I am currently trying to configure an AWS policy for CodeCommit so that only one specific repo is shown on the repository overview page in the AWS GUI.
Currently my policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"codecommit:Merge*",
"codecommit:Post*",
"codecommit:Describe*",
"codecommit:Update*",
"codecommit:Get*",
"codecommit:Test*",
"codecommit:BatchGet*",
"codecommit:GitPull",
"codecommit:Create*",
"codecommit:Put*",
"codecommit:GitPush",
"codecommit:DeleteBranch",
"codecommit:List*"
],
"Resource": "arn:aws:codecommit:eu-central-1:12345678:mycompany.drupal.myrepo.website"
}
]
}
But on the overview page I am always running into this error:
Error
User: arn:aws:iam::123456789:user/myuser#mycompany.de is not authorized to perform: codecommit:ListRepositories
My guess is that your policy is too restrictive for the AWS system being referenced ie CodeCommit. It may require List* and/or Describe*permissions to all repos, in order to perform its basic functions, such generating a list of all current repositories in the account, as it does on the overview page.
As a test, give codecommit:List* and codecommit:Describe* permissions to Resource: "*" only, as a second policy statement, leaving the more restrictive permissions referencing the specific resource as the first statement:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictCodeCommitAccessToSingleRepo",
"Effect": "Allow",
"Action": [
"codecommit:Merge*",
"codecommit:Post*",
"codecommit:Update*",
"codecommit:Get*",
"codecommit:Test*",
"codecommit:BatchGet*",
"codecommit:GitPull",
"codecommit:Create*",
"codecommit:Put*",
"codecommit:GitPush",
"codecommit:DeleteBranch"
],
"Resource": "arn:aws:codecommit:eu-central-1:12345678:mycompany.drupal.myrepo.website"
},
{
"Sid": "AllowBasicCodeCommitAccess",
"Effect": "Allow",
"Action": [
"codecommit:Describe*",
"codecommit:List*"
],
"Resource": "arn:aws:codecommit:eu-central-1:12345678:*"
}
]
I know this does not meet your objective of listing only the specific repo authorized, but you will still have denied all Create*,Put*,Update* etc type operations to all other repos. That should meet the main security objective of restricting R/W access to all other repos except mycompany.drupal.myrepo.website.
In my permission setups for users/groups, I often allow base operations like Get* List* Describe* for users to allow basic operations in the AWS console to function, even if I am more restrictive with one or more of those resources.
Unfortunately there is no way for you to do this right now. ListRepositories in CodeCommit will not filter results by authorization, this is a common pattern across many AWS services' List APIs.
AWS ListRepositories does not support resource-level permissions. This requires a wildcard (*) for the resource.
Related
I am trying to simulate an IAM policy I want to attach to a user so I can restrict their access to two buckets, one for file upload and one for file download.
The policy simulator tells me that the following policy does not work and I cannot figure out why, but it seems to be to do with the wildcards.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GetObject",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket-*-report-output/*.csv"
]
},
{
"Sid": "PutObjects",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::mybucket-*-report-input/*.csv"
]
}
]
}
The policy simulator says the following policy does work however:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GetObject",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket-*-report-output"
]
},
{
"Sid": "PutObjects",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::mybucket-*-report-input"
]
}
]
}
There must be something I am missing about how to structure the policy, but I want to restrict access to the buckets in the policy, for the operations mentioned, but I also want to ensure that the user can only add and retrieve files with .csv extension.
Below is a screenshot of the simulator:
Your policy is 100% correct - the IAM Policy Simulator is showing wrong results for some absurd reason.
I also can reproduce your problem using the above policy, and the results are all over the place - sometimes both allowed, both denied, only one allowed etc.
It seems to be having an issue with the double wildcard, and sometimes it is coming back with the wrong resource ARN being evaluated in the HTTP response being returned (I'm sometimes seeing both ARNs set to output instead of only 1 set to output in the network tab for the HTTP response - caching?).
It's not limited to PutObject either only and it's giving me loads of conflicting results with the double wildcard, even for other actions like s3:RestoreObject.
Regardless, I'm not sure what the issue is but your policy is correct - ignore IAM Policy Simulator in this case.
If you have access to AWS Support, I would create a support ticket there or post this same question as a potential bug on the AWS forums.
Evidence of a conflicting result, even though I have exactly recreated your scenario:
Invalid Action: The action s3:ListObjects does not exist. Did you mean s3:ListBucket? The API called ListObjects authorizes against the IAM action s3:ListBucket.
