SlideShare a Scribd company logo

AWS IAM policies in plain english

B
Bogdan Naydenov

AWS IAM policies in plain english presentation given by Bogdan Naydenov on AWSBulgaria meetup user group on May 16 2017

Engineering
1 of 32
Download to read offline
AWS IAM Policies in plain English Bogdan Naydenov Part of AWS All Stars Certified Elite, 16 May 2017 #AWSBulgaria User Group
Who am I Bogdan Naydenov AWS All 5 AWS Certificates holder currently Architect at Progress Software - Platform DevOps team Mostly Operational background with more than 19 years of IT experience https://www.linkedin.com/in/bnaydenov @BobbyNaydenov
Overview In the beginning... there is the natural, general flow of working with IAM policies ● develop app feature ● deploy to AWS ● realize you need IAM ● get overwhelmed by docs ● begin copy and pasting example policies to fit your app ● bashing your head and fingers against the keyboard until it works
Simple Policy { "Version": "2012-10-17", "Id": "some-unique-id", "Statement": { "Sid": "1", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111222333444:user/naydenov"}, "Action": [ "s3:PutObject", "s3:Get*" ], "Resource": "arn:aws:s3:::s3-bucket_name/*", "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2017-05-17T00:00:00Z" } } } }
What is an AWS IAM Policy? “A set of rules that, under the correct conditions, define what actions the policy principal or holder can take to specified AWS resources.”
How about this in plain English? Who can do what to which resources. When do we care?
The "Who"? "Who" is trying to do stuff? This can be a User, Groups of users and "roles." The first two are self-explanatory. The last one “roles” is just allows us to let other things, like EC2 servers, become the "Who”. (We can also allow for federated users to be the "who" but we won't dive into that.) "Principal": {"AWS": "arn:aws:iam::111222333444:user/naydenov"}
The "Who" aka Principal? For IAM Users and Roles, we just grab its ARN (found in the IAM console or returned in the CLI) and follow the format of: "Principal": {"AWS": "<ARN OF YOUR IAM USER OR ROLE BUT NOT GROUPS>"} "Principal": { "AWS" : "arn:aws:iam::111222333444:user/naydenov" } "Principal": { "Service": "ec2.amazonaws.com" }
NOW. HUGE Gotcha? If we're making and attaching policies to IAM users, groups and roles, the principal (or Who) isn't needed. That's because when you attach a policy to an IAM user for example, the policy assumes that the user who we've attached the policy to is the principal.
The "Who" Users vs The "Who"Resources? What's the difference between attaching a policy to an IAM user vs a resource like an S3 bucket? If the policy is attached to the user, group or role it's like a permission slip. If it's attached to the resource, it's like a VIP list.
AWS Roles and Principals? Even though IAM users and groups imply a "who" on their permission policy, IAM roles do so only after we've specified the who via a "Trust Policy." Therefore, when creating a role we have to pass it these two separate policy documents: 1) The "Trust Policy" is a policy that does nothing more than state "who" can assume this role. Yes, they look exactly like normal policies. 2) The Permissions Policy is just what we've shown so far. "What" actions can the owner of this role take to "which" resources?
AWS Roles and Principals? IF we're creating IAM roles in the console, guess what? We don't really worry about the first policy. Instead, when creating a role we select a service that will serve as the who: This sets up that first "trust policy" document for us. Then we attach a policy to the role like we would a user or group.
AWS Roles and Principals? For the CLI (or CloudFormation, Terraform) however, we have to do both steps. Let's say we want to create a role for AWS CodePipeline. To do so we first need to create the role with the following "trust policy": { "Version":"2012-10-17", "Statement": { "Effect":"Allow", "Principal": { "Service": "codepipeline.amazonaws.com" }, "Action":"sts:AssumeRole" } }
AWS Roles and Principals? aws iam create-role --role-name CodePipelineExampleRole --assume-role-policy-document '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Principal":{"Service":"codepipeline.amazonaws.com" },"Action":"sts:AssumeRole"}}' aws iam put-role-policy --role-name CodePipelineExampleRole --policy-name CodePipelineExamplePolicy --policy-document file://some-policy.json
The "What"? "What" actions can the "Who" take? Run EC2 instances? Put objects to S3? Put logs to cloud watch? "Action": [ "s3:PutObject", "s3:Get*" ]
