by Brigid Johnson, Sr. Product Manager, AWS Identity and Access Management, AWS

1. Mastering Access Control Policies
Brigid Johnson, Senior Product Manager
AWS Identity and Access Management

2. Goals
• Know more about securing your AWS resources
• Get a deeper understanding of the policy language
• Learn some tips and tricks for most frequent tasks
• Keep this a lively session via demos
– Amazon EC2
– AWS Lambda

3. Launch new Instances
Demo

4. The Policy Language

5. Policy Specification Basics
Amazon S3 Read-Only
Access Template• JSON-formatted documents
• Contain a statement (permissions)
which specify:
– What actions a principal can perform
– Which resources can be accessed
Example of an IAM user/group/role access policy
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:Get*", "s3:List*"],
"Resource": "*"
}
]
}

6. Anatomy of a Statement
{
"Statement":[{
"Effect":"effect",
"Principal":"principal",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value" }
}
}
]
}
Principal
Action
Resource
Conditions
Effect: Allow
Principal:123456789012:user/bob
Action: s3:*
Resource: jeff_bucket/*
Condition: Referer = example.com
Effect: Deny
Principal:123456789012:user/brad
Action: s3:DeleteBucket
Resource: jeff_bucket
Condition: Referer = example.com
You can have multiple statements and
each statement is comprised of PARK

7. Principal - Examples
• An entity that is allowed or denied access to a resource
• These are indicated by an Amazon Resource Name (ARN)
• A principal element is required for resource-based, but not IAM policies
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"www.amazon.com"}
"Principal":{"Federated":"graph.facebook.com"}
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Replace
with your
account
number

8. Action - Examples
• Describes the type of access that should be allowed or denied
• You can find these in the docs or use the policy editor to get a drop down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!-- S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element-->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<--Use wildcards (* or ?) as part of the action name. This would cover Create/Delete/List/Update-->
"Action":"iam:*AccessKey*"

9. Understanding NotAction
• Let’s you specify an exception to a list of actions
• Can sometimes result in shorter policies than using Action and denying many actions
• Example: Let’s say you want to allow everything but IAM APIs
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]
}
or
This is not a Deny. A user could still have a
separate policy that grants IAM:*
If you want to prevent the user from ever being
able to call IAM APIs, use an explicit deny
Notice the
difference?

10. Understanding NotAction
• Lets you specify an exception to a list of actions
• Can sometimes result in shorter policies than using Action and denying many actions
• Example: Let’s say you want to allow everything but IAM APIs
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]
}
Even more
strict
Grants only what you want while ensuring you’re
always denying what you don’t want granted.

11. Resource - Examples
• The object or objects that are being requested
• Statements must include either a Resource or a NotResource element
<-- S3 Bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"

12. Conditions
• Optional criteria that must evaluate to
true for the policy to evaluate as true
(ex. Restrict to an IP address range)
• Can contain multiple conditions
• Condition keys can contain multiple
values
• If a single condition includes multiple
values for one key, the condition is
evaluated using logical OR
• Multiple conditions (or multiple keys in
a single condition) the conditions are
evaluated using logical AND
Condition Element
Condition 1:
Key1: Value1A
Condition 2:
Key3: Value3A
AND
AND
Key2: Value2A OR Value2B
OR ORKey1: Value1A Value1B Value 1C

13. Condition Example
"Condition" : {
"DateGreaterThan" : {"aws:CurrentTime" : "2016-11-13T12:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2016-11-13T15:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
Allows a user to access a resource under the following conditions:
• The time is after 12:00 p.m. on 11/13/2014 AND
• The time is before 3:00 p.m. on 11/13/2014 AND
• The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24 range
All of these conditions must be met in order for the statement to evaluate to TRUE
AND
OR
What if you wanted to restrict access to a timeframe and IP address range?

