I am trying to understand the below policy
Policies:
  - PolicyName: InstanceIAMPolicy
    PolicyDocument:
      # Quoted so YAML does not parse the version as a date
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - 'ssm:DescribeAssociation'
            - 'ssm:GetDeployablePatchSnapshotForInstance'
            - 'ssm:GetDocument'
            - 'ssm:GetManifest'
            - 'ssm:GetParameters'
            - 'ssm:ListInstanceAssociations'
            - 'ssm:PutComplianceItems'
            - 'ssm:PutConfigurePackageResult'
            - 'ssm:UpdateAssociationStatus'
            - 'ssm:UpdateInstanceAssociationStatus'
            - 'ssm:UpdateInstanceInformation'
          Resource: '*'
        - Effect: Allow
          Action:
            - 'ec2messages:AcknowledgeMessage'
            - 'ec2messages:FailMessage'
            - 'ec2messages:GetEndpoint'
            - 'ec2messages:GetMessages'
            - 'ec2messages:SendReply'
          Resource: '*'
My question is related to the resource parameter mentioned as *. Does that mean that the actions can be performed on any resource within your AWS infrastructure? I am really new to CloudFormation templates and AWS. Thanks for your help.
The short answer is YES.
In your template you have two sections under Statements. Each section is defining "allow" actions. For each section you are "allowing" the APIs for ALL RESOURCES. The first section is for SSM and the second is for SSM EC2Messages.
Note: based upon the allow actions, you can merge those two sections together.
This link will help you with CloudFormation Templates:
Working with AWS CloudFormation Templates
The CloudFormation template in your question is creating an IAM policy. Your question is really about how wildcards work in IAM policies. The * wildcard in an IAM policy Resource element means that something with this IAM policy applied to it can perform the listed actions against any resource in your AWS account.
The policy appears to be a policy you would apply to an EC2 instance profile to allow the AWS SSM agent to perform any SSM tasks on that EC2 instance. Since the resource is specified as the * wildcard, the SSM agent could, for example, download any SSM document you send it (ssm:GetDocument). This basically allows the SSM agent to work correctly on the EC2 instance, without requiring you to grant it specific access to each thing you need it to do, every time you trigger it in the future.
Related
I have a policy, defined as a CloudFormation template below. I want to be able to describe what AWS resources they can create via the CFN template. How do I do that? I have attached a sample example below.
Type: 'AWS::IAM::Policy'
Properties:
  PolicyName: CFNUsers
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - 'cloudformation:Describe*'
          - 'cloudformation:List*'
          - 'cloudformation:Get*'
        Resource: '*'
Your policy has three Actions:
- 'cloudformation:Describe*'
- 'cloudformation:List*'
- 'cloudformation:Get*'
These actions can be performed on all (*) CloudFormation (CFN) stacks, not "any IAM roles, users or other aws resources". This is because only CFN stacks can be acted upon using these three actions.
AWS::IAM::Policy is a managed IAM policy. Such policies must be attached to an IAM user, role or group. This way you give permissions to perform the three actions on CFN stacks to whoever/whatever you are going to attach the policy to.
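An added example, not from the original posts, that makes two points above concrete (the meaning of Resource '*' in the first thread and the expansion of cloudformation:Describe* in this one): it flags Allow statements whose Resource is the bare wildcard and expands an Action pattern against a constructed sample of action names, following IAM's '*' and '?' matching rules.

```python
import re

# Added example, not from the original posts: audit an IAM policy for wildcard
# scope. Matching follows IAM's rules: '*' matches any run of characters,
# '?' matches exactly one, and action names compare case-insensitively.

def iam_match(pattern, value):
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def expand_actions(pattern, known_actions):
    """Known actions that an Action pattern such as 'cloudformation:Describe*' grants."""
    return sorted(a for a in known_actions if iam_match(pattern, a))

def audit_policy(policy):
    """One finding per Allow statement: its actions and whether Resource is the
    bare '*' wildcard, i.e. every resource in the account."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        findings.append({
            "index": i,
            "actions": as_list(stmt["Action"]),
            "any_resource": "*" in as_list(stmt.get("Resource", [])),
        })
    return findings

# Constructed sample: the CFNUsers policy from the question above.
CFN_USERS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudformation:Describe*", "cloudformation:List*", "cloudformation:Get*"]}]}

# Constructed, deliberately partial list of real CloudFormation action names,
# used only to show how a Describe* pattern expands.
SAMPLE_ACTIONS = [
    "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
    "cloudformation:ListStacks", "cloudformation:GetTemplate",
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
]

if __name__ == "__main__":
    print(audit_policy(CFN_USERS_POLICY))
    print(expand_actions("cloudformation:Describe*", SAMPLE_ACTIONS))
```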
I am deploying a CloudFormation template to AWS. A role for my Lambda invocation is being created by a template that I am importing, and I cannot modify it directly. I wish to modify that role to attach the AWS managed policy AWSLambdaVPCAccessExecutionRole that already exists in my AWS account. So far, all of my searches have come up empty.
I have found instructions for how to create a new role with an existing managed policy
I have found instructions for how to create a new policy and attach it to an existing role.
I have found instructions for how to Update a Stack using the AWS console or the CLI, but not via a template (YAML or JSON)
I have found instructions for calling something called aws_iam_role_policy_attachment in something called Terraform, but that is not available to me
I am hoping for something like the following but I cannot find any evidence of this existing anywhere. Is there anything that can do what I am trying to do?
---
Resources:
  AdditionalRolePermissions:
    Type: "AWS::IAM::RolePolicyAttachment"
    Properties:
      Roles:
        - Ref: ExistingRole
      PolicyName:
        - Ref: ExistingPolicy
The best solution I have come up with so far is to create a new policy that has a manually created PolicyDocument that is the same as the existing one for AWSLambdaVPCAccessExecutionRole and attach it to the role upon creation. I would prefer not to do that though because it will be harder to maintain.
Unfortunately, you cannot do this in pure CloudFormation unless you create a custom resource, but this isn't really pure CloudFormation at that point, as you'd need to create a Lambda and other resources to implement the custom resource. There is no concept of a policy attachment in CloudFormation presently, and these attachments only happen when you define a policy or role resource.
The simplest thing would be to go with your solution of creating a policy that duplicates AWSLambdaVPCAccessExecutionRole. That policy is fairly simple and shouldn't clutter up your CloudFormation template too much compared to some other complicated policies.
It is possible as of 2021. Please see: https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-attach-managed-policy/
Example:
AWSTemplateFormatVersion: '2010-09-09'
Description: something cool
Resources:
  IAM:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      RoleName: some_role_name
      # Existing managed policies are attached by ARN through ManagedPolicyArns;
      # the Policies property only accepts inline PolicyName/PolicyDocument pairs.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
I'm creating an RDS cluster and, in the same template, a policy with some permissions to allow particular actions over that cluster.
Statement:
  - Effect: Allow
    Action:
      - 'rds-data:BatchExecuteStatement'
      - 'rds-data:ExecuteStatement'
    Resource: 'arn:aws:rds:us-east-1:1111111111:cluster:production-mycluster-rdscluster-no1yzvzs29sq'
The problem is that AWS::RDS::DBCluster does not support Fn::GetAtt ARN, and, since RDS adds that random string at the end of the ARN (in this example no1yzvzs29sq), I don't know how I can use something like a wildcard to "whitelist" part of the name.
I would like something like
arn:aws:rds:us-east-1:1111111111:cluster:production-mycluster-rdscluster-*
But it doesn't work. I would appreciate help!
You can construct the ARN based on the Cluster name yourself.
For example:
Statement:
  - Effect: Allow
    Action:
      - 'rds-data:BatchExecuteStatement'
      - 'rds-data:ExecuteStatement'
    Resource: !Sub 'arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:cluster:${MyDBCluster}'
Based on the docs:
Amazon RDS Data API does not support specifying a resource ARN in the Resource element of an IAM policy statement. To allow access to Amazon RDS Data API, specify “Resource”: “*” in your policy.
So at this point it looks like you're stuck with a policy that looks like
Statement:
  - Effect: Allow
    Action:
      - 'rds-data:BatchExecuteStatement'
      - 'rds-data:ExecuteStatement'
    Resource: '*'
I am trying to create a full access role (using an AWS Managed Policy) to all EC2 instances to call AWS services via Cloudformation in YAML.
This is my code:
AWSTemplateFormatVersion: 2010-09-09
Description: Ansible Role
Resources:
  AnsibleRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: 'Allow'
            Action: 'ec2:*'
            Principal:
              Service: 'ec2.awsamazon.com'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'
      RoleName: 'EC2-FullAccess'
    DeletionPolicy: Delete
I get the following error:
Invalid principal in policy: "SERVICE":"ec2.awsamazon.com"
(Service: AmazonIdentityManagement; Status Code: 400; Error
Code: MalformedPolicyDocument; Request ID: e43214f8-b6f9-11e9-9891-4dc84fd279dd)
I am perplexed as to why it doesn't recognize the service. Additionally, if I change Action: 'ec2:*' to Action: 'sts.AssumeRole' I get another error.
Any assistance is greatly appreciated.
There are multiple issues with your template:
The service identifier is malformed. It should be 'ec2.amazonaws.com'.
The action must be 'sts:AssumeRole'. This is the only action which is valid inside an IAM trust policy.
The DeletionPolicy is not necessary because it is the default for this resource.
Set the RoleName only if really necessary because IAM names are global on a per-account basis and you cannot execute multiple stacks when using this attribute.
For more information see the AWS CloudFormation template examples.
You use the correct managed policy ARN if you want to grant your new role permission to call all kinds of EC2 actions. If you want to restrict your Ansible role further, take a look at the example policies for EC2 in the docs [1][2]. They are much more restrictive (and thus secure) than the managed full access policy AmazonEC2FullAccess. Maybe the other managed policies, such as AmazonEC2ReadOnlyAccess [3], are also feasible?
References
[1] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html
[2] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html
[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html#intro-to-iam
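A pre-deployment check for the trust-policy mistakes listed in this answer, as an added example (not from the original post). The rules it enforces are assumptions of the example: a Service principal must end in .amazonaws.com, and the only permitted actions are sts:AssumeRole*, sts:TagSession and sts:SetSourceIdentity; the sample documents are constructed from the question above.

```python
import re

# Added example, not from the original posts: pre-deployment check of an
# AWS::IAM::Role AssumeRolePolicyDocument for the mistakes discussed above.
# Assumed rules: a Service principal must end in ".amazonaws.com", and a trust
# policy statement may only grant sts:AssumeRole*, sts:TagSession or
# sts:SetSourceIdentity.

SERVICE_PRINCIPAL = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$")
TRUST_ACTIONS = ("sts:assumerole", "sts:tagsession", "sts:setsourceidentity")

def as_list(v):
    return v if isinstance(v, list) else [v]

def check_trust_policy(doc):
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        for action in as_list(stmt.get("Action", [])):
            if not action.lower().startswith(TRUST_ACTIONS):
                problems.append(f"statement {i}: {action!r} is not a valid trust-policy action")
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"statement {i}: principal '*' lets any AWS account assume this role")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        for svc in services:
            if not SERVICE_PRINCIPAL.match(svc):
                problems.append(f"statement {i}: service principal {svc!r} is malformed")
    return problems

# Constructed samples: the trust policy from the question above, and the version
# corrected as the answer describes.
BROKEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Principal": {"Service": "ec2.awsamazon.com"}}]}
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}}]}

if __name__ == "__main__":
    print(check_trust_policy(BROKEN_TRUST))  # two problems
    print(check_trust_policy(FIXED_TRUST))   # []
```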
I have started getting the following error recently on the Release change action in the AWS CodePipeline console. Also attaching the screenshot.
Action execution failed
Insufficient permissions The provided role does not have permissions
to perform this action. Underlying error: Access Denied (Service:
Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID:
CA26EF93E3DAF8F0; S3 Extended Request ID:
mKkobqLGbj4uco8h9wDOBjPeWrRA2ybCrEsVoSq/MA4IFZqJb6QJSrlNrKk/EQK40TfLbTbqFuQ=)
I can't find any resources online anywhere for this error code.
Your pipeline is trying to access an S3 bucket, but the AWS CodePipeline ServiceRole does not have permission to access it. Create an IAM policy that provides access to S3 and attach it to the CodePipeline service role.
As #Jeevagan said, you must create a new IAM Policy that grants access to the Pipeline Buckets.
Do not forget to add the following actions:
Action:
  - "s3:GetObject"
  - "s3:List*"
  - "s3:GetObjectVersion"
I lost a few minutes because of this one in particular: GetObjectVersion
By checking your codedeploy-output, you'll be able to see that the process is downloading a particular version of your artefact with the parameter "versionId".
Hope it will help.
You are missing the GetBucketVersioning action in your policy, so the correct example looks like below. I don't know why it's not mentioned anywhere in the reference/documentation:
- PolicyName: AccessRequiredByPipeline
  PolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Action:
          - s3:PutObject
          - s3:GetObject
          - s3:GetObjectVersion
        Effect: Allow
        Resource: !Sub ${YouBucket.Arn}/*
      - Action:
          - s3:GetBucketVersioning
        Resource: !Sub ${YouBucket.Arn}
        Effect: Allow
      - Action:
          - kms:GenerateDataKey
          - kms:Decrypt
        Effect: Allow
        Resource: !GetAtt KMSKey.Arn
Another potential culprit that masquerades behind this error that references S3 is missing KMS permissions on the IAM Role for the CodePipeline. If you configured your CodePipeline to use KMS encryption, then the service role used/associated with the CodePipeline will also need KMS permissions to that KMS key in order to interact with the KMS-encrypted objects in S3. In my experience, the missing KMS permissions will cause the same error message to appear which references S3.
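An added example (not from any of the answers above) that evaluates a CodePipeline service role policy against the S3 and KMS actions this thread identifies, using the simplified rule that an explicit Deny wins and any matching Allow grants access; the bucket, key and object ARNs are constructed placeholders.

```python
import re

# Added example, not from the original posts: check the policy attached to a
# CodePipeline service role against the S3 and KMS actions the answers above
# found necessary. Bucket and key ARNs are constructed placeholders.

ARTIFACT_BUCKET_ARN = "arn:aws:s3:::example-pipeline-artifacts"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# (action, resource it must be allowed on) pairs taken from the answers above.
REQUIRED = [
    ("s3:GetObject", ARTIFACT_BUCKET_ARN + "/source/app.zip"),
    ("s3:GetObjectVersion", ARTIFACT_BUCKET_ARN + "/source/app.zip"),
    ("s3:PutObject", ARTIFACT_BUCKET_ARN + "/build/app.zip"),
    ("s3:GetBucketVersioning", ARTIFACT_BUCKET_ARN),
    ("kms:Decrypt", KMS_KEY_ARN), ("kms:GenerateDataKey", KMS_KEY_ARN),
]

def iam_match(pattern, value, ignore_case):
    # IAM wildcards: '*' any run, '?' one char. Actions are case-insensitive, ARNs are not.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise
    any matching Allow grants access. Condition elements are ignored."""
    verdict = False
    for stmt in policy["Statement"]:
        if any(iam_match(a, action, True) for a in as_list(stmt["Action"])) and \
           any(iam_match(r, resource, False) for r in as_list(stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

def missing_permissions(policy):
    return [(a, r) for a, r in REQUIRED if not allowed(policy, a, r)]

# Constructed: a role policy that reproduces the AccessDenied symptom. It covers
# the objects but neither the bucket-level GetBucketVersioning call nor the key.
INCOMPLETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
     "Resource": ARTIFACT_BUCKET_ARN + "/*"}]}

if __name__ == "__main__":
    print(missing_permissions(INCOMPLETE_POLICY))
```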
I just ran into this issue, but the permissions were all set properly; I used the same CloudFormation template with other projects with no problem. It turned out that the key name I was using in the S3 bucket was too long. Apparently it doesn't like anything more than 20 characters. Once I changed the key name in my S3 bucket (and all of its associated references in the CloudFormation template files), everything worked properly.
I ran into the same issue when I used CloudFormation to build my CI/CD; my problem was that the CodePipeline ArtifactStore pointed to the wrong location in S3 ("codepipeline", a folder that was not allowed access in my case). Changing the ArtifactStore to an existing folder fixed my issue.
You can view pipeline details like where the SourceArtifact is pointed by following this link