The "What"? The format of action is a string or array of actions that take the format of: <service>:<action in service> If unsure of what the needs are and have a safe AWS development environment, keep the actions general (via the wildcard * operator) and then cherry pick the ones you need when the service is fully built. "s3:Get*" List of all actions by services
The "Which"? "What" actions can the "Who" take on "Which" resources? So the "Who" can put and get objects to S3? But to which S3 buckets? All of them? Only ones in us-east-1? "Resource": "arn:aws:s3:::s3-bucket_name/*"
The "Which"? Quick aside - the anatomy of an ARN, Amazon Resource Name, is as follows arn:aws:[service]:[region]:[account]:resourceType/resourcePath { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::s3-bucket/${aws:username}/*" } ] }
The "Which"? The ${aws:username}, and all policy variables, are data that are sent up with requests. There's a variety of them like aws:CurrentTime or aws:SourceIp. A full list is here: Policy Variables List A note on resource in context of S3. IAM policies can imply the "who" or the prinicpal when we attach a policy to them. One might think that a bucket would imply the resource be itself. However, it doesn't. When attaching a policy to an S3 bucket (aka bucket policy), we must still specify the resource, which is always the S3 bucket optionally followed by nested folders/objects within.
The "When"? "When do we care? If the IP matches a certain range of IPs? If the date-time is before a particular day? If the AWS user's username includes the given string? "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2017-05-17T00:00:00Z" } }
The "When"? "When" can our Prinicpal take actions on a resource? When conditions permit. In plain english: "Condition": { "<What's the comparison we're making?>": { "<Value being passed in the request>": "<Value to compare against>" } }
The When? "Resource": "arn:aws:s3:::s3-bucket/*", "Condition": { "IpAddress": { "aws:SourceIp": "123.123.123.123/32" }, "DateGreaterThan": { "aws:CurrentTime": "2017-05-15T00:00:00Z" } }
The When? Condition Operators What comparison are we making? A string comparison? An IP comparison? A username comparison? Each of these have a special operator. The condition operators in previous example are IpAddress and DateGreaterThan. A list of condition operators to be used can be found here.
The When? Condition Keys These are the AWS ready values about the current request trying to pass the policy. When a request comes through, AWS makes a variety of these "keys" available for use within our policies. We saw two above aws:SourceIp and aws:CurrentTime - and as mentioned in the Resource section, these are also known as Policy Variables Link to AWS Global Condition Keys
The When? Condition Values This is simply the value that we're looking to compare against. So in this example: The only real note here is that within these values we can also use Policy Variables, the wildcard character (*) to denote any string and the question mark (?) to denote any one character. { "Condition": { "ArnEquals": { "ec2:Vpc": "arn:aws:ec2:us-east-?::vpc/*" }, "StringLike": { "ec2:ResourceTag/name": "*-${aws:username}" } } }
The When? Or this one { "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:Region": "us-east-1" }, "ArnEquals": { "ec2:Vpc": "ARN of VPC" } } } ] }
`Not` Versions of Policies Resource, Action and Principal have a reverse: NotResource NotAction NotPrincipal As you might suspect, they just specify what it does NOT apply to !!! just stick with positives if possible.
Explained - Simple Policy { "Version": "2012-10-17", "Id": "some-unique-id", "Statement": { "Sid": "1", "Effect": "Allow", Who "Principal": {"AWS": "arn:aws:iam::111222333444:user/naydenov"}, What "Action": [ "s3:PutObject", "s3:Get*" ], Which "Resource": "arn:aws:s3:::s3-bucket_name/*", When "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2017-05-17T00:00:00Z" } } } }
ReCap An IAM policy: A set of rules that, under the correct conditions, define what actions the policy principal or holder can take to specified AWS resources. Or more simply put: Who can do what to which resources. When do we care?
Using Policies ● create the policy ● attach it to a user, group, role or resource. For IAM Users, Groups and Roles, you'll create your policy and then simply attach it to one of the three. The CLI experience obviously requires some different steps, but the concept is still same. For Resources like S3 Buckets, you'll directly attach policies generally in that service's API or console interface.
Final Thoughts “begin with the end in mind” Literally ask yourself and team: Who can do what to which resources. When do we care?
List of all actions by services Policy Variables List A list of condition operators to be used can be found here Link to AWS Global Condition Keys Resources used

