Can someone explain to me the difference between an AWS Policy and an AWS Managed Policy in the context of Cloud Formation?
More specifically, I'm trying to define an auto scaling template where:
Each instance in an auto scale configuration is assigned an IAM Instance Role that has a policy.
The same policy is applied to the user when they try and access these instances.
I'm trying to keep duplication to a minimum and it seems like I may be able to achieve it via a Policy linked to a role, and group of users. The role can then be associated with EC2 Instance via instance profile and users can be added to the groups which in turn are assigned the policy.
Why and under what circumstances would one use a ManagedPolicy?
Thank you for your assistance.
EDIT: It seems like Role requires a policy document irrespective. So even having a separate policy won't really help? Or am I missing something?
AWS::IAM::Role only requires a trust policy. The Policy/Managed Policy can be defined separately.
The difference between AWS::IAM::ManagedPolicy and AWS::IAM::Policy is that AWS::IAM::ManagedPolicy does not require you to assign a Group, Role or User when defining it. AWS::IAM::Policy does. In your use case, you're probably fine using AWS::IAM::Policy.
If I may add, testing Policy creation using CDK v2.12.0, groups, users or roles are not required. iam.ManagedPolicy creates a policy you can share, iam.Policy is created as an inline policy.
new iam.Policy(this, 'testPolicy2', {
statements: policyDocs,
//groups: [s3UserGroup],
policyName: 'testPolicy2'
})
new iam.ManagedPolicy(this, 'testPolicy3', {
statements: policyDocs,
//groups: [s3UserGroup],
managedPolicyName: 'testPolicy3'
})
Related
I need the permissions to pass an execution role to a Lambda when I create a CF.
So I have given the role used for creating the CF this:
Effect: Allow
Action:
- iam:PassRole
Resource:
- "myexecutionrole"
So now my CF role can pass the execution role to any resource. I want to restrict this. I want it only to be able to pass the role to the Lambda function it is for. So I have been looking into policy conditions, put here I only find solution for restricting the source of the call not the target.
Is that I want possible and how?
You could use iam:AssociatedResourceArn. From docs:
Specifies the ARN of the resource to which this role will be associated at the destination service.
I am attempting to create an autoscaling group for my EC2 instances. These instances are encrypted by custom key, so I need to be able to inject a policy that allows the read of said key to the autoscaling group.
I decided to utilize the ServiceLinkedRoleARN: property of the AutoScalingGroup and create new autoscale role that would have all the necessary permissions.
Unfortunatelly, the properties of IAM::ServiceLinkedRole (SLR) do not offer policy inputs (unlike standard roles):
Type: AWS::IAM::ServiceLinkedRole
Properties:
AWSServiceName: String
CustomSuffix: String
Description: String
and so far I was unable to find a solution for this. If there is no way to modify the policies of SLR, I even fail to see a reason for allowing to create our own SLR so I imagine there has to be a reason for that.
Can you please help with how to resolve my problem? My company mandates that I use CloudFormation for that so no console adjustments are possible, but using the custom SLR is not necessary, it just felt like the cleanest solution for me.
You can't modify service-linked role for Auto Scaling:
With the AWSServiceRoleForAutoScalingPlans_EC2AutoScaling role created by AWS Auto Scaling, you can edit only its description and not its permissions.
However, the KMS permissions should be added to your instance role, not service-linked role for Auto Scaling. So you have to change the role associated with your AWS::IAM::InstanceProfile.
Below is the policy template created to restrict any Principal to do only below actions:
Resources:
MyPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: RulesToCreateUpdatePolicy
ManagedPolicyName: some-policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:CreatePolicy"
- "iam:DeletePolicy"
- "iam:CreatePolicyVersion"
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/xyz-lambda-*"
on a policy resource that starts with name xyz-lambda-.
This policy is assigned to EC2 host, with a role.
Does this policy name(like xyz-lambda-*) supposed to be already exist in AWS, before uploading this policy in AWS?
No, when you are specifying resource in your policy document, that resource doesn't need to exists at all.
If you take into consideration this action
iam:CreatePolicy
together with your resource, what it does is that it grants necessary permissions to create policy with that particular name xyz-lambda-*. It wouldn't make much of sense to require existence of such resource if the policy is granting permissions to create it in the first place.
When you consider the delete action
iam:DeletePolicy
if the resource doesn't exist then it does nothing. Once you create policy with the appropriate name, you will be able to delete it but it doesn't matter whether the policy existed before this ManagedPolicy was created or after or you have deleted and recreated policy with such name any number of times.
Lastly, since you have stated that this policy is attached to EC2 role then it should work without errors. But I would still recommend to grant iam:ListPolicies permission for any resource (policy) discovery that could be performed by an application running on EC2 instance. If you don't allow this action in your policy, your application will not be able to list policies and you would have to design some error prone workaround based on guessing or a strict naming scheme.
Policy name is not important. Resources unique by ARN only. IAM Resources unique within AWS account an if u don't create this resource before it's ok
For every project, we create two AWS accounts. One for development and staging and one for production. The developers have an IAM user in the root account and users assumed roles in the other accounts to access those.
I want to create a policy, which allows the developer to do nearly everything in the development account, including creating new policies and attaching those (for new resources, etc.), but the developer should not be able to modify his own role / attach new roles to himself.
Any ideas?
I'm facing the same issue I've already posted a question about that here (similar issue).
After a lot of research, I came to a conclusion: do not allow developers to create roles and policies.
Why?
I didn't find a way to answer my question allowing user creating roles only for resources and not for principals.
Even if I've found a solution for 1., there is a flaw: suppose developers can create roles for resources but not for principals and he (she) can create every policy he (she) wants. In this scenario, he (she) could create a policy for Lambdas and inside Lambdas, a script could be written to execute actions allowed by policies attached.
My final solution:
Create two groups called Developers and IAM in which IAM users can create any roles and policies, thus is trusted developers, and Developers can only attach policies whose path is services-roles, for instance.
Example a role attached to Developers group - allow users create everything except all iam actions except PassRole with path service-roles:
DevelopersIAMManagedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: 'Developers.'
# Groups:
# - String
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: iam:PassRole
Resource: 'arn:aws:iam::*:role/projects-roles/*'
- Effect: Allow
NotAction: iam:*
Resource: '*'
I'm open to new ideas, but this solution is the most secure I've reached.
I want to attach an AWS managed Role to my EC2 instance in CloudFormation. Here for I need to attach the managed role to an instance profile and attach the instance profile to the EC2.
How can I attach the managed role to the instance profile?
I tried:
ASGIAMInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
InstanceProfileName: asg-instance-profile
Roles:
- AWSServiceRoleForAutoScaling
But I got:
Cannot perform the operation on the protected role 'AWSServiceRoleForAutoScaling' - this role is only modifiable by AWS (Service:
I know I can recreate a comparable role and attach it to an instance profile but that seems a bit overkill.
The only "managed roles" are service-linked roles. These are special roles that are directly attached to a service itself and cannot be attached to other entities.
You can, however, associate a Managed Policy with roles. These are the policies shown in the "Policies" section of the IAM management console.