I'm looking to create a policy that allows access to all AWS services except for the Delete permissions. I see that I can do the following but you have to label every AWS service and "*:Delete*" doesn't work. Is there an easier way to allow all services except for the Delete permissions?
...
"Effect": "Allow",
"NotAction": [
"application-autoscaling:Delete*",
"autoscaling:Delete*"
],
"Resource": "*"
...
According to the official IAM documentation you have to list all the services.
Based on the grammar you can either define "NotAction": "*" or "NotAction": ["s3:Delete*", "ec2:Delete*", ...]
For further info see action_string section here and policy grammar here.
Related
I am working on serverless where it would be used to deploy lambda functions and corresponding REST APIs using API Gateway.
The problem I am facing is that I need to give programmatic user permission to create API-Gateway with specific prefix only.
Giving permission for POST action on this resource "arn:aws:apigateway:us-east-1::/restapis" seems to give permission to create apis with any name, and "arn:aws:apigateway:us-east-1::/restapis/ps-sls-*/*" doesn't seems to working (ps-sls- is the prefix).
AWS docs are abhorently unclear to me regarding this topic.
Here's a snippet of policy doc I am using
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:*",
"lambda:*",
"cloudformation:*",
"apigateway:*"
],
"Resource": [
"arn:aws:cloudformation:us-east-1:XXXXXXXXXX:stack/ps-sls-*/*",
"arn:aws:lambda:us-east-1:XXXXXXXXXXX:function:ps-sls-*",
"arn:aws:apigateway:us-east-1::/restapis",
"arn:aws:s3:::ps-sls-*"
]
}
I've been able to generate a user policy that only gives access to a specific bucket, however after trying everything (including this post: Is there an S3 policy for limiting access to only see/access one bucket?).
The problem: I am unable to restrict the listing of the buckets down to just one bucket. For a variety of reasons, I do not want the listing to show any buckets other than the one specified.
I've tried a variety of policies, to no avail. Here's my latest policy JSON which is working as far as restricting operations, but not listing:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Deny",
"Action": [
"s3:ListBucket"
],
"NotResource": [
"arn:aws:s3:::acgbu-acg",
"arn:aws:s3:::acgbu-acg/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::acgbu-acg",
"arn:aws:s3:::acgbu-acg/*"
]
}
]
}
Any help would be greatly appreciated. I'm beginning to wonder if it's even possible.
It is not currently possible to restrict the list of buckets to show only one bucket.
The AWS console relies on the ListAllMyBuckets action to get the list of buckets owned by the user, but the returned list can not be restricted by using an Amazon Resource Name (or ARN; the only ARN that's allowed for ListAllMyBuckets is arn:aws:s3:::*).
This limitation isn't clearly explained in the official AWS docs, but ListAllMyBuckets is a service level API call (it's also called GET Service in the REST API), not a bucket level API call and its associated ARN in the IAM policy refers to the S3 service an not to a specific bucket.
For possible workarounds, see this answer on StackOverflow:
The free "S3 Browser" (this works on my version 3-7-5) allows users with the proper permissions to "Add External Bucket" for the account, all they need to know is the name of the bucket. This allows them to "see" their bucket and the contents (and what ever abilities they've been given inside that bucket), they won't see any of the other buckets.
To make the bucket "play nice" with the S3 Browser behavior, I suggest the following IAM Policy for the User or Group:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::acgbu-acg"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::acgbu-acg/*"
}
]
}
It's a work around, and it's okay if the user only needs to do it once. But if the buckets your user is accessing are changing around a lot then this work around isn't very practical.
I came here looking for how to restrict access to a bucket to one (or a list of) user(s). Maybe, post title is ambiguous ?
Anyway, it seems to have Google's favor, so let's enrich it a little :
If you need to restrict access to a bucket to some user(s), follow those steps :
First, get the IDs of the user you want to grant rights to.
This can be achieved using the awscli command aws iam list-users
Those IDs look like this : "AIDAIFKYAC9DNJXM2CRD", or "AIDAZ362UEKJCJMFFXCL"
Please, comment if it's available in the web console.
Once you got the ID(s) that must be given access, put a policy on the bucket you want to protect.
To do this with the web console :
-> Open S3 -> Open your bucket -> Select the "properties" tab -> Click on "Edit bucket policy"
To apply the policy using awscli, create a file with the policy's content, and put it on your bucket using this command :
aws s3api put-bucket-policy --bucket NAME_OF_YOUR_BUCKET --policy file:///path/to/policyFile.json
Of course, set YOUR_BUCKET_NAME and the file's path to your values, BUT DON'T remove the file:// prefix before your file's name
Warning : this deny policy will override the default "access to s3" a user could have. This means you can deny access to your OWN user with this. Use with caution !
I'm even afraid you could make a bucket fully innaccessible.
Out of curiosity, I tried accessing with our account's root user, which I didn't grant access to, and effectively couldn't.
Gotta ask this to support, and hopefully update this answer.
Anyway, I'm sure you'll be careful enough, so here's a sample policy.