Recommended

Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAMKnoldus Inc.
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSAmazon Web Services
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM IntroductionAmazon Web Services
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best PracticesAmazon Web Services
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionErnest Chiang
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
Amazon API Gateway
Amazon API GatewayAmazon API Gateway
Amazon API GatewayAmazon Web Services
 

Recommended

Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAMKnoldus Inc.
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSAmazon Web Services
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM IntroductionAmazon Web Services
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best PracticesAmazon Web Services
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionErnest Chiang
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
Amazon API Gateway
Amazon API GatewayAmazon API Gateway
Amazon API GatewayAmazon Web Services
 
Become an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaBecome an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Aws IAM
Aws IAMAws IAM
Aws IAMChamali Liyanage
 
AWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Introduction of AWS KMS
Introduction of AWS KMSIntroduction of AWS KMS
Introduction of AWS KMSRicardo Schmidt
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Web Services
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
AWS IAM
AWS IAMAWS IAM
AWS IAMDiego Pacheco
 
Serverless computing with AWS Lambda
Serverless computing with AWS Lambda Serverless computing with AWS Lambda
Serverless computing with AWS Lambda Apigee | Google Cloud
 
GuardDuty Hands-on Lab
GuardDuty Hands-on LabGuardDuty Hands-on Lab
GuardDuty Hands-on LabAmazon Web Services
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIsAmazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAMAmazon Web Services
 
[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안
[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안
[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안BESPIN GLOBAL
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon Web Services
 
AWS Lambda Features and Uses
AWS Lambda Features and UsesAWS Lambda Features and Uses
AWS Lambda Features and UsesGlobalLogic Ukraine
 
Deep Dive into AWS SAM
Deep Dive into AWS SAMDeep Dive into AWS SAM
Deep Dive into AWS SAMAmazon Web Services
 
Getting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and ServerlessGetting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and ServerlessAmazon Web Services
 
Intro to Amazon ECS
Intro to Amazon ECSIntro to Amazon ECS
Intro to Amazon ECSAmazon Web Services
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and securityErik Paulsson
 
best aws training in bangalore
best aws training in bangalorebest aws training in bangalore
best aws training in bangalorerajkamal560066
 
Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101Goran Karmisevic
 

More Related Content

What's hot

Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
AWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
Serverless computing with AWS Lambda
Serverless computing with AWS Lambda Serverless computing with AWS Lambda
Serverless computing with AWS Lambda Apigee | Google Cloud
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIsAmazon Web Services
 
[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안
[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안
[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안BESPIN GLOBAL
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon Web Services
 
Getting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and ServerlessGetting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and ServerlessAmazon Web Services
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and securityErik Paulsson
 

What's hot (20)

Become an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaBecome an AWS IAM Policy Ninja
Become an AWS IAM Policy Ninja
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Aws IAM
Aws IAMAws IAM
Aws IAM
 
AWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS SummitAWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
AWS Networking Fundamentals - SVC304 - Anaheim AWS Summit
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Introduction of AWS KMS
Introduction of AWS KMSIntroduction of AWS KMS
Introduction of AWS KMS
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets Manager
 
AWS IAM
AWS IAMAWS IAM
AWS IAM
 
Serverless computing with AWS Lambda
Serverless computing with AWS Lambda Serverless computing with AWS Lambda
Serverless computing with AWS Lambda
 
GuardDuty Hands-on Lab
GuardDuty Hands-on LabGuardDuty Hands-on Lab
GuardDuty Hands-on Lab
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안
[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안
[AWS & 베스핀글로벌, 바이오∙헬스케어∙제약사를 위한 세미나] AWS 클라우드 보안
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
 
AWS Lambda Features and Uses
AWS Lambda Features and UsesAWS Lambda Features and Uses
AWS Lambda Features and Uses
 
Deep Dive into AWS SAM
Deep Dive into AWS SAMDeep Dive into AWS SAM
Deep Dive into AWS SAM
 
