1. Mastering Access Control Policies
Brigid Johnson, Senior Product Manager
AWS Identity and Access Management
2. Goals
• Know more about securing your AWS resources
• Get a deeper understanding of the policy language
• Learn some tips and tricks for most frequent tasks
• Keep this a lively session via demos
– Amazon EC2
– AWS Lambda
5. Policy Specification Basics
Amazon S3 Read-Only
Access Template• JSON-formatted documents
• Contain a statement (permissions)
which specify:
– What actions a principal can perform
– Which resources can be accessed
Example of an IAM user/group/role access policy
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:Get*", "s3:List*"],
"Resource": "*"
}
]
}
6. Anatomy of a Statement
{
"Statement":[{
"Effect":"effect",
"Principal":"principal",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value" }
}
}
]
}
Principal
Action
Resource
Conditions
Effect: Allow
Principal:123456789012:user/bob
Action: s3:*
Resource: jeff_bucket/*
Condition: Referer = example.com
Effect: Deny
Principal:123456789012:user/brad
Action: s3:DeleteBucket
Resource: jeff_bucket
Condition: Referer = example.com
You can have multiple statements and
each statement is comprised of PARK
7. Principal - Examples
• An entity that is allowed or denied access to a resource
• These are indicated by an Amazon Resource Name (ARN)
• A principal element is required for resource-based, but not IAM policies
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"www.amazon.com"}
"Principal":{"Federated":"graph.facebook.com"}
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Replace
with your
account
number
8. Action - Examples
• Describes the type of access that should be allowed or denied
• You can find these in the docs or use the policy editor to get a drop down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!-- S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element-->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<--Use wildcards (* or ?) as part of the action name. This would cover Create/Delete/List/Update-->
"Action":"iam:*AccessKey*"
9. Understanding NotAction
• Let’s you specify an exception to a list of actions
• Can sometimes result in shorter policies than using Action and denying many actions
• Example: Let’s say you want to allow everything but IAM APIs
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]
}
or
This is not a Deny. A user could still have a
separate policy that grants IAM:*
If you want to prevent the user from ever being
able to call IAM APIs, use an explicit deny
Notice the
difference?
10. Understanding NotAction
• Lets you specify an exception to a list of actions
• Can sometimes result in shorter policies than using Action and denying many actions
• Example: Let’s say you want to allow everything but IAM APIs
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]
}
Even more
strict
Grants only what you want while ensuring you’re
always denying what you don’t want granted.
11. Resource - Examples
• The object or objects that are being requested
• Statements must include either a Resource or a NotResource element
<-- S3 Bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
12. Conditions
• Optional criteria that must evaluate to
true for the policy to evaluate as true
(ex. Restrict to an IP address range)
• Can contain multiple conditions
• Condition keys can contain multiple
values
• If a single condition includes multiple
values for one key, the condition is
evaluated using logical OR
• Multiple conditions (or multiple keys in
a single condition) the conditions are
evaluated using logical AND
Condition Element
Condition 1:
Key1: Value1A
Condition 2:
Key3: Value3A
AND
AND
Key2: Value2A OR Value2B
OR ORKey1: Value1A Value1B Value 1C
13. Condition Example
"Condition" : {
"DateGreaterThan" : {"aws:CurrentTime" : "2016-11-13T12:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2016-11-13T15:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
Allows a user to access a resource under the following conditions:
• The time is after 12:00 p.m. on 11/13/2014 AND
• The time is before 3:00 p.m. on 11/13/2014 AND
• The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24 range
All of these conditions must be met in order for the statement to evaluate to TRUE
AND
OR
What if you wanted to restrict access to a timeframe and IP address range?
15. {
"Version": "2012-10-17",
"Statement": [{
"Sid": "THISLIMITSACCESSTOOWNINSTANCES",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:us-east-1:12345678912:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": "${aws:username}"
}
}
}]
}
The Anatomy of a Policy with Variables
Version is required
Variable in conditions
Grants a user access to a home directory in Amazon S3 that can
be accessed programmatically
16. {
"Version": "2012-10-17",
"Statement": [{
"Sid": "InvokePermission",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:us-east-1:12345678912:function:"${aws:username}"
}, {
"Sid": "CloudWatchLogsPerms",
"Effect": "Allow",
"Action": [
"cloudwatchlog:DescribeLogGroups",
"cloudwatchlog:DescribeLogStreams",
"cloudwatchlog:GetLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:12345678912:log-group:/aws/lambda/*"
}]
}
The Anatomy of a Policy with Variables
Variable in
Resource
Grants a user access to a home directory in Amazon S3 that can
be accessed programmatically
18. IAM Policies
Two types of entity-based policies in IAM
• Managed policies (newer way)
– Can be attached to multiple users, groups, and roles
– AWS managed policies (created and managed by AWS)
– Customer managed policies (created and managed by you)
• Up to 5K per policy
• Up to 5 versions
– You can attach 2 managed policies per user, group, role
– You can limit who can attach managed policies
• Inline policies (the older way)
– You create and embed directly in a single user, group, or role
– Variable policy size (2K per user, 5K per group, 10K per role)
20. Inline Policies
Example AWS Account
Group Admins
User Alice User Susan
Role books-app
Role EC2-access
Policy account-admins-mfa
Policy limited-admins-mfa
Policy EC2-access
Policy DynamoDB-books-app
Inline Policies
Group LtdAdmins
User Dave User Sarah
Policy DynamoDB-books-app
21. Resource-Based Policies
• IAM policies live with
– IAM Users
– IAM Groups
– IAM Roles
• Some services allow storing
policy with resources
– Amazon S3 (bucket policy)
– Amazon Glacier (vault policy)
– Amazon SNS (topic policy)
– Amazon SQS (queue policy)
{
"Statement":
{
"Sid":"Queue1_SendMessage",
"Effect": "Allow",
"Principal": {"AWS": "111122223333"},
"Action": "sqs:SendMessage",
"Resource":
"arn:aws:sqs:us-east-1:444455556666:queue1"
}
}
Principal required here
Managed policies
apply only to users,
groups, and roles -
not resources
25. Time for Policy Demos with Amazon EC2:
1) Allow your developers to poke around
the EC2 Console.
