This document discusses limiting Amazon EC2 instance types that a user can start. It provides an example policy that attempts to limit starting an EC2 instance except for t2.* instance types. The policy would be created as a managed policy and attached to an IAM user. Then the expected behavior is demonstrated.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
IAM Policy Ninja
B r i g i d J o h n s o n
M a n a g e r , P r o d u c t M a n a g e m e n t – A W S I d e n t i t y
N o v e m b e r 2 9 , 2 0 1 7
SID 314

2. Limit Amazon EC2 instance types
Demo

3. Limit Amazon EC2 instance types
Demo
• Goal: Limit a user from starting an instance unless the
instance is t2.*
• L
– Create a managed policy that attempts to limit starting an EC2
instance except for these instance types.
– Attach that policy to an IAM user.

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Before

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Before Now!

6. What to expect from this session
Learn the policy language to control access to your
AWS resources
Understand the different types of policies, why to use
them, and how they work together
Get to know the tools available to help you with
policies
Become a policy ninja!

7. The policy language

8. The policy language
• Provides authorization
• Two parts:
– Specification: Defining access policies
– Enforcement: Evaluating policies

9. {
"Statement":[{
"Effect":"effect",
"Principal":"principal",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value" }
}
}
]
}
JSON-formatted documents
Contain a statement (permissions)
that specifies:
• Which actions a principal can
perform
• Which resources can be accessed
You can have multiple statements and
each statement is comprised of PARC
Policy specification basics

10. {
"Statement":[{
"Effect":"effect",
"Principal":"principal",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value" }
}
}
]
}
JSON-formatted documents
Contain a statement (permissions)
that specifies:
• Which actions a principal can
perform
• Which resources can be accessed
Principal
Action
Resource
Condition
You can have multiple statements and
each statement is comprised of PARC
Policy specification basics

11. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
Principal
Action
Resource
Condition

12. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
Principal
Action
Resource
Condition

13. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
Principal
Action
Resource
Condition

14. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
Principal
Action
Resource
Condition

15. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
Principal
Action
Resource
Condition

16. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
Principal
Action
Resource
Condition

17. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Principal
Action
Resource
Condition

18. Principal: Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Replace
with your
account
number
Principal
Action
Resource
Condition

19. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
Principal
Action
Resource
Condition

20. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
Principal
Action
Resource
Condition

21. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
Principal
Action
Resource
Condition

22. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!– Amazon S3 action -->
"Action":"s3:GetObject"
Principal
Action
Resource
Condition

23. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!– Amazon S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element-->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
Principal
Action
Resource
Condition

24. Action: Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!– Amazon S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element-->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<-- Wildcards (* or ?) in the action name. Below covers create/delete/list/update-->
"Action":"iam:*AccessKey*"
Principal
Action
Resource
Condition

25. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
Principal
Action
Resource
Condition

26. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
Principal
Action
Resource
Condition

27. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
Principal
Action
Resource
Condition

28. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
Principal
Action
Resource
Condition

29. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
Principal
Action
Resource
Condition

30. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
Principal
Action
Resource
Condition

31. Resource: Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket/*"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
Principal
Action
Resource
Condition
Replace
with your
account
number

32. Condition example
Principal
Action
Resource
Condition

33. Condition example
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition

34. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition

35. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
AND
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition

36. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
AND
OR
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition

37. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
Allows a user to access a resource under the following conditions:
• Anytime on Christmas day 2017 GMT from a source IP in the range
• The time is after 8 A.M. GMT on 12/25/2017 AND
• The time is before 8 A.M. GMT on 12/26/2017 AND
• The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24
range
AND
OR
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition

38. Condition example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-12-25T08:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-26T08:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
Allows a user to access a resource under the following conditions:
• Anytime on Christmas day 2017 GMT from a source IP in the range
• The time is after 8 A.M. GMT on 12/25/2017 AND
• The time is before 8 A.M. GMT on 12/26/2017 AND
• The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24
range
• A
AND
OR
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition

39. Policy enforcement

40. Policy enforcement

41. Policy enforcement
Decision
starts at Deny
1

42. Policy enforcement
Decision
starts at Deny
1
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated

43. Policy enforcement
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated

44. Policy enforcement
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated

45. Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
• If a policy statement
has a Deny, it
trumps all other
policy statements

46. Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
No Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
• If a policy statement
has a Deny, it
trumps all other
policy statements

47. Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
Final decision =“Allow”
Yes
No Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
• If a policy statement
has a Deny, it
trumps all other
policy statements
• Access is granted
if there is an
explicit Allow and
no Deny

48. Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
Final decision =“Allow”
Yes
No Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
No Final decision =“Deny”
(default Deny)
5
• AWS retrieves all policies
associated with the user and
resource
• Only policies that match the
action and conditions are
evaluated
• If a policy statement
has a Deny, it
trumps all other
policy statements
• Access is granted
if there is an
explicit Allow and
no Deny
• By default, an
implicit (default)
Deny is returned

49. It’s not just IAM policies
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
S p e c i f i c A W S s e r v i c e s
R e s o u r c e - b a s e d p o l i c i e s
E x a m p l e : A m a z o n S 3 b u c k e t p o l i c i e s
A W S I d e n t i t y a n d A c c e s s M a n a g e m e n t
I n l i n e p o l i c i e s
M a n a g e d p o l i c i e s
A W S S e c u r i t y T o k e n S e r v i c e ( S T S )
S c o p e d - d o w n p o l i c i e s
All use the
same policy
language

50. What is AWS Organizations?

51. When to use each type of permission policy

52. When to use each type of permission policy
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
G u a r d r a i l s o n t h e a c c o u n t
t o d i s a b l e a c c e s s t o s e r v i c e s

53. When to use each type of permission policy
A W S I A M
I n l i n e p o l i c i e s
M a n a g e d p o l i c i e s
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
G u a r d r a i l s o n t h e a c c o u n t
t o d i s a b l e a c c e s s t o s e r v i c e s
S e t g r a n u l a r p e r m i s s i o n s
b a s e d o n f u n c t i o n s t h a t
u s e r s o r a p p l i c a t i o n s n e e d
t o p e r f o r m

54. When to use each type of permission policy
A W S I A M
I n l i n e p o l i c i e s
M a n a g e d p o l i c i e s
A W S S T S
S c o p e d - d o w n p o l i c i e s
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
G u a r d r a i l s o n t h e a c c o u n t
t o d i s a b l e a c c e s s t o s e r v i c e s
S e t g r a n u l a r p e r m i s s i o n s
b a s e d o n f u n c t i o n s t h a t
u s e r s o r a p p l i c a t i o n s n e e d
t o p e r f o r m
R e d u c e g e n e r a l s h a r e d
p e r m i s s i o n s f u r t h e r

55. When to use each type of permission policy
A W S I A M
I n l i n e p o l i c i e s
M a n a g e d p o l i c i e s
A W S S T S
S c o p e d - d o w n p o l i c i e s
A W S O r g a n i z a t i o n s
S e r v i c e c o n t r o l p o l i c i e s ( S C P s )
S p e c i f i c A W S s e r v i c e s
R e s o u r c e - b a s e d p o l i c i e s
E x a m p l e : S 3 b u c k e t p o l i c i e s
G u a r d r a i l s o n t h e a c c o u n t
t o d i s a b l e a c c e s s t o s e r v i c e s
S e t g r a n u l a r p e r m i s s i o n s
b a s e d o n f u n c t i o n s t h a t
u s e r s o r a p p l i c a t i o n s n e e d
t o p e r f o r m
R e d u c e g e n e r a l s h a r e d
p e r m i s s i o n s f u r t h e r
C r o s s - a c c o u n t a c c e s s a n d
t o c o n t r o l a c c e s s f r o m t h e
r e s o u r c e

56. How they work together—for an account

57. How they work together—for an account
Service
control
policies
Allow
S3:PutObject

58. How they work together—for an account
Service
control
policies
Allow
S3:PutObject

59. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Union
Allow
S3:PutObject

60. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Scoped-
down
policies
Union
Allow
S3:PutObject

61. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Scoped-
down
policies
Union
Allow
S3:PutObject

62. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Allow
S3:PutObject

63. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Union
Allow
S3:PutObject

64. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Union
Allow
S3:PutObject
Allow S3:PutObject

65. How they work together—for an account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Union
Does not allow
S3:PutObject

66. How they work together—across account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Union
Allow
S3:PutObject
Allow S3:PutObject

67. How they work together—across account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Allow
S3:PutObject
Allow S3:PutObject

68. How they work together—across account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Allow
S3:PutObject
Allow S3:PutObject

69. How they work together—across account
Service
control
policies
IAM
managed
policies
IAM inline
policies
Resource-
based
policiesScoped-
down
policies
Union
Allow
S3:PutObject
Allow S3:PutObject
Intersection
Allow
S3:PutObject

