How to give access to a IAM user to only access resources created by Elastic bean, i.e. The S3 bucket and the EC2 instances. The user should not be able to access any other S3 bucket or EC2 instance not created with Elastic Beanstalk.
The same policy should apply to EC2 instances created automatically via the Auto Scaling policy.
You can go with the "tags" approach. You can set elasticbeanstalk and autoscaling launch configuration to create instances with a predefined "tags" . And you can allow users to see only this tags.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": "*",
"Condition": {"StringEquals": {"ec2:ResourceTag/department": "dev"}}
}
]
}
There could be better approaches, we should wait and see other responses.
best,
Related
I want to export data from DocumentDB compatible with MongoDB as source in account A to S3 as target in Account B in AWS.
Can I achieve this by vpc peering and what else do I have to do for cross account DMS from DocumentDB to S3
That kind of depends on where your replication instance lives.
If you place the replication instance in the same VPC as the DocumentDB, you won't even need VPC Peering.
Just set up the security groups to allow the replication instance to reach your DocumentDB and set it up as a Source Endpoint.
Assuming the replication instance has internet access or you've configured an S3 VPC endpoint, you can set up the S3-Bucket as a target. The role you configure when setting up the target, needs to have access to the S3 bucket.
Sample policy you can attach to the target role from the documentation:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectTagging"
],
"Resource": [
"arn:aws:s3:::buckettest2/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::buckettest2"
]
}
]
}
The bucket in the target account needs to have a bucket policy that allows the same actions from the role in the source account. The policy will be almost identical, except that you also need to add the principal.
I am trying to create an IAM Managed Policy to assign to QA users that will give them readonly access to a specific DBCluster, the QA cluster.
So far I haven't been able to limit the access to the specific cluster, I can only get it to work if the Resource tag is set to all
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:Describe*",
"rds:ListTagsForResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "DescribeQADatabase"
}
]
}
I've tried changing the Resource tag to my specific DBCluster ARN, but when I do that nothing shows in the RDS page in the AWS Console
Side question, if I look at the AWS Provided AmazonRDSReadOnlyAccess I see that it gives access to a bunch of other AWS Resources like ec2 instances. Is there a document/resource I can use that will basically tell me all the dependencies I will need if I want to give access to a specific resource?
I'm looking for some advice on best practices managing an AWS Elastic Beanstalk application.
I have an app with 2 different environments which I refer to as prod and dev. I would like to allow deployments to the dev env to all collaborators and limit deployment to prod to only one user.
What is the best way to do that?
ElasticBeanstalk tightly integrates with IAM.
Allowing or Denying a user a specific action on a specific resource can be achieved by attaching the correct policy to the role being assumed.
The ElasticBeanstalk docs have a specific section explaining IAM permissions in EB, and the last example on the page is effectively what you’re looking for. Modify the policy shown to your needs and attach it to the users or groups of users you wish to deny access to the production environment.
Your policy is going to look something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"elasticbeanstalk:CreateApplication",
"elasticbeanstalk:DeleteApplication"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:CreateConfigurationTemplate",
"elasticbeanstalk:CreateEnvironment",
"elasticbeanstalk:DeleteApplicationVersion",
"elasticbeanstalk:DeleteConfigurationTemplate",
"elasticbeanstalk:DeleteEnvironmentConfiguration",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",
"elasticbeanstalk:DeleteEnvironmentConfiguration",
"elasticbeanstalk:RebuildEnvironment",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RestartAppServer",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:SwapEnvironmentCNAMEs",
"elasticbeanstalk:TerminateEnvironment",
"elasticbeanstalk:UpdateApplicationVersion",
"elasticbeanstalk:UpdateConfigurationTemplate",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:ValidateConfigurationSettings"
],
"Resource": [
"arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/Test/Test-env-prod"
]
}
]
}
The above policy is going to prevent any user with this policy attached from Creating or Deleting any applications, and it's further going to deny the user from completing any of the listed actions on the resource ARN listed; the app named Test and the environment named Test-env-prod.
To restrict access to the specific environment you could use this policy and modify the ARN's region (us-east-1), account-number (123456789012), app-name (Test), and environment-name (Test-env-prod), to your specific needs.
You can find a list of ElasticBeanstalk resource ARN formats here.
I have an S3 bucket with confidential data.
I added a bucket policy to allow only a limited set of roles within the account. This stops other user from accessing the s3 bucket from console.
One of the allowed roles, say "foo-role" is created for EC2 instances to read the S3 bucket.
Now, even the denied roles can create a VM, assign the "foo-role" to this VM, ssh into this VM and look at the bucket content.
Is there a way that I can prevent other users from assigning the "foo-role" to their EC2 instances.
Add this policy to your IAM Users. This policy will prevent a user from associating or replacing a role to an EC2 instance.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "DENY",
"Action": [
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation",
"iam:PassRole"
],
"Resource": "*"
}
]
}
Scenario: I have an EC2 instance and a S3 bucket under the same account, and my web app on that EC2 wants access to resources in that bucket.
Following official docs, I created an IAM role with s3access and assigned it to the EC2 instance. To my understanding, now my web app should be able to access the bucket. However, after trials, seems I have to add a allowPublicRead bucket policy like this:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/*"
}
]
}
Otherwise I got access forbidden.
But why should I use this allowPublicRead bucket policy, since I already granted s3access IAM role to the EC2 instance?
S3 s3:GetObject will only allow access to objects from your ec2 instance and what you want is to access these objects from your web-app which means from your browser, in this case these images/objects will be rendered to user browser and if its a public facing application then you need to assign AllowPublicRead permission as well.