ruk·si

AWS
Policy Catalog

Updated at 2015-10-03 12:03

AWS has Root User, IAM Users, Groups, Roles and Policies.

  • Policy: a set of permissions and restrictions. Users, groups and roles can all have policies.
  • Inline Policy: a one-off policy that only exists for the entity it's initially defined for.
  • Managed Policy: a shared policy that can be attached to multiple entities and has versioning; there are AWS managed policies and customer managed policies.
  • User: people or applications; they belong to groups and can have individual policies.
  • Role: AWS resources like EC2 instances cannot be users, so they have a role instead. A role allows the resource to fetch temporary user-like credentials. The role is static per resource and usually requires recreating the resource to change which role it has, but you can always change the role's permissions if they are configured well enough.
  • Group: users can be placed in groups so they share privileges.

                        Root user           IAM user        IAM role
Can have permissions    yes, always all     yes             yes
Can have a password     yes, always         yes             no
Can have an access key  yes, but avoid      yes             no
Can be in a group       no                  yes             no
Can be given to EC2     no                  no              yes

User A and User B are two IAM users; they can even be on different AWS accounts.
User A has privileges X.
User B has no privileges.
User A creates an IAM role, Role 1, with privileges Y, a subset of X.
User A allows User B to assume Role 1.
User B programmatically assumes Role 1 and thus gains privileges Y.

The Sid (statement ID) is an optional identifier that you provide for each policy statement. The Sid value must be unique within a policy. It just helps you find a particular statement in a policy, but some AWS services require it, e.g. SQS and SNS.

ARN syntax overview:

arn:aws:ec2:us-west-2:012345678901:instance/i-abcd123
arn:aws        :ec2     :us-west-2:012345678901    :instance       /i-abcd123
arn:<PARTITION>:<SERVICE>:<REGION>:<AWS_ACCOUNT_ID>:<RESOURCE>
arn:<PARTITION>:<SERVICE>:<REGION>:<AWS_ACCOUNT_ID>:<RESOURCE_TYPE>/<RESOURCE>
arn:<PARTITION>:<SERVICE>:<REGION>:<AWS_ACCOUNT_ID>:<RESOURCE_TYPE>:<RESOURCE>

Note that some resources don't need a region (IAM, S3) or an account number (S3).
Then you just omit the value, e.g.
arn:aws:iam::123456789012:root
arn:aws:s3:::bucket-name

Avoid using IAM users to control EC2 instance privileges. Use IAM roles instead; they are a lot safer. Sometimes you have to use IAM users anyway, e.g. on non-EC2 servers like Heroku.

Here are some common policies:

See and get S3 bucket contents.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

Full S3 content manager.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "s3:Put*",
                "s3:Get*",
                "s3:Delete*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

Non-destructive EC2 moderator. The ec2:Describe* actions don't support resource-level permissions, so they need Resource "*"; the start/stop/reboot actions can be scoped to the account's instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-west-1:<AWS_ACCOUNT_ID>:instance/*"
            ]
        }
    ]
}

CloudWatch Logging.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-west-1:<AWS_ACCOUNT_ID>:*"
            ]
        }
    ]
}

SQS usage for an app.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "arn:aws:sqs:us-west-1:<AWS_ACCOUNT_ID>:<QUEUE_NAME_ONE>",
                "arn:aws:sqs:us-west-1:<AWS_ACCOUNT_ID>:<QUEUE_NAME_TWO>"
            ]
        }
    ]
}
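As an added example (not part of the original notes), a small Python helper that parses ARNs into the fields shown in the syntax overview above and evaluates a policy document against an action and resource the way IAM does, in simplified form: an explicit Deny wins, otherwise any matching Allow, otherwise deny. It ignores Condition, NotAction/NotResource and Principal (an assumption made to keep it short) and embeds a copy of the "see and get S3 bucket contents" policy above as its sample input, so you can check what a policy grants before attaching it.

```python
import fnmatch
from typing import NamedTuple, Optional

class Arn(NamedTuple):
    partition: str
    service: str
    region: str      # empty for IAM and S3 ARNs
    account: str     # empty for S3 ARNs
    resource_type: Optional[str]
    resource: str

def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields, covering the three resource layouts listed above."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, rest = parts
    for sep in ("/", ":"):   # <type>/<res> or <type>:<res>; otherwise a bare <res>
        if sep in rest:
            rtype, res = rest.split(sep, 1)
            return Arn(partition, service, region, account, rtype, res)
    return Arn(partition, service, region, account, None, rest)

def _matches(patterns, value: str, fold_case: bool) -> bool:
    # IAM wildcards are '*' and '?', which fnmatchcase handles; action names are
    # case-insensitive, resource ARNs are not.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM logic: explicit Deny wins, else any matching Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:   # assumption: skip NotAction etc.
            continue
        if not (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed copy of the "see and get S3 bucket contents" policy from this page.
S3_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "1", "Effect": "Allow", "Action": ["s3:List*", "s3:Get*"],
    "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]}]}
```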