70. Enough already –
Let’s look at some examples

71. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SCP
• Allows *.* (all services and
actions)
• Denies all AWS Directory
Service and Amazon Polly
• Denies AWS CloudTrail to stop
trail logging
IAM policy—Attached to Casey
• Allows Amazon S3 read to a
specific bucket
• Allows AWS CloudTrail stop
trail logging (oops!)
Demo with SCPs and IAM policies

72. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": “DenyUnapprovedActions",
"Effect": "Deny",
"Action": ["polly:*",
"ds:*",
"cloudtrail:StopLogging"
],
"Resource": ["*"]
}]
}
SCP

73. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": “DenyUnapprovedActions",
"Effect": "Deny",
"Action": ["polly:*",
"ds:*",
"cloudtrail:StopLogging"
],
"Resource": ["*"]
}]
}
SCP
Don’t Forget!
We also have
an Allow *.*
policy attached
to this OU

74. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::reinvent-2017-policy-ninja-dev/*",
"arn:aws:s3:::reinvent-2017-policy-ninja-dev"]
}, {
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets", "s3:HeadBucket", "s3:ListObjects"],
"Resource": "*"
}]
}
IAM policy – Attached to Casey – S3

75. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudtrail:LookupEvents",
"cloudtrail:StopLogging",
"cloudtrail:ListPublicKeys",
"cloudtrail:ListTags",
"cloudtrail:GetTrailStatus",
"cloudtrail:GetEventSelectors",
"cloudtrail:DescribeTrails"
],
"Resource": "*"
}] }
IAM policy – Attached to Casey – CloudTrail

76. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is the outcome?
Situation 1
Developer Casey turns off CloudTrail logging

77. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is the outcome?
Situation 1
Developer Casey turns off CloudTrail logging

78. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is the outcome?
Situation 2
Developer Casey reads an object from a bucket

79. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is the outcome?
Situation 2
Developer Casey reads an object from a bucket

80. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is the outcome?
Situation 3
Situation 2
Developer Casey reads an object from a bucket

81. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is the outcome?
Situation 3
Developer Casey adds an object to the same bucket
Situation 2
Developer Casey reads an object from a bucket

82. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is the outcome?
Situation 3
Developer Casey adds an object to the same bucket
Situation 2
Developer Casey reads an object from a bucket

83. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SCP policy
• Allows *.*
• Denies all Directory Service
and Amazon Polly
• Denies CloudTrail to stop trail
logging
IAM policy – Attached to Casey
• Allows S3 read to a specific
bucket
Demo with SCP, IAM, and bucket policy
S3 bucket policy
• Allows S3 write for Casey

84. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowPutObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789123:user/Casey"
},
"Action": "s3:putobject",
"Resource": "arn:aws:s3:::reinvent-2017-policy-ninja-dev/*"
}]
}
Now we add a bucket policy

85. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bucket policy at play – New outcome!
Situation 2 – Same account
Developer Casey adds an object to the same bucket

86. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bucket policy at play – New outcome!
Situation 2 – Same account
Developer Casey adds an object to the same bucket

87. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SCP policy
• Allows *.*
• Denies all Directory Service
and Amazon Polly.
• Denies CloudTrail to stop trail
logging
IAM policy – Attached to Casey
• Allows S3 read to a specific
bucket
What about cross-account?
S3 bucket policy in a different
account
• Allows S3 write for Casey

88. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cross-account S3 bucket
Situation 2 – Different account
Developer Casey adds an object to a bucket in a different account

89. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cross-account S3 bucket
Situation 2 – Different account
Developer Casey adds an object to a bucket in a different account

90. Recap
Review of IAM policy language
Review of how policies work together to control
access
Policy tools – Create, test, and correct policies
Policy Foo – Ninja moves with Amazon EC2
Additional resources

91. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Policy Tools – Policy summaries
An easier way to understand the permissions your policies grant
 Summary of service and access level
 Four types of access levels for actions
 List – See a list of resources
 Read – Read the content in resources
 Write – Create, delete, or modify resources
 Permissions – Grant or modify permissions to resources
 Show remaining services and actions
 Identify and correct errors in your policies

92. Policy tools – Visual policy editor
Point and click your way through granting permissions in AWS
 Create and modify IAM policies
 Select from a list of AWS services
 Select from a list of available actions
 Explore services and actions with inline documentation
 Understand the resources you can specify for service actions
 Select from a list of available conditions for actions you select
 Easily include dependent actions required to perform tasks in AWS
 Import existing policies and modify

93. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Goal: You have an existing policy that enables developers to use
the EC2 console to:
• Start, stop, and terminate instances with a specific tag
Situation: It does not work (oh, bother!)
Pro tip! Use policy summaries and the editor to correct your
existing policies
Demo: Correct an Existing Policy

94. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{ "Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "arn:aws:ec2:region:account-id:security-group/sg-12345678"
},
{ "Effect": "Allow",
"Action": ["elasticloadbalancing:Describe*", "cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics", "cloudwatch:Describe*",
"autooooooscaling:Describe*"
],
"Resource": "*"
}, <continued>
Existing policy – Does not work

95. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
…{
"Effect": "Allow",
"Action": ["ec2:StartInstances", "ec2:StopInstances"],
"Condition": {
"StringEquals": {
"ec2:CrazyTags/project": “poker"
}
},
"Resource": "*"
}
]
}
Proposed policy – Does not work

96. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
We found four issues:
1. Typo in our services
2. Mismatch of supported resource and action
3. Condition key not supported
4. Missing actions
Demo: Correct an existing policy

97. Recap
Review of IAM policy language
Review of how policies work together to control
access
Policy tools – Create, test, and correct policies
Policy Foo – Ninja moves with EC2
Additional resources

98. Policy Foo – Access control with tags
Tags and EC2

99. Policy Foo – Access control with tags
Tags and EC2
Control how
users can add
tags

100. Policy Foo – Access control with tags
Tags and EC2
Control which
tags users can
create
Control how
users can add
tags

101. Policy Foo – Access control with tags
Tags and EC2
Control which
tags users can
create
Control which
resources users can
tag
Control how
users can add
tags

102. Policy Foo – Access control with tags
Tags and EC2
Control which
tags users can
create
Control which
resources users can
tag
Control how
users can add
tags
Control access
to resources
based on tags

103. Policy Foo – Access control with tags
Tags and EC2
Control which
tags users can
create
Control which
resources users can
tag
Control how
users can add
tags
Control access
to resources
based on tags

104. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Goal: Allow Casey to launch instances only if he specifies a project
tag with values blackjack or poker.
Demo: Permissions with tags
project=poker

105. Permissions overview
Allow adding tags only during instance launch
Require specific tags with values at instance launch
Bonus: Allow modify and create specific tags and
resources

106. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": “RunInstances"
}
}
}]
}
Policy: Create tag with RunInstances
Allows creation of tags
But only during
RunInstances calls

107. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{ "Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": ["arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*::image/*"]
}, {
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": ["arn:aws:ec2:*:*:instance/*"],
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": ["project", "name"]},
"StringEquals": {
"aws:RequestTag/project": ["blackjack", "poker"],
"ec2:InstanceType": "t2.micro“ }
}}]}
Policy: Require tags at launch
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:RunInstances" ],
"Resource": ["arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*::image/*"
],
"Condition": {
"StringLikeIfExists": {
"ec2:InstanceType": "t2.*"}
}
}]}
Previous Updated

108. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{ "Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": ["arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*::image/*"]
}, {
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": ["arn:aws:ec2:*:*:instance/*"],
"Condition": { "ForAllValues:StringEquals": {
"aws:TagKeys": ["project", "name"]},
"StringEquals": {
"aws:RequestTag/project": ["blackjack", "poker"],
"ec2:InstanceType": "t2.micro“ }
}}]}
Policy: Closer look at tagging conditions
Allows project and/or
name
Requires project with
one of these values
Requires instance to be
one of these sizes

109. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.

110. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.
project=poker
name=vegas

111. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.
project=poker
name=vegas

112. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.
project=poker
name=vegas
project=slots
name=vegas

113. Policy Foo – Challenge
“But how do I let Casey update tags on existing instances without also
allowing crazy tags?”
Goal: Allow Casey to create tags on resources tagged with one of his
projects and a name tag with any value.
Pro tip! Look at the conditions that EC2:CreateTags supports.
project=poker
name=vegas
project=slots
name=vegas

114. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/project": ["blackjack","poker"]
},
"ForAllValues:StringEquals": {
"aws:TagKeys": ["project","name"]
},
"StringEqualsIfExists": {
"aws:RequestTag/project": ["blackjack","poker"]
}}}]}
Policy: Control tags using EC2
Only tag resources with
these tags
Tag with either of these
keys
For project, you specify
only these values
Allow users to create tags on resources tagged with
project=blackjack or project=poker and only tag with project or
name. If they use project, they must use blackjack or poker.

115. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS IAM Policy Ninja
Disclaimer: Not really. This is not a real certification, but thank you for staying until the end. 

116. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Additional resources
AWS Security Blog: Announcements, use cases, and best practices
https://aws.amazon.com/blogs/security/

117. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!