I added the following IP access restriction to my AWS Elasticsearch access policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:000000000000:domain/tst/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "XX.XX.XX.XX"
          ]
        }
      }
    }
  ]
}
I have a Lambda function and a Kinesis Firehose reading and writing the Elasticsearch index. How could I add Lambda and Kinesis Firehose permissions to my Elasticsearch access policy?
Finally I solved it as follows.
Adding the following policy to AWS Elasticsearch:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:user/admin"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:<account-id>:domain/example-domain/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:<account-id>:domain/example-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "<my-ip>"
        }
      }
    }
  ]
}
Adding the following policy to the IAM user with the security credentials:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "elasticsearchFullAccess",
      "Effect": "Allow",
      "Action": [
        "es:*"
      ],
      "Resource": [
        "arn:aws:es:us-east-1:<account-id>:domain/*"
      ]
    }
  ]
}
Sign requests using this.
I solved this thanks to this question.
I am trying to implement an AWS tagging policy at the AWS Organization level.
This will cover many AWS services, but the immediate issue is related to EC2.
This policy results in an error when I try to use the AWS CLI command: ec2 run-instances.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyResourceCreationSCP",
      "Effect": "Deny",
      "Action": [
        "ec2:Create*",
        "ec2:Run*",
        "elasticfilesystem:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/project": "true"
        }
      }
    }
  ]
}
However, this policy succeeds.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyResourceCreationSCP",
      "Effect": "Deny",
      "Action": [
        "ec2:Create*",
        "elasticfilesystem:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/project": "true"
        }
      }
    },
    {
      "Sid": "DenyResourceCreationSCPEC2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstance"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/project": "true"
        }
      }
    }
  ]
}
Can someone please explain why the full "*" wildcard resource does not work for EC2 RunInstance?
Why do the volume, instance, security-group and network-interface resource types need to be explicit?
Thanks
We are in the process of moving all of our IAM users to AWS SSO.
We used to have this IAM policy for SageMaker:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:StartNotebookInstance",
        "sagemaker:UpdateNotebookInstance"
      ],
      "Resource": "arn:aws:sagemaker:::notebook-instance/${aws:username}*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListCodeRepositories"
      ],
      "Resource": "*"
    }
  ]
}
This would give each user access to use his/her own notebook in SageMaker.
Now on the new SSO permission set I gave this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:CreateScript",
        "secretsmanager:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:Describe*",
        "sagemaker:StartNotebookInstance",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:*"
      ],
      "Resource": "arn:aws:sagemaker:::notebook-instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Owner": "${identitystore:UserId}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags",
        "sagemaker:Describe*",
        "sagemaker:StartNotebookInstance"
      ],
      "Resource": "*"
    }
  ]
}
This is what I tried, but I can't make it work. Please assist.
I also tried using the attributes and many other things,
but I just can't make it work.
Please, if you have any suggestions.
Apparently on the SSO permission set we must write the region and account number of the resource,
so the fix was just adding that to the resource part, like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:CreateScript",
        "secretsmanager:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListTags",
        "sagemaker:DeleteNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "sagemaker:CreatePresignedNotebookInstanceUrl",
        "sagemaker:Describe*",
        "sagemaker:StartNotebookInstance",
        "sagemaker:UpdateNotebookInstance",
        "sagemaker:CreatePresignedDomainUrl"
      ],
      "Resource": "arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:ResourceTag/Owner": "${identitystore:UserId}"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListNotebookInstanceLifecycleConfigs",
        "sagemaker:ListNotebookInstances",
        "sagemaker:ListCodeRepositories"
      ],
      "Resource": "*"
    }
  ]
}
Thanks to Yash_c from repost.aws.
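To show why adding the region and account to the Resource ARN mattered, here is an added example (not from the posts above and not AWS's code) that matches ARNs field by field, expands the ${identitystore:UserId} policy variable and applies the ResourceTag condition. The account id, user ids and notebook name are constructed, and the "before" statement uses the same sagemaker:ResourceTag/Owner key as the fix so that only the ARN differs.

```python
import fnmatch
import re

def arn_matches(pattern, arn):
    """Field-wise ARN match: all six colon-separated fields must match individually, so an
    empty region or account in the pattern only matches an ARN whose field is also empty."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))

def expand_variables(value, ctx):
    """Replace ${key} policy variables with request-context values; unknown keys stay literal."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), value)

def statement_allows(stmt, ctx):
    """True when the action, the resource ARN and every StringEquals condition match ctx."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in actions):
        return False
    if not arn_matches(expand_variables(stmt["Resource"], ctx), ctx["resource"]):
        return False
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) != expand_variables(wanted, ctx):
            return False
    return True

# Constructed permission-set statement before and after the fix; only the Resource ARN differs.
BEFORE = {"Effect": "Allow", "Action": "sagemaker:StartNotebookInstance",
          "Resource": "arn:aws:sagemaker:::notebook-instance/*",
          "Condition": {"StringEquals": {"sagemaker:ResourceTag/Owner": "${identitystore:UserId}"}}}
AFTER = dict(BEFORE, Resource="arn:aws:sagemaker:us-east-1:111122223333:notebook-instance/*")

def request(owner_tag, user_id="user-0001"):
    """Constructed context: SSO user user_id starts a notebook whose Owner tag is owner_tag."""
    return {"action": "sagemaker:StartNotebookInstance",
            "resource": "arn:aws:sagemaker:us-east-1:111122223333:notebook-instance/alice-nb",
            "identitystore:UserId": user_id, "sagemaker:ResourceTag/Owner": owner_tag}
```

With the empty region and account the statement never matches a real notebook ARN, so the tag condition is never even reached.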
I'm unable to access an AWS ES cluster that has the following access policy. My IP is one of the IPs listed; please advise if there is something missing.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "52.000.000.07",
            "54.00.000.000"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
          "arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*"
    }
  ]
}
I did some more digging, I believe this is what you are looking for:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
          "arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "52.000.000.07",
            "54.00.000.000"
          ]
        }
      }
    }
  ]
}
There is some more detail here in my repo wiki page.
How to create an AWS policy giving access to some IP addresses OR a Lambda for the Elasticsearch service?
So that there is access to ES from the IPs and that the Lambda has access too.
This is not working for me:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "xxx",
            "xxx"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:lambda:eu-central-1:xxx:function:xxx"
        }
      }
    }
  ]
}
Thanks for help.
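The questions above about granting a Lambda (or Firehose) role access alongside an IP allow list (the first thread, and the two Elasticsearch threads just above) come down to how statements combine: each statement is evaluated on its own, so a Condition restricts only the statement it sits in. The toy evaluator below is an added example, not AWS's engine and not code from the posts; the domain, role and network values are constructed, and it assumes the Lambda's request arrives signed with its execution role from an IP outside the allow list. It contrasts two Allow statements (IP list with Principal "*", plus the role with no IP condition) with a single statement carrying both, which requires the role and the IP together.

```python
import fnmatch
import ipaddress

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _ip_condition_holds(cond, ctx):
    # Only the IpAddress/aws:SourceIp operator used by the policies above is modelled.
    if any(op != "IpAddress" or set(v) != {"aws:SourceIp"} for op, v in cond.items()):
        raise ValueError("condition operator or key not modelled")
    nets = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
    src = ctx.get("aws:SourceIp")  # None when the caller has no usable client IP
    return not nets or (src is not None and any(
        ipaddress.ip_address(src) in ipaddress.ip_network(n, strict=False) for n in nets))

def _principal_matches(stmt, ctx):
    p = stmt["Principal"]
    allowed = _as_list(p if isinstance(p, str) else p.get("AWS", []))
    return "*" in allowed or ctx["principal"] in allowed

def evaluate(policy, ctx):
    """Explicit Deny wins; otherwise any matching Allow statement allows; else implicit Deny."""
    decision = "Deny"
    for s in policy["Statement"]:
        if not (_principal_matches(s, ctx)
                and any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(s["Action"]))
                and any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(s["Resource"]))
                and _ip_condition_holds(s.get("Condition", {}), ctx)):
            continue  # statement does not apply to this request
        if s["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

DOMAIN = "arn:aws:es:eu-west-1:111122223333:domain/poc/*"  # constructed values below, not from the posts
ROLE = "arn:aws:iam::111122223333:role/lambda-es-role"
OFFICE_NET = "198.51.100.0/24"
TWO_STATEMENTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": DOMAIN,
     "Condition": {"IpAddress": {"aws:SourceIp": [OFFICE_NET]}}},
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "es:*", "Resource": DOMAIN}]}
ONE_STATEMENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "es:*", "Resource": DOMAIN,
     "Condition": {"IpAddress": {"aws:SourceIp": [OFFICE_NET]}}}]}
def decide(policy, principal, source_ip):
    """Decision for an es:ESHttpPost to the domain; principal 'anonymous' means an unsigned request."""
    ctx = {"principal": principal, "action": "es:ESHttpPost", "aws:SourceIp": source_ip,
           "resource": "arn:aws:es:eu-west-1:111122223333:domain/poc/logs/_doc"}
    return evaluate(policy, ctx)
```

The single-statement form is the stricter one: the role is only allowed when it also calls from the listed network, which a Lambda without a fixed egress address cannot satisfy.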
I'm trying to create a policy to only read/put/list my bucket and a directory in it.
I've written this policy:
{
  "Version": "2014-05-19",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:Put*", "s3:Get*" ],
      "Resource": "arn:aws:s3:::<mybucket>/<mydirectoryinbucket>/*"
    }
  ]
}
{
  "Version": "2014-05-19",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Condition": { "StringLike": { "s3:prefix": "<mydirectoryinbucket>/*" } },
      "Resource": "arn:aws:s3:::<mybucket>"
    }
  ]
}
But I get an error on the last line of the first policy... the error is only a syntax error, with no additional information.
Where did I go wrong?
You're at the very least missing the principal, which defines the entity that is allowed or denied access to a resource.
I took your policy, added the wildcard * to denote 'any' principal, and regenerated it with the IAM Policy Generator. Try this:
{
  "Id": "Policy1432045314996",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicGetAndPutPolicy",
      "Action": [
        "s3:Get*",
        "s3:Put*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<mybucket>/<mydirectoryinbucket>/*",
      "Principal": "*"
    },
    {
      "Sid": "PublicListPolicy",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<mybucket>",
      "Condition": {
        "StringLike": {
          "s3:prefix": "<mydirectoryinbucket>/*"
        }
      },
      "Principal": "*"
    }
  ]
}
Documentation:
Specifying a Principal in a Policy
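Since the console reports only a generic syntax error, a structural pre-check can localise it before the policy is submitted. The linter below is an added example, not AWS's validator and not the answerer's tool: it parses the document (a trailing comma is the usual JSON failure), checks the Version value (IAM accepts only 2012-10-17 and 2008-10-17), the required statement keys, and whether a Principal is present when the document is meant as a resource-based (bucket) policy. It is run against a constructed copy of the first policy above with placeholder bucket and directory names.

```python
import json

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}

def lint_policy(text, resource_based=False):
    """Return a list of problems found; an empty list means the document passed these checks."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:  # e.g. a trailing comma after the last array element
        return [f"not valid JSON: {e.msg} at line {e.lineno} column {e.colno}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    version = doc.get("Version")
    if version not in VALID_VERSIONS:
        problems.append(f"Version {version!r} is not one of {sorted(VALID_VERSIONS)}")
    stmts = doc.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    if not stmts:
        problems.append("Statement is missing or empty")
    for i, s in enumerate(stmts):
        label = s.get("Sid") or f"statement[{i}]"
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{label}: Effect must be Allow or Deny")
        if not {"Action", "NotAction"} & set(s):
            problems.append(f"{label}: Action (or NotAction) is required")
        if not {"Resource", "NotResource"} & set(s):
            problems.append(f"{label}: Resource (or NotResource) is required")
        has_principal = bool({"Principal", "NotPrincipal"} & set(s))
        if resource_based and not has_principal:
            problems.append(f"{label}: Principal is required in a resource-based (bucket) policy")
        if not resource_based and has_principal:
            problems.append(f"{label}: Principal is not allowed in an identity-based policy")
    return problems

# Constructed copy of the first policy above (same shape and Version value, placeholder names).
FIRST_POLICY = """{
  "Version": "2014-05-19",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:Put*", "s3:Get*" ],
      "Resource": "arn:aws:s3:::example-bucket/reports/*"
    }
  ]
}"""
```

Run as an identity policy it flags only the Version value; run with resource_based=True it also reports the missing Principal that the answer above points out.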