Just replace the bucket's name with yours and the userId(s) with the one(s) you want to authorize to access.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::your-bucket-name",
"arn:aws:s3:::your-bucket-name/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDAXAXAXAXAXAXAXAXAX",
"AIDAOXOXOXOXOXOOXOXOX",
"AIDAXIXIXIXIXIXIXIXIX"
]
}
}
}
]
}
For something more specific, or if you want to use roles instead of users, see this AWS post explaining in detail how to restrict access to a buckets
Hope this helps
The original poster was asking about a user policy. This would be attached to particular user(s) while others may have more leineint policies (or no policy) applied to them. A typical use case would be where you only want to restrict one user, whose credentials need to be shared outside the highest trust group. User policy is the way to go for that..
Is it possible to create a sub-account or sub-user that is limited in what he can see and/or do in AWS based on tags for example?
I have tried using policies, but for instances this wouldn't work, because you can't limit it on a resource level.
This makes it that either they can controll and see everything, or nothing at all.
is there anything that I have missed?
The question scope just too wide. Please study the IAM Guides and play around with IAM policy generator condition.
Even playing around with ARN that allow wildcard, you still need to define some explicit prefix/suffix for those wildcard values. For EC2, you need to understand EC2 resource ARN and possible need to mix with "Condition" to add restriction.
Here is an example of using policy generator for a policies that only allow run,start and stop instance, and it restrict to EC2 with resource tag serverX. When you attach this policy to the user, they can only do the following task. You may need to add further condition to make sure the user doesn't see instances belongs to others, by enforcing the tag name creation yourself.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1462794515000",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/Name": "serverX"
}
},
"Resource": [
"arn:aws:ec2::1234567890:instance/*"
]
}
]
}
You can play around with AWS policy Simulator. Another good reference is AWS inline policies and managed policies
What policy templates should an AWS IAM user have in order to deploy and maintain an EB application (e.g. website code from a client machine)? IAMReadOnlyAccess plus PowerUserAccess seem sufficient, but I'm wondering whether the latter is overkill. Can I restrict policies to a single EB instance or application?
When you create an IAM role in the Web Console, there is a pre-defined role called ElasticBeanstalkFullAccess. This will give you full permission to all underlying resources that elastic beanstalk needs. You can see the general doc on this.
Restricting to specific environments or applications is much harder, but doable. It requires you to restrict the user to specific resources using arn's, including all underlying resources and their arn's. See the doc on this.
For reference, the full elastic beanstalk policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*",
"ec2:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
"cloudformation:*",
"rds:*",
"sqs:*",
"iam:PassRole"
],
"Resource": "*"
}
]
}
I am working on Amazon web services. Designing the custom IAM policies.
I have a user which have restricted access on the instances like he can start,stop the instances. Similarly i want to restrict the user to attach,delete specific volumes.
I have created this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": ["ec2:DescribeInstances","ec2:DescribeInstanceStatus","ec2:DescribeVolumeAttribute","ec2:DescribeVolumeStatus","ec2:DescribeVolumes"], ,
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:us-west-2:AccountID:instance/instanceID",
"Resource": "arn:aws:ec2:us-west-2:AccountID:instance/instanceID",
"Resource": "arn:aws:ec2:us-west-2:AccountID:instance/instanceID",
"Resource": "arn:aws:ec2:us-east-1:123456789012:volume/volID",
"Resource": "arn:aws:ec2:us-east-1:123456789012:volume/volID",
"Resource": "arn:aws:ec2:us-east-1:123456789012:volume/volID"
}
]
}
when I apply this policy it does not show me any volumes.
I get an error:
error fetching the volume details.
Any lead is appreciated
Thanks
Update
The best way to test/debug IAM policies is by means of the fantastic IAM Policy Simulator (see Using the IAM Policy Simulator for the actual link and instructions). With its help, the solution below can easily be verified to be working correctly.
I recommend to add a dedicated test user to your account with no policies attached (i.e. implicit Deny All) and then using the Mode: New Policy to assemble and simulate the policy in question, e.g. for the use case at hand:
use two volumes and allow one via the policy, then simulate the policy with both resources, one will yield denied and the other allowed for AttachVolume and DetachVolume
Once satisfied, you can apply the assembled policy to the entities in your account and recheck via Mode: Existing Policies.
Initial Answer
I wonder how you have been able to apply this IAM policy, insofar it is syntactically invalid JSON (the Action field within the first Statement lacks any value)?
The syntax error aside, that's also the source of your problem:
As indicated by TheseActionsDontSupportResourceLevelPermissions, a few EC2 API actions do not support the comparatively new Resource-Level Permissions for EC2 and RDS Resources yet, see this note from Amazon Resource Names for Amazon EC2:
Important Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional
Amazon EC2 resources later. For information about which ARNs you can
use with which Amazon EC2 API actions, as well as supported condition
keys for each ARN, see Supported Resources and Conditions for Amazon
EC2 API Actions.
You will find that all ec2:Describe* actions are indeed absent still from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing. This also includes the ec2:DescribeVolume* actions, which is why you receive the error.
Fixing the first statement as outlined below should remedy the issue:
{
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Action": [
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:<region>:<account number>:volume/<volume id>"
}
]
}