Getting error for policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3fileAccess",
"Effect": "Deny",
"Action": [
"s3:PutObject",
"s3:ListObjects",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::files-*",
"arn:aws:s3:::log-files-*"
]
}
]
}
That's correct, ListBucket "Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)". There is a different permission to list the buckets (ListAllMyBuckets). These names are a little odd, and I suspect it's a legacy issue, given that S3 was the first generally available service.
You can find all the permissions here: Actions, resources, and condition keys for AWS services
I want to restrict access for a specific user to see just few EC2 instances. I created a new user in IAM Roles and I attached a new Policy to it. The content of that Policy is attached below. I tried to look over documentation and to do it myself like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": [
"arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID1",
"arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID2"
]
}
]
}
I placed my region,ACCOUNT_ID(the owner id, not of the new user created) and instance-id, but when I connect with that user and I go to list all Instances I got this An error occurred fetching instance data: You are not authorized to perform this operation..
After I placed the code in JSON editor, in Policy Review step I got this message:
This policy defines some actions, resources, or conditions that do not
provide permissions. To grant access, policies must have an action
that has an applicable resource or condition. For details, choose Show
remaining Learn more
The AWS documentation mention exactly the same configuration or these examples.
I assume you connect as that user in the console (but it would be the same with CLI) Here is what I think is happening:
To list all the instances, the console most probably calls the DescribeInstances API. As per the list of action/resources/tags that can be used in IAM policy, this API does not support the resource filter in IAM.
This means your user has no authorization to list instances and they will not be shown in the console. You can validate this theory by using the CLI to request the details of a specific instance id, if my hypothesis is correct, it will be authorized.
As DescribeInstances can not be restricted by resource or tags, I don't think it is possible to filter the instance list for a user.
To have the console working, you'll need to add the following statement in your IAM policy
"Statement": [
{ your existing statement },
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
Please report if I was right :-) The example you mentioned in your question shows exactly that : Resources = * on DescribeInstances and Resources specific InstanceId on other operations.
The previous answer is wrong, you can Conditionally allow access to ec2:DescribeInstances by tag names. It's an AWS best practice as well. Also explicitly deny access to the ec2:CreateTags and ec2:DeleteTags actions to prevent users from creating or deleting tags to take control of the instance.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/UserName": "${aws:username}"
}
}
},
{
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*"
}
]
}
DescribeInstances action does not support condition.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
Is there a way to restrict the IAM policy for an EC2 instance s.t. it can only run a short list of Documents - I tried restricting access to ssm:GetDocument like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetDocument"
],
"Resource": [
"arn:aws:ssm:ap-southeast-2:*:document/MyCommand"
]
}
]}
But I can run any command on the instance still including the AWS-RunPowershellScript document.
This link shows how users can be restricted with respect to ssm:sendCommand:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/delegate-commands.html
I have not found a way to restrict SendCommand based on document. If a user does not have access, you get an error like this:
User: arn:aws:iam::123456789012:user/username is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:123456789012:instance/i-01234567890abcdef
This indicates that the Resource in SendCommand can be limited based on instance ids. It would be nice if one of the Conditions was a Document ARN, but so far I haven't found any way to do it (it's not a condition in the policy generator wizard).
Update: I posted this question on the AWS forums, hopefully I'll get a response: https://forums.aws.amazon.com/thread.jspa?threadID=249039
Update 2: I got a response and the solution is that to accomplish this you must use Resource to specify both what instances you allow commands to be run on, and what document the user is allowed to run. For example, this is what I ended up with:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:SendCommand"
],
"Resource": [
"arn:aws:ec2:*:123456789012:instance/*",
"arn:aws:ssm:*:123456789012:document/RestartServices"
]
}
]
}
Currently I have group with a policy that looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1449507915000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::artmakeit",
"arn:aws:s3:::artmakeit/*"
]
},
{
"Sid": "ListAllBuckets",
"Action": "s3:ListAllMyBuckets",
"Effect": "Allow",
"Resource": "*"
}
]
}
So, the IAM user, my client, can access his bucket correctly. But I am wondering if I can only let him see his bucket and not the complete list of my buckets. Is there a way to achieve this? I guess I should change the ListAllBuckets permission, but I don't know what to write instead, any ideas?
If users intend to access their buckets via the AWS Management Console, then they require the ListAllBuckets permission.
It is not possible to 'hide' the complete bucket list when using the console -- either they see them all or none at all.
Access via other methods (eg the AWS Command-Line Interface (CLI) or an API call) does not require that this permission be assigned.