I tried to provide a policy following the samples here: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html
But, I keep getting a warning and it does not work.
These are all I tried so far:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
Or
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"arn:aws:ec2:*:*:instance": [
"i-myInstanceId1",
"i-myInstanceId2"
]
}
}
}
]
}
Or even I tried to use more resource-based conditions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
],
"arn:aws:ec2:*:*:resourceTag/environment": [
"prod",
"Prod"
],
"ec2:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
In general, all I want to do is allow access to start session in SSM on servers which are not prod servers.
My EC2 prod servers all have a tag environment:prod
I get an error message on each condition which doesn't work:
There are no actions in your policy that support this condition key.
Example:
ec2:resourceTag /environment (StringNotLike prod and Prod)
There are no actions in your policy that support this condition key.
I appreciate any help.
From the comments and some investigation, here's the answer:
From the docs, it is pretty easy to notice which actions support what conditions.
Unfortunately the examples provided for Restricting Access are wrong, i.e. there's an error in the documentation that contains the sample code.
A PR might be a good idea so others don't hang on the same thing.
Related
I have difficulties to allow access to S3 bucket only to one IdentityPoolId.
I tried such things but it's not working
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListYourObjects",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
]
}
}
}
]
}
Do you have an idea ?
My IdentityPoolId look like : "us-east-1:XXXXXXX"
Thank you!
im trying to create an aws iam role policy resource on terraform but i got the following error message: MalformedPolicyDocument: The policy failed legacy parsing
Already tried to parse on json formatters and things like that and the json policy looks fine so idk what im missing, thanks for the help!
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": [
"arn:aws:ec2:${var.REGION}:network-interface/*"
],
"Condition": {
"StringEquals": {
"ec2:Subnet": [
"${element(aws_subnet.private.*.id, 0)}",
"${element(aws_subnet.private.*.id, 1)}"
],
"ec2:AuthorizedService": "codebuild.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"${aws_s3_bucket.codebuild.arn}",
"${aws_s3_bucket.codebuild.arn}/*"
]
}
]
}
POLICY
I haven't seen the error before, but Googling tells me the JSON parser/processor AWS is using for IAM policies seems very picky. I.e. Version has to come before Statement, etc.
In your particular case based on a comment I found I guess it might be about white space around your value.
The comment says:
Additionally, you cannot have an space before the initial "{".
Thus in Terraform what you might need is a trimspace around the whole value:
policy = trimspace(<<POLICY
{
"Version": "2012-10-17",
[... redacted for readability]
}
POLICY
)
I am getting the following error.
IAM resource path must either be "*" or start with user/, federated-user/, role/, group/, instance-profile/, mfa/, server-certificate/, policy/, sms-mfa/, saml-provider/, oidc-provider/, report/, access-report/.
Please help me out here.
Here is my code.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": [
"arn:aws:iam::197709948620:instance/*"
],
"Condition": {
"StringLike": {
"ssm:resourceTag/Finance": [
"Web Server"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ssm:TerminateSession"
],
"Resource": [
"arn:aws:ssm:*:*:session/${aws:username}-*"
]
}
]
}
The following resource is incorrect:
arn:aws:iam::197709948620:instance/*
instance is ec2, not iam. It should be:
arn:aws:ec2::197709948620:instance/*
i'm scratching my head with this one i'm attempting to write an AWS Policy that'll basically constrict a (terraform) user to work in one specific region so that any accidental changes etc are kept to a minimum and the chances of accidentally hurting another environment are reduced. Keeping in mind that some services like IAM etc span outside of a region i've come up with a rudimentary one here, only problem is AWS is throwing the following error:
This policy contains the following error: The following resources are invalid. They must be either '' or an arn pattern: arn:aws:iam:,arn:aws:route53:* For more information about the IAM policy grammar, see AWS IAM Policies
Here's a copy of the policy thus far, any help would be appreciated.:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"NotResource": [
"arn:aws:iam:*",
"arn:aws:route53:*"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:RequestedRegion": "us-west-1"
}
}
},
{
"Effect": "Allow",
"Action": "*",
"Resource": [
"arn:aws:iam:*",
"arn:aws:route53:*"
]
}
]}
Could you please try this one :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1595231481806",
"Action": "route53:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "us-west-1"
}
}
},
{
"Sid": "Stmt1595231501844",
"Action": "iam:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "us-west-1"
}
}
}
]
}
I've never used AWS S3 before. We use it to automatically backup call recordings for clients. One of our clients for audit purposes needs access to their recordings.
I am using the client CyberDuck as a way to access the files.
I want to give them access to only their files.
Our file structure is as follows:
recordings/12345/COMPANYNAMEHERE/
I just learned that you build and do things based on scripts and policies. So I did some research and tried to build one but I get an access denied on listing.
Just curious if I am going about this correctly.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::recordings/12345/COMPANYNAMEHERE",
"arn:aws:s3:::recordings/12345/COMPANYNAMEHERE/*"
]
}
]
}
You have only given them permission to ListAllMyBuckets, which means they can only list the names of your buckets, and can't do anything else.
If you have already created an IAM User for them, then giving them this policy would allow them to list and retrieve their files, but only from the given directory (or, more accurately, with the given prefix):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"recordings/123/*"
]
}
}
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/recordings/123/*"
]
}
]
}
If you do this a lot with customers, then you can use IAM Policy Variables to create a rule that substitutes their username:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"recordings/${aws:username}/*"
]
}
}
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/recordings/${aws:username}/*"
]
}
]
}