I have a Elastic Beanstalk application running on an EC2 instance, currently I have given admin privileges to all my co-workers. However now I want to add other environments and web applications that I don't want my co-workers to have access to. I've been looking at Resource-Level Permissions but I'm pulling my hair out trying to get it to work. Sometimes It works intermittently and I'm looking for advice on how I can achieve this from anyone with previous experience.
In a nutshell: I have [Application A] that I want users to have access to. I also have [Application B] and [Application C] that I want to restrict access to so only I can see and make changes to it.
Here is my current IAM Policy JSON;
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:*",
"ecr:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"sns:*",
"cloudformation:*",
"dynamodb:*",
"rds:*",
"sqs:*",
"iam:GetPolicyVersion",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfiles",
"iam:ListRoles",
"iam:ListServerCertificates",
"acm:DescribeCertificate",
"acm:ListCertificates",
"codebuild:CreateProject",
"codebuild:DeleteProject",
"codebuild:BatchGetBuilds",
"codebuild:StartBuild"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"arn:aws:ec2:myregion:myaccountid:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name":"mytag"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*"
],
"Resource": [
"arn:aws:elasticbeanstalk:myregion:myaccountid:environment/myapp/myenv"
],
"Condition": {}
}
]
}
Derived from here. I would really appreciate if someone with more experience with IAM policies could identify what I'm doing wrong and how to do it properly & If there is a simpler way of doing this I would love to hear it also!
Thanks!
Since your co-workers already have admin access, you need a Deny policy.
The following policy explicitly denies access to all Amazon EB resources other than the listed resources
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "elasticbeanstalk:*",
"NotResource": [
"<Application A ARN>"
]
}
}
Related
I am trying to create an IAM user that will have least privileges to be able to view enhanced monitoring for a particular RDS database. I have created a ROLE (Enhanced Monitoring) and attached a managed policy to it:'AmazonRDSEnhancedMonitoringRole'. This role is passed to RDS database using the passrole permission. The policy that I am attaching to this IAM user is as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData",
"rds:*",
"cloudwatch:GetMetricData",
"iam:ListRoles",
"cloudwatch:GetMetricStatistics",
"cloudwatch:DeleteAnomalyDetector",
"cloudwatch:ListMetrics",
"cloudwatch:DescribeAnomalyDetectors",
"cloudwatch:ListMetricStreams",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:ListDashboards",
"ec2:*",
"cloudwatch:PutAnomalyDetector",
"cloudwatch:GetMetricWidgetImage"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole",
"cloudwatch:*"
],
"Resource": [
"arn:aws:cloudwatch:*:accountnumber:insight-rule/*",
"arn:aws:iam::accountnumber:role/Enhanced-Monitoring",
"arn:aws:rds:us-east-1:accountnumber:db:dbidentifier"
]
}
]
}
As you can see,I have given almost every permission to this user, but still I am getting 'Not Authorized' error on the IAM user RDS dashboard for enhanced monitoring, although cloudwatch logs are displaying normally.
I managed to solve the error by modifying the policy. Since Enhanced Monitoring utilizes CloudWatch logs, I added a read-only cloudwatch logs policy(CloudWatchLogsReadOnlyAccess). This policy is mentioned here in AWS documentation. I also added a cloudwatch:GetMetricData permission as suggested on the RDS console. The overall policy is also more compact now:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::account_number:role/Enhanced-Monitoring"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"rds:*",
"logs:Describe*",
"logs:List*",
"logs:StartQuery",
"ec2:*",
"iam:ListRoles",
"logs:StopQuery",
"logs:TestMetricFilter",
"logs:FilterLogEvents",
"logs:Get*",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}
The setup is working fine now.
I created an IAM user named sally and did not attach any managed policy while creating. Then attached the following IAM policy to it.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "S3:*",
"Resource": [
"arn:aws:s3:::cat-pics",
"arn:aws:s3:::cat-pics/*"
],
"Effect": "Allow"
}
]
}
But when I log in as sally user into the console, I keep getting the following error:
Error
Access Denied
Basically, the user is not able to see the cat-pics bucket or any objects uploaded to it. What am I missing here? Do I need to add any managed policy to the user? Please let me know.
