AWS - Policy Catalog
Updated at 2015-10-03 12:03
AWS has Root User, IAM Users, Groups, Roles and Policies.
- Policy: a set of permissions and restrictions. Users, groups and roles can all have policies.
- Inline Policy: one-off policy that only exists for the entity it's initially defined for.
- Managed Policy: a shared policy that can be attached to multiple entities and has versioning; there are AWS managed policies and customer managed policies.
- User: a person or an application. Users belong to groups and can also have individual policies.
- Role: AWS resources like EC2 instances cannot be users; instead they have a role. A role lets the resource fetch temporary user-like credentials. The role assigned to a resource is static and usually requires recreating the resource to change it, but you can always change the role's permissions if they are configured well enough.
- Group: users can be placed in groups so they share privileges.
| | Root user | IAM user | IAM role |
|---|---|---|---|
| Can have permissions | yes, always all | yes | yes |
| Can have a password | yes, always | yes | no |
| Can have an access key | yes, but avoid | yes | no |
| Can be in a group | no | yes | no |
| Can be given to EC2 | no | no | yes |
User A and User B are two IAM users, they can even be on different AWS accounts.
User A has privileges X.
User B has no privileges.
User A creates IAM role, Role 1, with privileges Y, a subset of X.
User A allows User B to assume the role of Role 1.
User B programmatically assumes Role 1 and thus gains privileges Y, the role's permissions.
The Sid (statement ID) is an optional identifier that you provide for each policy statement. The Sid value must be unique within a policy. It mainly helps you refer to a particular statement in a policy, but some AWS services require it, e.g. SQS and SNS.
ARN syntax overview, using an EC2 instance as the example:
arn:aws:ec2:us-west-2:012345678901:instance/i-abcd123
arn:<PARTITION>:<SERVICE>:<REGION>:<AWS_ACCOUNT_ID>:<RESOURCE_TYPE>/<RESOURCE>
The three general forms are:
arn:<PARTITION>:<SERVICE>:<REGION>:<AWS_ACCOUNT_ID>:<RESOURCE>
arn:<PARTITION>:<SERVICE>:<REGION>:<AWS_ACCOUNT_ID>:<RESOURCE_TYPE>/<RESOURCE>
arn:<PARTITION>:<SERVICE>:<REGION>:<AWS_ACCOUNT_ID>:<RESOURCE_TYPE>:<RESOURCE>
Note that some resources don't need a region (IAM, S3) or an account number (S3).
Then you just omit the value but keep the colons, e.g.
arn:aws:iam::123456789012:root
arn:aws:s3:::bucket-name
Avoid using IAM users to control EC2 instance privileges. Use IAM roles instead; they are a lot safer. Sometimes you have to use IAM users anyway, e.g. on non-EC2 servers like Heroku.
Here are some common policies:
List and get S3 bucket contents.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}
Full S3 content manager.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "s3:Put*",
        "s3:Get*",
        "s3:Delete*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}
Non-destructive EC2 moderator. The ec2:Describe* actions do not support resource-level permissions, so they need Resource "*"; the start/stop/reboot actions are scoped to the account's instances with an ec2 instance ARN.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": [
        "arn:aws:ec2:us-west-1:<AWS_ACCOUNT_ID>:instance/*"
      ]
    }
  ]
}
CloudWatch Logging. The resource part of a logs ARN is the log group (and optionally the log stream under it).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-west-1:<AWS_ACCOUNT_ID>:log-group:*"
      ]
    }
  ]
}
SQS usage for an app.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": [
        "sqs:*"
      ],
      "Resource": [
        "arn:aws:sqs:us-west-1:<AWS_ACCOUNT_ID>:<QUEUE_NAME_ONE>",
        "arn:aws:sqs:us-west-1:<AWS_ACCOUNT_ID>:<QUEUE_NAME_TWO>"
      ]
    }
  ]
}
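As an added example (not from the original page), a small Python linter that applies the rules above to a policy document: it splits ARNs into the fields of the three syntax forms (tolerating the empty region and account of IAM and S3 ARNs), checks that Sids are unique within a policy, and flags a Resource ARN that is missing fields or whose service does not match the service prefix of the statement's actions. The policy at the bottom is a constructed sample for the demo.

```python
import json
from collections import Counter

def parse_arn(arn):
    """Split arn:PARTITION:SERVICE:REGION:ACCOUNT:RESOURCE; region/account may be empty."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[5] == "":
        raise ValueError("malformed ARN (missing fields): %s" % arn)
    partition, service, region, account, resource = parts[1:]
    rtype = None
    for sep in "/:":  # RESOURCE_TYPE/RESOURCE or RESOURCE_TYPE:RESOURCE forms
        if sep in resource:
            rtype, resource = resource.split(sep, 1)
            break
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource_type": rtype, "resource": resource}

def lint_policy(policy):
    """Report duplicate Sids, malformed Resource ARNs, and ARNs whose service
    does not match the service prefix of the statement's actions."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    sids = Counter(s["Sid"] for s in stmts if "Sid" in s)
    findings = ["duplicate Sid %r" % sid for sid, n in sids.items() if n > 1]
    for s in stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = s.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        # service prefix of each action, e.g. "ec2" from "ec2:StopInstances"
        services = {a.split(":", 1)[0].lower() for a in actions if a != "*"}
        for r in resources:
            if r == "*":
                continue
            try:
                arn = parse_arn(r)
            except ValueError as exc:
                findings.append(str(exc))
                continue
            if services and arn["service"] not in services:
                findings.append("Resource %s is a %s ARN but the actions are for %s"
                                % (r, arn["service"], ", ".join(sorted(services))))
    return findings

# Constructed sample: repeated Sid, and a Resource that names the wrong service
# (ecs instead of ec2) while also omitting the resource part entirely.
SAMPLE = json.loads('{"Version": "2012-10-17", "Statement": ['
    '{"Sid": "1", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},'
    '{"Sid": "1", "Effect": "Allow", "Action": ["ec2:StopInstances"],'
    ' "Resource": ["arn:aws:ecs:us-west-1:123456789012"]}]}')
```

Running `lint_policy(SAMPLE)` returns two findings: the duplicate Sid and the malformed ecs ARN.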