I'd like to grant a group read-only access to an entire SWF domain. The users in this group will be able to see all workflow instances and the events / activities history of each workflow. They will not be able to create workflows, activities, or start workflows.
Can someone post an example of what the policy document JSON for this would look like?
You can start with the AWS Policy Generator.
So, following the wizard, I generated the policy with all the List actions, which you can add/delete depending on your own requirements.
{
"Statement": [
{
"Sid": "Stmt1420410404486",
"Action": [
"swf:ListActivityTypes",
"swf:ListClosedWorkflowExecutions",
"swf:ListDomains",
"swf:ListOpenWorkflowExecutions",
"swf:ListWorkflowTypes"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
I created an IAM Identity Center permission set and group. The permission set attached to the group only allows the users inside the group to view CloudWatch logs generated by a specific account (our Crypto account), the statement looks like this:
Note: The statement with the ID "DescribeCryptoTrail" limits the user to only view logs from our Crypto account.
"Statement":
{
"Sid": "DescribeCryptoTrail",
"Action": "logs:GetLogEvents",
"Effect": "Allow",
"Resource": [
"arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
]
}
This works well since the user gets a permission denied error when he tries to view logs from a different account, but now my concern is how do I limit access to the queries the users can return in CloudWatch Logs Insights? For example, the users in the Crypto-Access group should only be able to return queries that were generated by the Crypto account.
So far, I have tried using statements such as:
{
"Sid": "AdditionalPermissions",
"Action": [
"logs:FilterLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
]
},
{
"Sid": "AdditionalPermissionsTwo",
"Action": [
"logs:DescribeQueryDefinitions"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
]
}
This is a similar approach to what worked for granting access to the CloudWatch logs, but this time it seems I need to grant access to the entire log group, judging from the error:
not authorized to perform: logs:FilterLogEvents on resource: arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:* because no identity-based policy allows the logs:FilterLogEvents action
This indicates that I need to provide access to the main log group; I can't limit it to a specific path in the log group.
Is there any other way I can force query results based on the IAM policy, or maybe a way I can require a user to include a filter in the query such as filter recipientAccountId = "CRYPTO-ACCOUNT-ID"?
Thanks in advance
I want to create an IAM policy that only allows access to the development and staging RDS instances I have running. This policy will be attached to a user group so that all its users can only read / write to the development and staging instances and not view any details or connect to the production instance.
I have created a test user that is a part of the above mentioned user group for testing out this policy, but it's allowing me to view / alter all db instances I have in RDS right now, including the production instance.
Below is the JSON for IAM policy.
Any help would be greatly appreciated!
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"rds:DescribeDBProxyTargetGroups",
"rds:StartDBCluster",
"rds:RestoreDBInstanceFromS3",
"rds:ResetDBParameterGroup",
"rds:DescribeGlobalClusters",
"rds:ModifyDBProxyEndpoint",
"rds:PurchaseReservedDBInstancesOffering",
"rds:CreateDBSubnetGroup",
"rds:ModifyCustomDBEngineVersion",
"rds:DescribeDBProxyTargets",
"rds:ModifyDBParameterGroup",
"rds:DownloadDBLogFilePortion",
"rds:AddRoleToDBCluster",
"rds:DescribeReservedDBInstances",
"rds:CreateDBSnapshot",
"rds:CreateEventSubscription",
"rds:DescribeDBClusterBacktracks",
"rds:FailoverDBCluster",
"rds:AddRoleToDBInstance",
"rds:ModifyDBProxy",
"rds:CreateDBInstance",
"rds:DescribeDBInstances",
"rds:DescribeDBProxies",
"rds:ModifyActivityStream",
"rds:DescribeDBProxyEndpoints",
"rds:StartDBInstanceAutomatedBackupsReplication",
"rds:ModifyEventSubscription",
"rds:DescribeDBSnapshotAttributes",
"rds:ModifyDBProxyTargetGroup",
"rds:RebootDBCluster",
"rds:ModifyDBSnapshot",
"rds:ListTagsForResource",
"rds:CreateDBCluster",
"rds:ApplyPendingMaintenanceAction",
"rds:BacktrackDBCluster",
"rds:RemoveRoleFromDBInstance",
"rds:ModifyDBSubnetGroup",
"rds:FailoverGlobalCluster",
"rds:DescribeDBInstanceAutomatedBackups",
"rds:RemoveRoleFromDBCluster",
"rds:CreateGlobalCluster",
"rds:DeregisterDBProxyTargets",
"rds:CreateOptionGroup",
"rds:CreateDBProxyEndpoint",
"rds:AddSourceIdentifierToSubscription",
"rds:CopyDBParameterGroup",
"rds:ModifyDBClusterParameterGroup",
"rds:ModifyDBInstance",
"rds:RegisterDBProxyTargets",
"rds:ModifyDBClusterSnapshotAttribute",
"rds:CopyDBClusterParameterGroup",
"rds:CreateDBClusterEndpoint",
"rds:StopDBCluster",
"rds:CreateDBParameterGroup",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSecurityGroups",
"rds:RemoveFromGlobalCluster",
"rds:PromoteReadReplica",
"rds:StartDBInstance",
"rds:StopActivityStream",
"rds:RestoreDBClusterFromS3",
"rds:DescribeValidDBInstanceModifications",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:ModifyDBClusterEndpoint",
"rds:ModifyDBCluster",
"rds:CreateDBClusterSnapshot",
"rds:CreateDBClusterParameterGroup",
"rds:ModifyDBSnapshotAttribute",
"rds:PromoteReadReplicaDBCluster",
"rds:DescribeOptionGroups",
"rds:ModifyOptionGroup",
"rds:RestoreDBClusterFromSnapshot",
"rds:DescribeDBSubnetGroups",
"rds:StartActivityStream",
"rds:DescribePendingMaintenanceActions",
"rds:DescribeDBParameterGroups",
"rds:StopDBInstanceAutomatedBackupsReplication",
"rds:RemoveSourceIdentifierFromSubscription",
"rds:RevokeDBSecurityGroupIngress",
"rds:DescribeDBParameters",
"rds:ModifyCurrentDBClusterCapacity",
"rds:ResetDBClusterParameterGroup",
"rds:RestoreDBClusterToPointInTime",
"rds:CreateCustomDBEngineVersion",
"rds:DescribeDBClusterSnapshotAttributes",
"rds:DescribeDBClusterParameters",
"rds:DescribeEventSubscriptions",
"rds:CopyDBSnapshot",
"rds:CopyDBClusterSnapshot",
"rds:DescribeDBLogFiles",
"rds:StopDBInstance",
"rds:CopyOptionGroup",
"rds:SwitchoverReadReplica",
"rds:CreateDBSecurityGroup",
"rds:RebootDBInstance",
"rds:ModifyGlobalCluster",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeOptionGroupOptions",
"rds:DownloadCompleteDBLogFile",
"rds:DescribeDBClusterEndpoints",
"rds:CreateDBInstanceReadReplica",
"rds:DescribeDBClusters",
"rds:DescribeDBClusterParameterGroups",
"rds:RestoreDBInstanceToPointInTime"
],
"Resource": [
"arn:aws:rds:us-east-2:<ACCOUNT_NUMBER>:db:development",
"arn:aws:rds:us-east-2:<ACCOUNT_NUMBER>:db:staging"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBClusters"
],
"Resource": "arn:aws:rds:*:<ACCOUNT_NUMBER>:db:*"
}
]
}
There are two different elements to consider:
Ability to 'use' the database
Ability to 'manage' the database
You have said that users "are authenticating via database credentials", so this access is controlled totally within the database and is unrelated to any IAM policies.
Typically, businesses use different AWS Accounts to separate Production from other environments. This avoids accidents and ensures that services are deployed and maintained in a reproducible manner (rather than via changes from random people). If you are keeping both Dev & Prod in the same AWS Account, then you will need to be very careful about how permissions are granted.
It is not possible to limit the listing of databases. A user either has permission to list ALL databases, or NONE of the databases.
I would like to add an image upload possibility for my users.
So far I've followed a simple YouTube tutorial and created a new bucket with the following Bucket policy:
{
"Version": "2012-10-17",
"Id": "Policy1578265217545",
"Statement": [
{
"Sid": "statement-1",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/images/*"
}
]
}
And the following CORS policy:
[
{
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET",
"PUT",
"POST",
"DELETE",
"HEAD"
],
"AllowedOrigins": [
"*"
],
"ExposeHeaders": []
}
]
I've also created an IAM user, and attached the following policy to it:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement1",
"Effect": "Allow",
"Action": [
"s3:Put*",
"s3:Get*",
"s3:Delete*"
],
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
}
]
}
I got my access and secret keys that I successfully used to upload/delete files – success.
I have a strong feeling that the above policies are not really secure at the moment (e.g. I'm planning to make the CORS policy more strict by only allowing the bucket to be accessed from a certain domain).
My main question now is – How can I make sure that if user A uploads his image, no other user (until allowed) can access it?
I think this would be possible if each user of the application had an IAM user account in AWS. Then you could restrict the images using the corresponding AWS IAM user. But I believe this is probably not the case.
Something better would be, instead of accessing the images directly on AWS, access the images via your application. You could have a table storing the image path in the bucket on AWS, the corresponding owner(s) and also a flag indicating if the image can be accessed publicly or not.
Then when you need a specific image, you would make a request to your application, which would check if the user making the request is the owner of the image, if yes, the application would download the image from AWS using the AWS S3 SDK and send it over to the user.
This approach will decouple AWS from your end users, and your app will be responsible for managing who can access what. Given that every request to AWS will pass through your app, there is less risk of compromising the AWS infrastructure in place.
Object tagging and attribute-based access control could be used for conditional access to different objects.
Use case: Application not supporting individual IAM users:
Objects are assigned an ownerID tag with an id value,
Users are assigned a uuid, or their profile has a tag with some kind of id value, and
the API function used to fetch objects compares the object tag and the user id/tag and retrieves only objects with matching values.
Use case: Application supporting AWS IAM users / SSO users:
Objects are assigned a tag with an appropriate value (id, department, etc.),
AWS users are assigned a tag with an appropriate value (id, department, etc.),
An IAM role and an access control policy are created for allowing conditional access depending on tag values.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html
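One way to write the policy for the second use case, added here as an example and not the answerer's own code: it assumes the bucket name my-bucket from the question, the object tag key ownerID from the first use case, and that each IAM/SSO principal carries a principal tag with the same key, so ${aws:PrincipalTag/ownerID} resolves to the caller's own id.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyObjectsTaggedWithCallersOwnerID",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/images/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/ownerID": "${aws:PrincipalTag/ownerID}"
        }
      }
    },
    {
      "Sid": "UploadOnlyWhenRequestCarriesCallersOwnerIDTag",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectTagging"
      ],
      "Resource": "arn:aws:s3:::my-bucket/images/*",
      "Condition": {
        "StringEquals": {
          "s3:RequestObjectTag/ownerID": "${aws:PrincipalTag/ownerID}"
        }
      }
    },
    {
      "Sid": "ListBucketHasNoTagConditionSoKeysStayVisible",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket"
    }
  ]
}
```

An upload that omits the ownerID tag, or tags the object with someone else's id, is denied by the second statement, and a read of another user's object fails the first. The tag check only constrains the IAM principal: the question's bucket policy grants anonymous s3:GetObject on images/*, so that statement would have to go for the condition to matter, and ListBucket still reveals every key name.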
I want to restrict access for a specific user to see just a few EC2 instances. I created a new user in IAM Roles and I attached a new Policy to it. The content of that Policy is attached below. I tried to look over the documentation and to do it myself like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": [
"arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID1",
"arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID2"
]
}
]
}
I placed my region, ACCOUNT_ID (the owner id, not of the new user created) and instance-id, but when I connect with that user and go to list all Instances I get this: "An error occurred fetching instance data: You are not authorized to perform this operation."
After I placed the code in JSON editor, in Policy Review step I got this message:
This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more
The AWS documentation mentions exactly the same configuration in these examples.
I assume you connect as that user in the console (but it would be the same with the CLI). Here is what I think is happening:
To list all the instances, the console most probably calls the DescribeInstances API. As per the list of action/resources/tags that can be used in IAM policy, this API does not support the resource filter in IAM.
This means your user has no authorization to list instances and they will not be shown in the console. You can validate this theory by using the CLI to request the details of a specific instance id, if my hypothesis is correct, it will be authorized.
As DescribeInstances can not be restricted by resource or tags, I don't think it is possible to filter the instance list for a user.
To have the console working, you'll need to add the following statement to your IAM policy:
"Statement": [
{ your existing statement },
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
Please report if I was right :-) The example you mentioned in your question shows exactly that : Resources = * on DescribeInstances and Resources specific InstanceId on other operations.
The previous answer is wrong, you can Conditionally allow access to ec2:DescribeInstances by tag names. It's an AWS best practice as well. Also explicitly deny access to the ec2:CreateTags and ec2:DeleteTags actions to prevent users from creating or deleting tags to take control of the instance.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/UserName": "${aws:username}"
}
}
},
{
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*"
}
]
}
DescribeInstances action does not support condition.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
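A full policy in the shape the first answer and the linked AWS example describe, added here as an example rather than code from any of the answers: ec2:DescribeInstances has no resource-level support, so it is granted on "*", while the instance operations are scoped to the instance ARN and an ec2:ResourceTag/UserName tag (the tag key from the second answer, assumed to be set on each instance to the IAM user name); the region and ACCOUNT_ID placeholder follow the question.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeInstancesSupportsNoResourceOrTagScoping",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "OperateOnlyOnInstancesTaggedForTheCaller",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/UserName": "${aws:username}"
        }
      }
    },
    {
      "Sid": "DenyTagChangesSoUsersCannotRelabelInstances",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}
```

The console will still list every instance in the region; only start, stop and reboot are confined to instances whose UserName tag matches the caller, and the explicit Deny keeps a user from re-tagging an instance into scope.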
I have tried to limit access to a VPC without success. Maybe approaching the issue from the other side is a better idea, but I can't get that to work either.
I have tried:
Limit by tags as shown here:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/client": "<client>"
}
}
}
]
}
Limit by VPC as suggested here:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1508450090000",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": [
"arn:aws:ec2:<region>:<account>:subnet/*"
],
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:<region>:<account>:vpc/<vpc_id>"
}
}
}
]
}
Both policies result in not even listing any instances, see screenshot.
This seems to be a very obvious and commonly needed policy to me.
Any help is appreciated.
According to the documentation: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html#readonlyvpciam
The following policy grants users permission to list your VPCs and their components. They can't create, update, or delete them.
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeInternetGateways",
"ec2:DescribeEgressOnlyInternetGateways",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeNatGateways",
"ec2:DescribeCustomerGateways",
"ec2:DescribeVpnGateways",
"ec2:DescribeVpnConnections",
"ec2:DescribeRouteTables",
"ec2:DescribeAddresses",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkAcls",
"ec2:DescribeDhcpOptions",
"ec2:DescribeTags",
"ec2:DescribeInstances"],
"Resource":"*"
}
]
}
Further, if you have multiple VPCs that you do not want them to even see, perhaps you should consider creating a sub-account with only the portion of your network that they should have visibility across:
Setup Consolidated Billing
As a first step, log into your AWS account and click the "Sign up for Consolidated Billing" button.
Create a new account
From a non-logged-in browser, you will then want to sign up to AWS again like this:
Give this new account the appropriate name for your client. Note the email address you signed up with.
Link the accounts
In your main account, head back to ConsolidatedBilling and click the Send a Request button. Provide the email address for your new sub-account.
You should receive an email to the email address for your new sub-account. Copy the activation link and paste it into your browser logged in to the sub-account.
Your accounts are now linked!
Create your client's VPC and enable the services that the client requires.
Next, you can create the VPC & services the client requires, and restrict their access via the policy above.
You cannot restrict Describe* calls in the manner you want.
Calls that create resources can be restricted (eg give permission to launch an instance in a particular VPC), but calls that list resources cannot be restricted.
If you require the ability to prevent certain users from listing resources, then you'll either need to build your own front-end that filters the information before presenting it to users, or use multiple AWS accounts since they are fully isolated from each other.