Thanks
This is the correct policy document for a user trying to access buckets through console.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsSupportBucketResourceType",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::cat-pics"
]
},
{
"Sid": "TheseActionsRequireAllResources",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListMultipartUploadParts"
],
"Resource": [
"*"
]
},
{
"Sid": "TheseActionsRequireSupportsObjectResourceType",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::cat-pics/*"
]
}
]
}
Detailed explanation for the issue is provided here:
https://aws.amazon.com/blogs/security/iam-policy-summaries-now-help-you-identify-errors-and-correct-permissions-in-your-iam-policies/
Thanks
The problem is that this policy allows full access to only this bucket, but if you use the Console you need other permissions to reach that. The AWS documentation states that you need the GetBucketLocation and the ListAllMyBuckets permissions, which are outside of the bucket, to use the console.
Add this to the policy and it should work:
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
I am having the requirement of creating the policy that will have access to the custom created ssm document only can run in the specified EC2 instance.
I have tried policy something like this but it is not sufficient to control the document to be run on the instance.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2messages:DeleteMessage",
"ec2messages:GetEndpoint",
"ec2messages:FailMessage",
"ec2messages:AcknowledgeMessage",
"ec2messages:SendReply",
"ec2messages:GetMessages"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:UpdateInstanceInformation",
"ssm:UpdateAssociationStatus",
"ssm:ListInstanceAssociations",
"ssm:ListAssociations",
"ssm:UpdateInstanceAssociationStatus"
],
"Resource": [
"arn:aws:ssm:us-east-1:xxxxxxxxxx:document/xxxxxxxxxx",
"arn:aws:ec2:us-east-1:xxxxxxxxxx:instance/*"
]
}
]
}
Is this doable ?
Help is much appreciated. Thanks
I have made a RDS instance and want to grant one of my user to access to that RDS instance. I'm wondering how I can give this permission.
I have granted RDSFULLACESS in attach policy of my IAM user then simulate it like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:*",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"sns:ListSubscriptions",
"sns:ListTopics",
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:eu-west-1:accountIDofIAMUser:db:instancename"
}
]
}
But my user still can not access to this RDS instance,what's the problem? he can make it himself but I don't want he makes another one!
Any help would be appreciated.
Please find below policy for single user single rds start-stop access.
Create below policy and give rds arn in the resource section.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:ListTagsForResource",
"rds:DescribeDBSnapshots",
"rds:DescribeDBEngineVersions",
"rds:DescribeDBParameters",
"rds:DescribeDBParameterGroups",
"rds:StopDBInstance",
"rds:StartDBInstance"
],
"Resource": [
"arn:aws:rds:us-east-1:accountnumber:db:dbidentifier"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBInstances"
],
"Resource": "*"
}
]
}
Attach this policy to user whome you want to grant access.
If the policy above has the correct ARN for the database and is attached to the IAM user then it will allow full management actions on the RDS database, things like stopping the database or restoring a backup.
To explictly exclude the "Create" permissions, based on the list on this page
http://docs.aws.amazon.com/IAM/latest/UserGuide/list_rds.html
include all the permissions you do need, for example. In this context "Deny" always beats "Allow". "Create" permissions are ok vs. the already existing database but don't apply elsewhere.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:*",
"cloudwatch:DescribeAlarms",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"sns:ListSubscriptions",
"sns:ListTopics",
"logs:DescribeLogStreams",
"logs:GetLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:rds:eu-west-1:accountIDofIAMUser:db:instancename"
},
{
"Effect": "Deny",
"Action": [
"rds:Create*"
],
"NotResource": [
"arn:aws:rds:eu-west-1:accountIDofIAMUser:db:instancename"
]
}
]
}
I haven't tested this policy, it's just an example
If the user needs access to the database as a consumer of data then this is not managed in this way. They need to have two things for this
# network access to the RDS instance via correct networking and correctly setup security groups
# user account credentials for the database
For mysql the process of initially connecting is described here http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToInstance.html
The following AWS Policy is meant to be bound to an IAM group and then added to users. This will grant every user in the group access to their own folder on Amazon S3.
Now the problem is that with this Policy users still get Access denied in their own folder, they can not list the buckets or perform any other operations.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:username}/"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/home/${aws:username}",
"arn:aws:s3:::bucketname/home/${aws:username}/*"
]
}
]
}
What I eventually would like is that the user is able to put and get files from their own folder, but not see any of the other folders or buckets, but that doesn't seem possible with this policy.
Ideas?
Apparantly it takes up to a few minutes for the policy to apply, policy validates fine now.