Protecting Web Apps with AWS WAF
AWS Security Hub
The course is part of this learning path
In this section of the AWS Certified: SAP on AWS Specialty learning path, we introduce you to the various Security services currently available in AWS that are relevant to the PAS-C01 exam.
- Understand the purpose of AWS user and identity management
- Identify resources and capabilities for AWS network security
- Understand how to evaluate the security of an AWS environment
- Describe AWS services used to create a comprehensive security solution for SAP deployments
The AWS Certified: SAP on AWS Specialty certification has been designed for anyone who has experience managing and operating SAP workloads. Ideally you’ll also have some exposure to the design and implementation of SAP workloads on AWS, including migrating these workloads from on-premises environments. Many exam questions will require a solutions architect level of knowledge for many AWS services, including AWS Security services. All of the AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
Hello and welcome to this lecture where I will show you how to create your IAM policies. Let's start by creating an identity-based, customer managed policy, and there are a number of ways to create a customer managed policy, these being, copy an existing AWS Managed Policy. So we can copy an existing policy and then edit that policy to ensure it meets the requirements we need, and this can save us some time.
We can use the Policy Generator, and this allows you to create a customer managed policy by selecting options from a series of dropdown boxes. And we can also create our own policy. So if you're proficient in JSON and the syntax of IAM policy writing, then you can write your own policies from scratch or paste in a JSON policy from another source. So I now want to give you a quick demonstration on how to create a policy in each of these three ways. And the demonstration will include, how to create a customer managed policy by editing an existing AWS managed policy, how to create a customer managed policy using the Policy Generator, and how to create a customer managed policy from scratch. So let's take a look.
Okay, so I've logged into my AWS Management Console, and I'm at the IAM dashboard, and I've gone into Policies. So from here, we can create a number of different IAM policies. And the first method I'm going to show you is how to copy and import an existing AWS managed policy to create your own, if you need to make a few changes to it. So let's go ahead and do that now. So from here, we need to go across to Create Policy.
Now, from here, we have an option on the top right here called Import Managed Policy, and that's what we want to do. I want to import an AWS managed policy and then make a couple of small changes to it. So if I select Import Managed Policy and then find the policy that I want to find. So let's, for example, look at AmazonS3FullAccess, import that, and we can see here that it's imported the data. And if we look at the JSON tab, we can actually see the JSON format of that policy, and from here, we can directly make changes.
So for this quick demonstration, I want to copy this existing policy, but instead of allowing any resource, I want to specify my own resource for this, which will mean instead of this policy being, allow full access to Amazon S3, it allow full access to a specific bucket on Amazon S3. So let me go ahead and make those changes now. So I'm gonna change the asterisks from Resource and put in my own specific ARN of a bucket. So now, I've changed the resource to my own ARN.
So now, all I need to do is click on Next, go to Tags, and I can add any optional tags if I want. I'm just gonna leave that blank for this demonstration. Go across to Review, and here I can give this new policy a name. So I can call it S3FullAccessToMyBucket. And description, this allows full S3 access to ca-bucket-uk. And it gives you a summary of the policy here. So we can see the service that it's using, the access level, and also the resource. Once we're happy with that, we can simply click on Create Policy. And we can see that that policy has now been created.
Now, if we have a look at that policy, just by clicking on it there, it'll take us straight to it, and we can see the JSON version of the policy. So that's a very quick and easy way if you want to save yourself some time by copying existing S3 managed policies that are already there. Now, I chose a fairly simple policy just for demonstration, but there are some quite complex policies that AWS already have that you might need to just tweak a few changes to so you can simply import those existing managed policies, make your changes, and then save it as a new customer managed policy.
Okay, so that's the first method covered. Now, next, I want to show you how to create a policy using something called the AWS Policy Generator. Now, if you simply go to Google and type in the AWS Policy Generator, then it'll come up straight away, and you'll be brought to a page like this. Now, the actual URL of this Policy Generator, if you'd prefer to type it in, is awspolicygen.s3.amazonasw.com/policygen.html. So this is a Policy Generator, and it allows you to easily create different types of AWS policies.
So if we look at this drop down list here, we can create an SQS policy, an S3 bucket policy, which, as we know, is a resource-based policy, a VPC endpoint policy, an IAM policy, and an SNS topic policy. We're interested in the IAM policy. So if we select that, now, in step two, we can add our statements. Now, here, we have our effect, which can be allow or deny. So let's say allow for this example. And then, we can select the service that we're interested in. Let's select Amazon S3 to keep it nice and simple. And now, we can select our actions.
Now, we can select individual actions here just through these tick boxes for any actions that we're interested in. So I'll just select a number of different ones there. And you can see here that it's selected five actions. If you wanted all actions, you would simply tick this box. And then, you'd put in the ARN of the bucket. So let's just put in that same bucket that we used in the previous example. And then, here, we can also add in any conditions that we'd like. So just through a series of dropdown boxes, you can specify any conditions that you'd like in there as well. And then, once you're happy with your policy, simply select Add Statement. And here, it breaks down a summary as well. So it shows the effect, the action, the actions that we selected, the resource, and if there's any conditions, which we didn't specify any.
Now, if you wanted to, we can now add an additional statement. So for example, if we wanted to add some RDS elements in here as well, we can select AWS Service, select a load of actions, put in the ARN of your RDS database, and also add that statement to the same policy. Then, once you're happy with your policy and the number of statements that you've added, simply click Generate Policy. And here, it shows you the JSON view of the policy that you would need based on your dropdown selection. So what you can do now is simply copy that, go back to IAM, go to your policies, Create Policy, go to the JSON tab, and simply paste it in. So it's a very quick way of creating a policy through a series of dropdown boxes. And again, you can just progress through, adding any tags that you need to do, give this a name, ThisIsMyPolicy, and then click Create Policy. And again, you can see that this has been created. You can select that. And again, we can see the JSON statement there.
So now, we've looked at how to create a policy by copying an existing AWS managed policy. We've looked at how to use the AWS Policy Generator. Now, let's just quickly review how to create a policy from scratch. So again, go back to Policies and then Create Policy. Now, you can either use this visual editor or go straight to JSON, and you can start typing out your policy in here as and how you need it, or you can use the visual editor, which is very similar to the Policy Generator we just looked at, where, again, you can choose a service, then the specific actions, say all S3 actions, then you can specify the resources, whether you want this, again, as an access point, a bucket, a job, an object. So you can say any object. Then, you can specify any conditions, if you need MFA or specific source IP, for example. And again, you can also add additional permissions here.
So almost like another statement. It's very similar to the Policy Generator. But for me, personally, I think the Policy Generator is slightly easier to understand. And then, once you have your settings as you want them, and this has all been pre-filled from the options from the visual editor, and, again, click Tags, then Review, and then give this a name, MyPolicy, and then go to Create Policy. And if we take a look at the policy, we can just see its details again. And again, this shows the JSON view, et cetera. And if we wanted to edit the policy directly here, then we can. Click on Edit. Then, we can either edit through the visual editor, or we can directly edit the JSON view as well. So that's just a couple of ways of creating your IAM policies in a few very simple steps.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.