Advanced Roles and Groups Management Using IAM
There is no substitute for experience, and our Hands-on Labs simulate real-world situations and scenarios providing an environment specifically des...Learn More
Welcome to part six of our AWS Security Series. Last week I introduced Identity & Access Manager (IAM) and how you can control access to resources by using the predefined user, group, and role policy templates created and designed by AWS. This week, I want to show you how you can create your own custom IAM policy in the form of a JSON script and test it using the AWS Policy Simulator.
This article will cover the main elements, syntax, and structure of an IAM policy, and different ways to create your own IAM policy. Using a predefined IAM policy is more likely than not a perfect match for the permissions you actually need. However, now and again, you may want to tweak a small part of it to more exactly fit your requirements. Remember, when it comes to security, the more precisely you can define your controls, the better. You should avoid being lazy and deploying implementations that are “close enough” rather than hand crafting the perfect fit.
An IAM Policy is a JSON script made up of statements following a set syntax for allowing or denying permissions to an object within your AWS environment.
Each policy has to have at least one statement whose structure might look like this:
The ‘Effect’ element can be set to either ‘Allow’ or ‘Deny’. These are explicit. By default, access to your resources is denied and so therefore if this is set to ‘Allow’ it replaces the default ‘Deny’. Similarly, if this were set to ‘Deny’ it would override any previous ‘Allow’. The ‘Action’ Element corresponds to API calls to AWS Services that authenticate through IAM. For example, this example represents API calls to delete a bucket (the action) within S3 (the service):
You are able to list multiple actions, if required, by using a comma to separate them:
Wildcards (*) are also allowed. So, for example, you could create an action to carry out all APIs relating to S3, such as:
The ‘Resource’ element specifies the actual resource you wish the permission to be applied to. AWS uses unique identifiers known as ARNs (Amazon Resource Name) to specify resources. Typically ARNs follow a syntax of:
The ‘Condition’ element of the IAM Policy is an optional element that allows you to specify when the permissions will be activated based upon set conditions. Conditions use key value pairs, and all conditions must be met for the permissions to be activated. Here’s a full listing of these conditions.
Now we have a basic understanding of how JSON scripts are put together and their general flow, let’s see how we can modify existing policies to tweak them to your needs.
There will be times when you may not need to create a policy completely from scratch. You may be able to get away with adapting one that already exists. This can potentially save you a lot of time and effort. Open up your AWS console and select ‘IAM > Policies > Create Policy’. You will be presented with these three options:
For this example, select “Copy an AWS Managed Policy”.
You will then be shown a list all existing AWS managed policies, and there are a LOT! You can narrow your search by using the search function at the top of the page. For this example, I am going to search for S3 policies.
I will select the “AmazonS3FullAccess” IAM policy with the goal of modifying it to only allow full access to a specific bucket (cloudacademyblog).
Once selected, it displays the following JSON policy:
After reviewing this policy, I am happy with the ‘Effect’ and ‘Action’ elements, however I want to modify the ‘Resource’ section, which is currently set to “all” with the * wildcard. I will add the ARN for a specific bucket called ‘cloudacademyblog’. To do this, all I need to do is edit the policy and change the ‘Resource’ line to:
Once edited, I can give the policy a meaningful name and click Save. This policy will now appear in your list of the policies you can assign to your groups and users. Once assigned, it’s always a good idea to test your policy via the simulator by clicking on Simulate Policy.
This will load the policy simulator for the policy I just created:
This shows the policy’s JSON script on the left and, on the right hand side, I can select specific Services and Actions. The image below shows that I have selected ‘S3’ as the Service and ‘Create Bucket’ and ‘Delete Bucket’ as the Actions. I have also added the ARN for the cloudacademyblog bucket in the ‘Resource Type’ field.
Once all the information you want to test is there, click ‘Run Simulation’
The simulator results show that this IAM policy allows those actions to be carried out on the cloudacademyblog bucket. To confirm these actions are not possible on other buckets, I ran the following simulation with the ‘Resource’ set to all (checking all buckets) with the * wildcard:
As you can see, this was denied by the policy as the policy only states that we have full access to the arn:aws:s3:::cloudacademyblog bucket.
If you do not yet feel confident enough to edit existing policies, then AWS provides the IAM Policy Generator. From with the AWS Console select ‘IAM > Policies > Create Policy’ and this time select ‘Policy Generator’.
From here, via drop down boxes, you can select the Effect, Service, Action, and Resource. Additionally, if required, you can also set up conditions. Once all your options are set, click the ‘Add Statement’ button.
The image below shows that I have simply replicated the IAM policy I created in the last section, but this time via the Policy Generator:
When you are happy with your new IAM policy, select ‘Next Step’. From there, you can give your new IAM policy a name and description, and view it as a JSON script. Click ‘Create Policy’ and then attach it to any groups or users as needed.
If you’re ready to write your own IAM policy from scratch, there’s nothing stopping you. From the AWS Console, select ‘IAM > Policies > Create Policy’, and this time select ‘Create your own policy’.
Here you are presented with a blank canvas allowing you to give your policy a name and description…but most importantly, a blank policy document where you can write your JSON document adhering to the policy syntax rules discussed at the beginning of this article.
Once you are happy with your policy, use the ‘Validate Policy’ button at the bottom to determine if there are any errors with your policy. Again, when you are finished click ‘Create Policy’.
As you can see there are a number of methods available to help you refine your IAM policies, and you aren’t forced to use predefined policies. Once you get used to the syntax – and benefits – of writing your own policies, you will be able to effectively and efficiently lock down access to your resources to ensure they are only accessed by authorized API calls.
There are many, many specific commands that can be controlled through an IAM policy, but they’re a bit beyond the scope of this post. AWS provides great API listings for the different services through their extensive documentation for advanced policy writers.
In my next AWS Security article, I will be taking a look at Federated access with IAM, Trusted Advisor, AWS Billing restrictions and AWS Linked accounts. Until then I hope you all have a Happy New year!
Thank you for taking the time to read my article. If you have any feedback please leave a comment below.
Amazon Web Services (AWS) offers three different ways to pay for EC2 Instances: On-Demand, Reserved Instances, and Spot Instances. This article will focus on effective strategies for purchasing Reserved Instances. While most of the major cloud platforms offer pre-pay and reservation dis...
If you’re building applications on the AWS cloud or looking to get started in cloud computing, certification is a way to build deep knowledge in key services unique to the AWS platform. AWS currently offers 11 certifications that cover major cloud roles including Solutions Architect, De...
The AWS Solutions Architect - Associate Certification (or Sol Arch Associate for short) offers some clear benefits: Increases marketability to employers Provides solid credentials in a growing industry (with projected growth of as much as 70 percent in five years) Market anal...
Moving data to the cloud is one of the cornerstones of any cloud migration. Apache NiFi is an open source tool that enables you to easily move and process data using a graphical user interface (GUI). In this blog post, we will examine a simple way to move data to the cloud using NiFi c...
Amazon DynamoDB is a managed NoSQL service with strong consistency and predictable performance that shields users from the complexities of manual setup.Whether or not you've actually used a NoSQL data store yourself, it's probably a good idea to make sure you fully understand the key ...
As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing.As the market leader and most ma...
Learn how Aviatrix’s intelligent orchestration and control eliminates unwanted tradeoffs encountered when deploying Palo Alto Networks VM-Series Firewalls with AWS Transit Gateway.Deploying any next generation firewall in a public cloud environment is challenging, not because of the f...
Use AWS Config the Right Way for Successful ComplianceIt’s well-known that AWS Config is a powerful service for monitoring all changes across your resources. As AWS Config has constantly evolved and improved over the years, it has transformed into a true powerhouse for monitoring your...
Cloud Academy is a proud sponsor of the 2019 AWS Summits in Atlanta, London, and Chicago. We hope you plan to attend these free events that bring the cloud computing community together to connect, collaborate, and learn about AWS. These events are all about learning. You can learn how t...
The AWS cloud platform has made it easier than ever to be flexible, efficient, and cost-effective. However, monitoring your AWS infrastructure is the key to getting all of these benefits. Realizing these benefits requires that you follow AWS best practices which constantly change as AWS...
Amazon Web Services’ resource offerings are constantly changing, and staying on top of their evolution can be a challenge. Elastic Cloud Compute (EC2) instances are one of their core resource offerings, and they form the backbone of most cloud deployments. EC2 instances provide you with...
Before migrating domains to Amazon's Route53, we should first make sure we properly understand how DNS worksWhile we'll get to AWS's Route53 Domain Name System (DNS) service in the second part of this series, I thought it would be helpful to first make sure that we properly understand...