14. Policy Variables

15. {
"Version": "2012-10-17",
"Statement": [{
"Sid": "THISLIMITSACCESSTOOWNINSTANCES",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:us-east-1:12345678912:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": "${aws:username}"
}
}
}]
}
The Anatomy of a Policy with Variables
Version is required
Variable in conditions
Grants a user access to a home directory in Amazon S3 that can
be accessed programmatically

16. {
"Version": "2012-10-17",
"Statement": [{
"Sid": "InvokePermission",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:us-east-1:12345678912:function:"${aws:username}"
}, {
"Sid": "CloudWatchLogsPerms",
"Effect": "Allow",
"Action": [
"cloudwatchlog:DescribeLogGroups",
"cloudwatchlog:DescribeLogStreams",
"cloudwatchlog:GetLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:12345678912:log-group:/aws/lambda/*"
}]
}
The Anatomy of a Policy with Variables
Variable in
Resource
Grants a user access to a home directory in Amazon S3 that can
be accessed programmatically

17. Managing Your Policies

18. IAM Policies
Two types of entity-based policies in IAM
• Managed policies (newer way)
– Can be attached to multiple users, groups, and roles
– AWS managed policies (created and managed by AWS)
– Customer managed policies (created and managed by you)
• Up to 5K per policy
• Up to 5 versions
– You can attach 2 managed policies per user, group, role
– You can limit who can attach managed policies
• Inline policies (the older way)
– You create and embed directly in a single user, group, or role
– Variable policy size (2K per user, 5K per group, 10K per role)

19. AWS vs. Customer Managed Policies

20. Inline Policies
Example AWS Account
Group Admins
User Alice User Susan
Role books-app
Role EC2-access
Policy account-admins-mfa
Policy limited-admins-mfa
Policy EC2-access
Policy DynamoDB-books-app
Inline Policies
Group LtdAdmins
User Dave User Sarah
Policy DynamoDB-books-app

21. Resource-Based Policies
• IAM policies live with
– IAM Users
– IAM Groups
– IAM Roles
• Some services allow storing
policy with resources
– Amazon S3 (bucket policy)
– Amazon Glacier (vault policy)
– Amazon SNS (topic policy)
– Amazon SQS (queue policy)
{
"Statement":
{
"Sid":"Queue1_SendMessage",
"Effect": "Allow",
"Principal": {"AWS": "111122223333"},
"Action": "sqs:SendMessage",
"Resource":
"arn:aws:sqs:us-east-1:444455556666:queue1"
}
}
Principal required here
Managed policies
apply only to users,
groups, and roles -
not resources

22. Enough Already…
Let’s look at some examples

23. But wait…Just in…today…
Policy Summaries in the IAM
Console
Let’s check it out

24. Demos for 3 service:
1) EC2
2) Lambda

25. Time for Policy Demos with Amazon EC2:
1) Allow your developers to poke around
the EC2 Console.
2) Allow your developers to start and stop
their own developer machines
3) Allow your developers to launch new
instances for a proof of concept.

26. Allow your developers to poke around the EC2 Console.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "THISALLOWSEC2READACCESS",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*",
"autoscaling:Describe*"
],
"Resource": "*"
}]
}
Necessary Actions
to navigate the EC2
Console

27. Entering….
EC2 Resource-Level Permissions

28. Allow your developers to start and stop their own developer
machines.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "THISLIMITSACCESSTOOWNINSTANCES",
"Effect": "Allow",
"Action": [
"ec2:RebootInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:us-east-1:12345678912:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Owner": "${aws:username}"
}
}
}]
}
Don’t forget: we
need the read policy
too!
Policy Variable
How does this tag get there? Let’s talk about it.

29. Categorize Your Amazon EC2 Resources
Use tags as a resource attribute
Be careful who you allow to tag
your resources if you use tags for
access control

30. Remember this?
Launch new Instances
Demo

31. Allow your developers to launch new instances for a proof of
concept.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:028103658970:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": "t2.micro"
}
}
}, {
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:028103658970:subnet/*",
"arn:aws:ec2:us-east-1:028103658970:volume/*",
"arn:aws:ec2:us-east-1:028103658970:network-interface/*",
"arn:aws:ec2:us-east-1:028103658970:key-pair/*",
"arn:aws:ec2:us-east-1:028103658970:security-group/*",
"arn:aws:ec2:us-east-1::image/ami-*"
]
}]
}
Instance Size

32. Supported Amazon EC2 Actions
http://docs.aws.amazon.com/AWSEC2
/latest/UserGuide/ec2-supported-iam-
actions-resources.html
Your best
friend!

33. Policy Enforcement

34. Determining if a Request is Allowed or Denied
Final decision =“deny”
(explicit deny)
Yes
Final decision =“allow”
Yes
No Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
Applicable
policies
2
Is there an
explicit
deny?
3
No Final decision =“deny”
(default deny)
5
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the action
& conditions are evaluated
• If a policy statement
has a deny, it trumps
all other policy
statements
• Access is granted
if there is an
explicit allow and
no deny
• By default, a
implicit (default)
deny is returned

35. Time for Policy Demos with Lambda:
1) Allow your developers to navigate
existing Lambda functions.
2) Enable your developers to invoke a
specific Lambda function.

