I was trying a policy to predefine the tag values so that an instance cannot be created unless you set the required tags and their values when you launch it, i.e. the instance should have costcenter and dept as tags, and their values should be 115 and prod. Only then should we be able to launch the instance. Can someone help me with this policy?
You can try this sample, which will deny the action if only one tag is present; you can modify the code with your own tags, using multiple statement blocks for multiple policies:
{
"Sid": "AllowLaunchOnlyWithRequiredTags1",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"Null": {"aws:RequestTag/costcenter": "true"}
}
},
{
"Sid": "AllowLaunchOnlyWithRequiredTags2",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"Null": {"aws:RequestTag/stack": "true"}
}
}
Furthermore, you can list the tag enforcement as:
"Condition": {
"StringEquals": {
"aws:RequestTag/costcenter": "115",
"aws:RequestTag/stack": "prod"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": ["costcenter","stack"]
}
}
According to the AWS documentation for ForAllValues, "the ForAllValues qualifier requires all requested values to be listed in the policy".
Another way: you could do something using StringLike or StringNotLike, but it's limited to wildcards, if that works for you. Something like:
"Statement": [
{
"Sid": "DenyMissingTags",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
"Condition": {
"StringLike": {
"aws:RequestTag/costcenter": "*",
"aws:RequestTag/stack": "*"
}
}
}
]
Refer to this.
I have a use case where I need to enforce tags on a spot fleet request. I am able to enforce tags through the EC2 launch wizard, but the same does not work on instances requested through a spot fleet request.
This is my current policy to enforce tags through the EC2 launch wizard. What should be added to enforce the same for spot-fleet-request?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:network-interface/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/username": "${aws:username}",
"aws:RequestTag/REQUIRED_TAG": "true"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"REQUIRED_TAG",
"username"
]
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*::image/*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/username": "${aws:username}"
}
}
}
]
}
Policy for spot fleet request:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:RequestSpotFleet",
"ec2:ModifySpotFleetRequest",
"ec2:CancelSpotFleetRequests",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequestHistory"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:network-interface/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/username": "${aws:username}",
"aws:RequestTag/REQUIRED_TAG": "true"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"REQUIRED_TAG",
"username"
]
}
}
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:ListRoles",
"iam:ListInstanceProfiles"
],
"Resource": "*"
}
]
}
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-requests.html
I have an application which uses Cognito User Pool/Identity Pool to authenticate users and provide access to the AWS Console using a custom URL.
I want those users to see only their own resources; I have researched a lot but can't find any solution.
For S3, I tried this policy but it still says access denied. What actual value will "${cognito-identity.amazonaws.com:sub}" give?
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${cognito-identity.amazonaws.com:sub}/*"]
}
]
}
For EC2, I am using the policy below. If I hard-code some value in it works, but I want this to be dynamic for Cognito users. I tried placing but it is not working.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/owner": "<KeyValue>"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"NotResource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
]
},
{
"Effect": "Allow",
"Action": "ec2:CreateVolume",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/owner": "<KeyValue>"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": [
"CreateVolume",
"RunInstances",
"CreateSnapshot"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:TerminateInstances",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/owner": "<KeyValue>"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateSnapshot",
"Resource": [
"arn:aws:ec2:*:*:snapshot/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/owner": "<KeyValue>"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateSnapshot",
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/owner": "<KeyValue>"
}
}
}
]
}
To refer to my application, here is the link to my code. Any leads would be appreciated.
This is the policy I was trying, to allow creation of instances only when they have the tags costcenter and dept with values 115 and prod. But when I test it, the instance gets created even without these tags.
{
"Sid": "AllowTaggedInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:us-east-1:729964090428:instance/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/costcenter": "115",
"aws:RequestTag/dept": "prod"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"costcenter",
"dept"
]
}
}
},
The policy that you showed does not have enough permissions to create an instance. This means that you have another policy or role that is overriding this one.
In your policy replace the word "RequestTag" with "ResourceTag".
Note: The best policies using conditions do not use "allow if this" but instead use "deny if NOT this". A deny will override all allows.
Here is a link to help you with ResourceTags:
EC2 Resource Tags
Your policy does not have enough permissions and policies to restrict.
If you want to allow the user to create a new instance with the tags costcenter:115 and dept:prod, try the policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetConsole*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:region::image/*",
"arn:aws:ec2:region:account:subnet/*",
"arn:aws:ec2:region:account:network-interface/*",
"arn:aws:ec2:region:account:security-group/*",
"arn:aws:ec2:region:account:key-pair/*"
]
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region:account:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/costcenter": "115",
"aws:RequestTag/dept": "prod"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"costcenter",
"dept"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:region:account:*/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
}
]
}
I have created a bucket policy to try and stop hotlinking to my S3 files by people who obtain the direct URL. I only want my website to be able to access those files. However, when I link directly, even with the policy below, it still allows access to the file. The files are all set to public.
{
"Id": "Policy1491040992219",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://mywebsite.com/*"
}
},
"Principal": "*"
},
{
"Sid": "Stmt14910403436760",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "http://localhost:8888/*"
}
},
"Principal": "*"
}
]
}
Do I need to change any settings on the actual S3 bucket settings to stop all access?
Thanks!
You are missing the Deny statement. Try this policy:
{
"Version": "2008-10-17",
"Id": "Policy1491040992219",
"Statement": [
{
"Sid": "Stmt14910401236760",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
},
{
"Sid": "Stmt14910401236761",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://mywebsite.com/*",
"http://localhost:8888/*"
]
}
}
}
]
}
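An added example, not code from any post on this page: a small Python model of how IAM evaluates the policies discussed above, serving both the EC2 tag-enforcement question (costcenter/dept with 115/prod, and the answers using Null, ForAllValues and a Deny) and the S3 Referer answer just above. It shows why an Allow-only statement cannot block an untagged launch when another policy grants ec2:*, why an explicit Deny does, how a missing request key behaves under plain versus StringNot* operators (a direct link sends no Referer), why ForAllValues passes an empty tag set, and why two keys inside one condition block are AND-ed. Every policy, ARN, account id and request context in it is constructed for the demonstration; NotAction, NotResource, Principal, policy variables and ACLs are not modelled.

```python
# Added example: a model of IAM evaluation for the operators used on this page.
# Modelled: Allow/Deny, Action/Resource wildcards, StringEquals/StringLike and
# their StringNot* forms, Null, ForAllValues/ForAnyValue. Not modelled: NotAction,
# NotResource, Principal, ${...} variables, ACLs. All values below are constructed.
import re

def _like(value, pattern):
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _string_op(op, value, wanted):
    """StringEquals / StringLike against the policy's value list (values are OR-ed)."""
    return value in wanted if op == "StringEquals" else any(_like(value, p) for p in wanted)

def condition_matches(condition, ctx):
    """Operator blocks are AND-ed and keys inside one block are AND-ed. A key missing
    from the request makes plain operators false, StringNot* operators true and
    Null:"true" true; the set qualifiers treat a missing key as an empty set."""
    for operator, keys in condition.items():
        qualifier, _, op = operator.rpartition(":")   # ("ForAllValues", ":", "StringEquals")
        negated = op.startswith("StringNot")
        base = op.replace("Not", "", 1)                 # StringNotLike -> StringLike
        for key, wanted in keys.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if op == "Null":
                ok = (wanted[0] == "true") == (key not in ctx)
            elif qualifier:
                hits = [_string_op(base, v, wanted) != negated for v in ctx.get(key, [])]
                ok = all(hits) if qualifier == "ForAllValues" else any(hits)  # all([]) is True
            elif key not in ctx:
                ok = negated
            else:
                ok = _string_op(base, ctx[key], wanted) != negated
            if not ok:
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """'Deny' if any matching statement is an explicit deny (it always wins), else
    'Allow' if one matched, else 'ImplicitDeny' (these policies say nothing; a grant
    from elsewhere, such as a public S3 ACL, may still apply)."""
    decision = "ImplicitDeny"
    for stmt in (s for p in policies for s in p["Statement"]):
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if (any(_like(action, a) for a in actions) and any(_like(resource, r) for r in resources)
                and condition_matches(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

RUN, INST = "ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"  # constructed
EC2_INST = "arn:aws:ec2:*:*:instance/*"
BROAD = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}  # the "other policy"
ALLOW_TAGGED = {"Statement": [{"Effect": "Allow", "Action": RUN, "Resource": EC2_INST, "Condition": {
    "StringEquals": {"aws:RequestTag/costcenter": "115", "aws:RequestTag/dept": "prod"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["costcenter", "dept"]}}}]}

def deny_unless_tag(key, value):
    """Deny unless tag `key` equals `value`; StringNotEquals also fires when the key is missing."""
    return {"Effect": "Deny", "Action": RUN, "Resource": EC2_INST,
            "Condition": {"StringNotEquals": {f"aws:RequestTag/{key}": value}}}

ENFORCE = {"Statement": [deny_unless_tag("costcenter", "115"), deny_unless_tag("dept", "prod")]}
# Both presence checks in ONE Null block are AND-ed, so this only fires when both tags are absent.
MERGED_NULL = {"Statement": [{"Effect": "Deny", "Action": RUN, "Resource": EC2_INST, "Condition": {
    "Null": {"aws:RequestTag/costcenter": "true", "aws:RequestTag/dept": "true"}}}]}

def ec2_decisions():
    untagged = {}
    half = {"aws:RequestTag/costcenter": "115", "aws:TagKeys": ["costcenter"]}
    good = {"aws:RequestTag/costcenter": "115", "aws:RequestTag/dept": "prod", "aws:TagKeys": ["costcenter", "dept"]}
    wrong = {"aws:RequestTag/costcenter": "115", "aws:RequestTag/dept": "test", "aws:TagKeys": ["costcenter", "dept"]}
    return {
        "allow_only/untagged": evaluate([ALLOW_TAGGED, BROAD], RUN, INST, untagged),  # Allow: BROAD grants it
        "enforce/untagged": evaluate([ENFORCE, BROAD], RUN, INST, untagged),          # Deny
        "enforce/half": evaluate([ENFORCE, BROAD], RUN, INST, half),                  # Deny
        "enforce/wrong": evaluate([ENFORCE, BROAD], RUN, INST, wrong),                # Deny
        "enforce/good": evaluate([ENFORCE, BROAD], RUN, INST, good),                  # Allow
        "merged_null/half": evaluate([MERGED_NULL, BROAD], RUN, INST, half),          # Allow: slipped through
        "for_all_values/no_tags": condition_matches({"ForAllValues:StringEquals": {"aws:TagKeys": ["costcenter", "dept"]}}, untagged),  # True
        "for_any_value/one_tag": condition_matches({"ForAnyValue:StringEquals": {"aws:TagKeys": ["costcenter", "dept"]}}, half),  # True
    }

OBJ, SITES = "arn:aws:s3:::bucketname/photo.jpg", ["https://mywebsite.com/*", "http://localhost:8888/*"]
REFERER_ALLOW = {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucketname/*",
                 "Condition": {"StringLike": {"aws:Referer": SITES}}}
REFERER_DENY = {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucketname/*",
                "Condition": {"StringNotLike": {"aws:Referer": SITES}}}

def s3_decisions():
    allow_only, with_deny = [{"Statement": [REFERER_ALLOW]}], [{"Statement": [REFERER_ALLOW, REFERER_DENY]}]
    direct, site, other = {}, {"aws:Referer": "https://mywebsite.com/gallery"}, {"aws:Referer": "https://other.example/"}
    return {
        "allow_only/direct": evaluate(allow_only, "s3:GetObject", OBJ, direct),  # ImplicitDeny: public ACL still grants
        "with_deny/direct": evaluate(with_deny, "s3:GetObject", OBJ, direct),    # Deny: no Referer -> StringNotLike true
        "with_deny/site": evaluate(with_deny, "s3:GetObject", OBJ, site),        # Allow
        "with_deny/other": evaluate(with_deny, "s3:GetObject", OBJ, other),      # Deny
    }
```

Call `ec2_decisions()` and `s3_decisions()` to see the decision for each scenario. The `merged_null/half` case is the reason the tag-enforcement answer above uses one Deny statement per required tag, and `allow_only/direct` is why the bucket policy without its Deny statement never blocked direct links: an Allow that does not match simply says nothing, and the public ACL decides.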
Story: "As a user responsible for issuing refunds, I would like to be able to download from any AWS s3 folder that contains the name 'New Sales File'"
This is the first time I've needed to do a wildcard at the start of a prefix. What should this prefix line be: "s3:prefix": "//New Sales File/*"
Full policy is below. [DELETED represents sensitive information that I removed -- values don't match pattern]
{
"Statement": [
{
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::DELETED"
]
},
{
"Action": [
"s3:Get*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::DELETED"
],
"Condition": {
"StringLike": {
"s3:prefix": "*/*/New Sales File/*"
},
"StringEquals": {
"s3:delimiter": "/"
}
}
},
{
"Action": [
"s3:*"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::DELETED"
],
"Condition": {
"StringLike": {
"s3:prefix": "*/*/DELETED/"
},
"StringEquals": {
"s3:delimiter": "/"
}
}
},
{
"Action": [
"s3:*"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::DELETED"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "DELETED"
}
}
}
]
}