-environment as you can see.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllActionsSameProjectEnvironment",
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/access-project": "${aws:PrincipalTag/access-project}",
"aws:ResourceTag/access-environment": "pre"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"access-project",
"access-environment",
"Name",
"OwnedBy"
]
},
"StringEqualsIfExists": {
"aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
"aws:RequestTag/access-environment": "pre"
}
}
}
]
}
error image
Any idea why is this happening? Thanks!
DynamoDB does not support Authorization based on tags as listed in the docs.

How to enforce Tag usage when creating S3 Buckets?

I want to prevent users from creating an S3 bucket when there is not Tag with the key 'project'.
Following policy won't work. It prevents creation in any case
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyCreationWithoutProjectTag",
"Effect": "Deny",
"Action": "s3:CreateBucket",
"Resource": "*",
"Condition": {
"StringNotLike": {
"aws:RequestTag/project": "*"
}
}
}
]}
Tag Enforcement for EC2 - AWS
and
Enforce tagging for AWS resources
did not help.
Go to Polices in AWS Organizations and select Tag policies. be sure to enable it if it isn't enabled prior. then create a policy like this. you can use the given json editor for this.
{
"tags": {
"Project": {
"tag_key": {
"##assign": "Project"
},
"enforced_for": {
"##assign": [
"s3:bucket"
]
}
}
}
}
In here, I have created a tag policy for Project tag. Once the tag policy is created, make sure to attach it to the target OU/Account.
After this, go to Policies again and select Service control policies (SCPs)
and if it isn't available, make sure to enable it. In there, create a new SCPs policy and add the following policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyS3CreationSCP1",
"Effect": "Deny",
"Action": [
"s3:CreateBucket"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
}
]
}
In here I have created SCP to enforce previous tag policy. Once the SCPs are created, make sure that you attach it to the target OU/Account.

AWS S3 IAM grant access to buckets based on tags

I'm trying to grant a group of users access to all s3-buckets with a certain tag, but no access to all others.
The policy I've cobbled together looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListAll",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowAllIfGroup",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Condition: : {
"StringEquals" : {
"s3.ResourceTag/allow-group": "s3-access-group"
}
},
"Resource": [
"arn:aws:s3:::*",
"arn:aws:s3:::*/*"
]
}
]
}
and I can't get it to work I have tried simulating the policy for ListBucket and ListAllMyBuckets against the arn of a tagged Bucket, ListAllMyBuckets works, ListBucket fails.
If I adapt this policy to ec2 (as in 'grant start/stop/terminate to instances if tag matches') it works like a charm.
Is this possible at all or does S3 not allow for matching buckets this way?
(further clarification: my bucket has tags "allow-group" and "AllowGroup" set, I was not sure if the dash may be a problem)
S3 does not support condition keys based on bucket tags (ResourceTag), but only on object tags.
See the full list of supported conditions keys here (Scroll down to "Condition Keys for Amazon S3"):
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-policy-keys
That's why it does not work.
I did some experimentation and was also unable to obtain the result you seek.
Firstly, online references to the S3 ResourceTag are rare, but AWS re:Invent 2016: AWS S3 Deep-Dive Hands-On Workshop gives an example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*",
"Condition": {
"StringEquals": {
"S3:ResourceTag/HIPAA": "True"
}
}
}
]
}
Note that it uses S3:ResourceTag rather than S3.ResourceTag.
I tried using this logic against both a bucket tag and an object tag but was unsuccessful in getting it to work. I suspect that ResourceTag is meant to refer to an object-level tag rather than a bucket-level tag, but couldn't prove this since it failed to work in both situations.
I used a policy like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"StringEquals": {
"s3:ResourceTag/AllowGroup": "s3-access-group"
}
}
}
]
}
However, it would not give me access to an object even when both the bucket and the object had the appropriate tag.
AWS docs has a reference for all services which have support for use with AWS IAM and resource tagging here
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
At the moment, only object level tagging in S3 is supported:
¹ Amazon S3 supports tag-based authorization for only object resources.
² Amazon S3 supports service-linked roles for Amazon S3 Storage Lens.
Digging into the docs more, it appears as though PUT and DELETE operations on objects is not supported at the time of writing: https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html

Granting access to S3 resources based on role name

IAM policy variables are quite cool and let you create generic policys to, for example, give users access to paths in an S3 bucket based on their username, like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files/${aws:username}/*"
},
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files"
}
]
}
My question is, how can this be done using roles (attached to EC2 instances) instead of user accounts?
I have a number of app servers with unique IAM user accounts that are linked to a generic policy similar to the one above. This isolates the files accessible by each user/app without creating multiple policies.
I want switch these servers to use roles instead but there doesn't seem to be an equivalent IAM variable like aws:rolename.
The docs indicate that when using a role assigned to an EC2 instance the aws:username variable isn't set and aws:userid is [role-id]:[ec2-instance-id] (which isn't helpful either).
This really seems like something you should be able to do.. or am I coming at this the wrong way?
I've been looking for the same and after a lot of searching my conclusion was that it is not possible to use the role name as a variable in a IAM policy (I'd love to be proven wrong though).
Instead, I tagged my role with a name and ended up with this:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files/${aws:PrincipalTag/name}/*"
},
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files"
}
]
}
(Cross-posted to AWS S3 IAM policy for role for restricting few instances to connect to S3 bucket based in instance tag or instance id)
Instead of using aws:SourceArn, use aws:userid!
The Request Information That You Can Use for Policy Variables documentation that you mentioned has a table showing various values of aws:userid including:
For Role assigned to an Amazon EC2 instance, it is set to role-id:ec2-instance-id
Therefore, you could use the Role ID of the role that is used to launch the Amazon EC2 instance to permit access OR the Instance ID.
For example, this one is based on a Role ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aws:userid": [
"AROAIIPEUJOUGITIU5BB6*"
]
}
}
}
]
}
Of course, if you are going to assign permission based on a Role ID, then you can just as easily grant permissions within the Role itself.
This one is based on an Instance ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"aws:userid": [
"*:i-03c9a5f3fae4b630a"
]
}
}
}
]
}
The Instance ID will remain with the instance, but a new one will be assigned if a new instance is launched, even from the same Amazon Machine Image (AMI).