36. Allow your developers to navigate existing Lambda functions.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DisplayFunctionDetailsPermissions",
"Effect": "Allow",
"Action": [
"lambda:ListVersionsByFunction",
"lambda:ListFunctions",
"lambda:ListAliases",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:ListEventSourceMappings",
"lambda:GetPolicy",
"lambda:GetAccountSettings"
],
"Resource": "*"
}]
}
Necessary Actions
to navigate the
Lambda Console

37. Entering….
Lambda Resource-Level
Permissions

38. Enable your developers to invoke a specific Lambda function.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "InvokePermission",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:us-east-1:028103658970:function:HelloWorld"
}, {
"Action": [
"logs:Describe*",
"logs:Get*",
"logs:TestMetricFilter",
"logs:FilterLogEvents"
],
"Effect": "Allow",
"Resource": "*"
}]
}
Specific resource
Read the logs

39. Testing and Debugging

40. Policy Editor
• Policy validation checks:
– JSON errors
– Policy grammar errors
• Policy formatting:
– On demand
– Auto-formatting

41. Policy Simulator

42. Decoding the EC2 Authorization Message
• The decoded message includes:
– Whether the request was denied due
to an explicit deny or absence of an
explicit allow.
– The principal who made the request.
– The requested action.
– The requested resource.
– The values of condition keys in the
context of the user's request.
The message is encoded because the details of the
authorization status can constitute privileged
information!
• Additional information about the authorization status of a request
Output

43. Steps to Decode
1. Run the decode-authorization command
aws sts decode-authorization-message --encoded-message encodedmessage
Output
{
"DecodedMessage":
"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},
"failures":{"items":[]},"context":{"principal":{"id":"AIDAEXAMPLEKXD
6SH2EXE","name":"Bob","arn
":"arn:aws:iam::accountid:user/Bob"},"action":"ec2:RunInstances",
"resource":"arn:aws:ec2:us-east-1:accountid:key-
pair/keypairid","conditions":{"items":[{"key":"ec2:Region","values":{
"items":[{"value":"us-east-1"}]}}]}}}"
}

44. Steps to Decode
2. Remove the “DecodeMessage” Wrapper
Output
{
"DecodedMessage":
"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},
"failures":{"items":[]},"context":{"principal":{"id":"AIDAEXAMPLEKXD
6SH2EXE","name":"Bob","arn
":"arn:aws:iam::accountid:user/Bob"},"action":"ec2:RunInstances",
"resource":"arn:aws:ec2:us-east-1:accountid:key-
pair/keypairid","conditions":{"items":[{"key":"ec2:Region","values":{
"items":[{"value":"us-east-1"}]}}]}}}"
}

45. Steps to Decode
3. Format using your favorite
JSON tool
4. Now you can see what failed
{
"allowed": false,
"explicitDeny": false,
"matchedStatements": {
"items": []
},
"failures": {
"items": []
},
"context": {
"principal": {
"id": "AIDAEXAMPLEKXD6SH2EXE",
"name": "Bob",
"arn": "arn: aws: iam: : accountid: user/Bob"
},
"action": "ec2: RunInstances",
"resource": "arn: aws: ec2: us-east-1: accountid: key-pair/keypairid",
"conditions": {
"items": [
{
"key": "ec2: Region",
"values": {
"items": [
{
"value": "us-east-1"
} ] } } ] } } }

46. Summary
• IAM provides access control for your AWS account
• The policy language authorizes that access
• All applicable policies are evaluated
– Users are denied access by default
– Deny always trumps an allow
• Use policy variables and remember the version!
• Keep in mind what Amazon EC2 actions or
resources are currently supported

47. Additional resources
• Documentation
• http://aws.amazon.com/documentation/iam/
• http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-
permissions.html
• AWS Security Blog (blogs.aws.amazon.com/security)
• http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-
Resource-Level-Permissions
– http://blogs.aws.amazon.com/security/post/Tx29ZC3VE9SQGQM/Granting-Users-
Permission-to-Work-in-the-Amazon-EC2-Console
• http://aws.amazon.com/iam
• https://forums.aws.amazon.com/forum.jspa?forumID=76
• Twitter: @AWSIdentity
• brigidj@amazon.com

48. aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS