[REPORT] Building effective IAM policies #AWSreInvent #SEC305

2023.12.07

I participated in the Builders' Session on creating IAM policies, so this is a report on that session.

Overview


Anyone who builds on AWS should understand how to build effective IAM policies. In this session, learn the requirements for security controls and walk through the construction of IAM policies that implement those controls. See which policy types are most appropriate for each control, and walk away with some real-life examples of IAM policies that you can take back to your organization.

Report

Agenda


Four scenarios were prepared; for each one, we create an IAM policy that implements the required control. After creating the policies, we return to the group and discuss each scenario.

In this session, we launch AWS Cloud9 and test the IAM policies we create with the provided assessment tool.

Once a policy has been written, running the tool returns an evaluation result for it.

Set up

First, install the tool used to evaluate the policies you create.

Open 'AWS Cloud9' in the management console and access the environment prepared for this session.


Download and install the tool.

$ curl 'https://static.us-east-1.prod.workshops.aws/public/a8b77c64-5ab8-49a3-8751-ba7d5351e107/assets/eval_policy-0.0.33-py3-none-any.whl' --output eval_policy-0.0.33-py3-none-any.whl
$ pip install eval_policy-0.0.33-py3-none-any.whl

Scenario 1 Allow access to resources for all principals within the organization

Policy

Create a policy that allows s3:GetObject on all objects in a specific bucket for every principal in the organization.

Values used in policies

  • AWS Organizations organization ID: o-123456
  • Bucket name: MY-BUCKET
  • Account: 111111111111
  • Action: s3:GetObject
Created policy

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::MY-BUCKET/*",
        "Condition": {
            "StringEquals": {
                "aws:PrincipalOrgId": "o-123456"
            }
        }
    }]
}

After creating the policy, run the following command to evaluate it.

$ eval-policy --step 1 --policy policy1.json


This was done relatively quickly.

Scenario 2 Protecting platform resources with Service Control Policies

Policy

Create a Service Control Policy that denies all actions on resources tagged with the key team and the value admin. Only principals that themselves carry the tag key team with the value admin should be allowed to perform actions on those tagged resources.

Values used in policies

  • Tag on resources to protect: Key: team Value: admin
  • Tag on principals that are exempt: Key: team Value: admin
  • Resource: all resources
  • Action: all actions
Created policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/team": "admin"
                },
                "StringNotEquals": {
                    "aws:PrincipalTag/team": "admin"
                }
            }
        }
    ]
}


Scenario 3 Limit the types of EC2 instances that can be launched with identity-based policies

Policy

If the instance type is 't3.small', allow launching EC2 instances. Create an IAM policy that denies launching instances for any other instance types.

Values used in policies

  • Allowed instance type: t3.small
  • Action: ec2:RunInstances
Created policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": "t3.small"
                }
            }
        }
    ]
}


This was familiar policy content, so I was able to create it quickly. In the session, they introduced how to write policies similar to the ones in the screenshot.


Scenario 4 Prevent untrusted principals from using an AWS service as a confused deputy

Policy

Create a policy to enable an SNS topic to receive notifications from an S3 bucket.

We need to allow the AWS service principal s3.amazonaws.com to publish messages to the SNS topic, while preventing other AWS accounts from using the s3.amazonaws.com service as a confused deputy to publish messages to the topic.

Values used in policies

  • Service: s3.amazonaws.com
  • Action: sns:Publish
  • Region: us-east-1
  • Topic name: MyTopic
  • Account that the SNS topic is in: 111111111111
  • Account that you want to receive notifications from: 111111111111
  • S3 bucket that you want to receive notifications from: MY-BUCKET
Created policy

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "s3.amazonaws.com"
        },
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-east-1:111111111111:MyTopic",
        "Condition": {
            "ArnEquals": {
                "aws:SourceArn": "arn:aws:s3:::MY-BUCKET"
            },
            "StringEquals": {
                "aws:SourceAccount": "111111111111"
            }
        }
    }]
}
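To check how the four policies above actually behave, here is a small simulator of the IAM evaluation rules they rely on: statement matching with wildcards, the StringEquals / StringNotEquals / ArnEquals condition operators, and the rule that an explicit Deny overrides any Allow. This is an added example, not code from the session or from AWS; the request context (a dict with constructed keys such as "action", "resource" and "principal" next to the real condition keys) is my own representation, and only the subset of the policy language used by Scenarios 1 to 4 is implemented.

```python
import fnmatch

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _match(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' one.
    return fnmatch.fnmatchcase(value, pattern)

def _principal_matches(principal, ctx):
    # No Principal element (identity policy / SCP) or "*" applies to everyone.
    if principal is None or principal == "*":
        return True
    return any(ctx.get("principal") in _as_list(v) for v in principal.values())

def _condition_holds(cond, ctx):
    # Negated operators are true when the key is absent, so an untagged
    # principal is still denied by StringNotEquals on aws:PrincipalTag/team.
    ops = {
        "StringEquals": lambda k, vs: ctx.get(k) in vs,
        "StringNotEquals": lambda k, vs: ctx.get(k) not in vs,
        "ArnEquals": lambda k, vs: any(_match(v, ctx.get(k, "")) for v in vs),
    }
    return all(ops[op](k, _as_list(vs))
               for op, block in cond.items() for k, vs in block.items())

def evaluate(policy, ctx):
    """Return 'Allow', 'Deny' or 'ImplicitDeny'; for an SCP, 'Allow' only means not blocked."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if (any(_match(a, ctx["action"]) for a in _as_list(st["Action"]))
                and any(_match(r, ctx["resource"]) for r in _as_list(st["Resource"]))
                and _principal_matches(st.get("Principal"), ctx)
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny wins over every Allow
            decision = "Allow"
    return decision

# The Scenario 2 SCP and the Scenario 4 topic policy, copied from the page.
SCP_SCENARIO_2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {
        "StringEquals": {"aws:ResourceTag/team": "admin"},
        "StringNotEquals": {"aws:PrincipalTag/team": "admin"}}}]}
TOPIC_POLICY_SCENARIO_4 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:MyTopic",
    "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:s3:::MY-BUCKET"},
                  "StringEquals": {"aws:SourceAccount": "111111111111"}}}]}
```

Feeding it a request from another account's bucket for Scenario 4 returns ImplicitDeny, which is exactly the confused-deputy case the aws:SourceArn and aws:SourceAccount conditions are there to close.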


Conclusion

I decided to participate because I thought it would be a good opportunity to relearn IAM. I tried to create the policies while looking at the hints, but it was quite difficult. I'm glad I participated, as they introduced IAM policies through practical scenarios.

Resources