2) Allow your developers to start and stop
their own developer machines
3) Allow your developers to launch new
instances for a proof of concept.
26. Allow your developers to poke around the EC2 Console.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "THISALLOWSEC2READACCESS",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*",
"autoscaling:Describe*"
],
"Resource": "*"
}]
}
Necessary Actions
to navigate the EC2
Console
28. Allow your developers to start and stop their own developer
machines.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "THISLIMITSACCESSTOOWNINSTANCES",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:us-east-1:12345678912:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": "${aws:username}"
}
}
}]
}
Don’t forget: we
need the read policy
too!
Policy Variable
How does this tag get there? Let’s talk about it.
29. Categorize Your Amazon EC2 Resources
Use tags as a resource attribute
Be careful who you allow to tag
your resources if you use tags for
access control
34. Determining if a Request is Allowed or Denied
Final decision =“deny”
(explicit deny)
Yes
Final decision =“allow”
Yes
No Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
Applicable
policies
2
Is there an
explicit
deny?
3
No Final decision =“deny”
(default deny)
5
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the action
& conditions are evaluated
• If a policy statement
has a deny, it trumps
all other policy
statements
• Access is granted
if there is an
explicit allow and
no deny
• By default, a
implicit (default)
deny is returned
35. Time for Policy Demos with Lambda:
1) Allow your developers to navigate
existing Lambda functions.
2) Enable your developers to invoke a
specific Lambda function.
36. Allow your developers to navigate existing Lambda functions.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DisplayFunctionDetailsPermissions",
"Effect": "Allow",
"Action": [
"lambda:ListVersionsByFunction",
"lambda:ListFunctions",
"lambda:ListAliases",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:ListEventSourceMappings",
"lambda:GetPolicy",
"lambda:GetAccountSettings"
],
"Resource": "*"
}]
}
Necessary Actions
to navigate the
Lambda Console
42. Decoding the EC2 Authorization Message
• The decoded message includes:
– Whether the request was denied due
to an explicit deny or absence of an
explicit allow.
– The principal who made the request.
– The requested action.
– The requested resource.
– The values of condition keys in the
context of the user's request.
The message is encoded because the details of the
authorization status can constitute privileged
information!
• Additional information about the authorization status of a request
Output
43. Steps to Decode
1. Run the decode-authorization command
aws sts decode-authorization-message --encoded-message encodedmessage
Output
{
"DecodedMessage":
"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},
"failures":{"items":[]},"context":{"principal":{"id":"AIDAEXAMPLEKXD
6SH2EXE","name":"Bob","arn
":"arn:aws:iam::accountid:user/Bob"},"action":"ec2:RunInstances",
"resource":"arn:aws:ec2:us-east-1:accountid:key-
pair/keypairid","conditions":{"items":[{"key":"ec2:Region","values":{
"items":[{"value":"us-east-1"}]}}]}}}"
}
44. Steps to Decode
2. Remove the “DecodeMessage” Wrapper
Output
{
"DecodedMessage":
"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},
"failures":{"items":[]},"context":{"principal":{"id":"AIDAEXAMPLEKXD
6SH2EXE","name":"Bob","arn
":"arn:aws:iam::accountid:user/Bob"},"action":"ec2:RunInstances",
"resource":"arn:aws:ec2:us-east-1:accountid:key-
pair/keypairid","conditions":{"items":[{"key":"ec2:Region","values":{
"items":[{"value":"us-east-1"}]}}]}}}"
}
45. Steps to Decode
3. Format using your favorite
JSON tool
4. Now you can see what failed
{
"allowed": false,
"explicitDeny": false,
"matchedStatements": {
"items": []
},
"failures": {
"items": []
},
"context": {
"principal": {
"id": "AIDAEXAMPLEKXD6SH2EXE",
"name": "Bob",
"arn": "arn: aws: iam: : accountid: user/Bob"
},
"action": "ec2: RunInstances",
"resource": "arn: aws: ec2: us-east-1: accountid: key-pair/keypairid",
"conditions": {
"items": [
{
"key": "ec2: Region",
"values": {
"items": [
{
"value": "us-east-1"
} ] } } ] } } }
46. Summary
• IAM provides access control for your AWS account
• The policy language authorizes that access
• All applicable policies are evaluated
– Users are denied access by default
– Deny always trumps an allow
• Use policy variables and remember the version!
• Keep in mind what Amazon EC2 actions or
resources are currently supported
Brigid to Add a use case. Why would customers want to launch an instance with a specific tag.
You can create standalone policies that you administer in your own AWS account, which we refer to as a customer managed policies. You can then attach the policies to multiple principal entities in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.
The following diagram illustrates customer managed policies. Each policy is an entity in IAM with its own Amazon Resource Name (ARN) that includes the policy name. Notice that the same policy can be attached to multiple principal entities—for example, the same DynamoDB-books-app policy is attached to two different IAM roles.
Brigid to Add a use case. Why would customers want to launch an instance with a specific tag.