Getting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and ServerlessGetting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and Serverless
 
Intro to Amazon ECS
Intro to Amazon ECSIntro to Amazon ECS
Intro to Amazon ECS
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and security
 

Similar to AWS IAM policies in plain english

best aws training in bangalore
best aws training in bangalorebest aws training in bangalore
best aws training in bangalorerajkamal560066
 
Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101Goran Karmisevic
 
Mastering Access Control Policies
Mastering Access Control PoliciesMastering Access Control Policies
Mastering Access Control PoliciesAmazon Web Services
 
Amazon Web Services Security
Amazon Web Services SecurityAmazon Web Services Security
Amazon Web Services SecurityJason Chan
 
ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...
ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...
ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...Ortus Solutions, Corp
 
Development in the could: How do we do it(Cloud computing. Microservices. Faas)
Development in the could: How do we do it(Cloud computing. Microservices. Faas)Development in the could: How do we do it(Cloud computing. Microservices. Faas)
Development in the could: How do we do it(Cloud computing. Microservices. Faas)Preply.com
 
The Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information SecurityThe Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information SecurityAmazon Web Services
 
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...Amazon Web Services
 
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...Amazon Web Services
 
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or LessAmazon Web Services
 
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Amazon Web Services
 
Deep Dive into AWS SAM: re:Invent 2018 Recap at the AWS Loft - San Francisco
Deep Dive into AWS SAM: re:Invent 2018 Recap at the AWS Loft - San FranciscoDeep Dive into AWS SAM: re:Invent 2018 Recap at the AWS Loft - San Francisco
Deep Dive into AWS SAM: re:Invent 2018 Recap at the AWS Loft - San FranciscoAmazon Web Services
 
IaaS with ARM templates for Azure
IaaS with ARM templates for AzureIaaS with ARM templates for Azure
IaaS with ARM templates for AzureChristoffer Noring
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Amazon Web Services
 
Getting Started with AWS IoT - IOT203 - re:Invent 2017
Getting Started with AWS IoT - IOT203 - re:Invent 2017Getting Started with AWS IoT - IOT203 - re:Invent 2017
Getting Started with AWS IoT - IOT203 - re:Invent 2017Amazon Web Services
 
IOT203_Getting Started with AWS IoT
IOT203_Getting Started with AWS IoTIOT203_Getting Started with AWS IoT
IOT203_Getting Started with AWS IoTAmazon Web Services
 
Integrating Jira Software Cloud With the AWS Code Suite
Integrating Jira Software Cloud With the AWS Code SuiteIntegrating Jira Software Cloud With the AWS Code Suite
Integrating Jira Software Cloud With the AWS Code SuiteAtlassian
 

Similar to AWS IAM policies in plain english (20)

best aws training in bangalore
best aws training in bangalorebest aws training in bangalore
best aws training in bangalore
 
Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101
 
Mastering Access Control Policies
Mastering Access Control PoliciesMastering Access Control Policies
Mastering Access Control Policies
 
Amazon Web Services Security
Amazon Web Services SecurityAmazon Web Services Security
Amazon Web Services Security
 
Policy Ninja
Policy NinjaPolicy Ninja
Policy Ninja
 
ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...
ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...
ITB2019 Build Fine-Grained Control of Amazon Web Services in Your CFML App - ...
 
Development in the could: How do we do it(Cloud computing. Microservices. Faas)
Development in the could: How do we do it(Cloud computing. Microservices. Faas)Development in the could: How do we do it(Cloud computing. Microservices. Faas)
Development in the could: How do we do it(Cloud computing. Microservices. Faas)
 
The Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information SecurityThe Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information Security
 
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration...
 
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
 
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
 
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
 
Deep Dive into AWS SAM: re:Invent 2018 Recap at the AWS Loft - San Francisco
Deep Dive into AWS SAM: re:Invent 2018 Recap at the AWS Loft - San FranciscoDeep Dive into AWS SAM: re:Invent 2018 Recap at the AWS Loft - San Francisco
Deep Dive into AWS SAM: re:Invent 2018 Recap at the AWS Loft - San Francisco
 
IaaS with ARM templates for Azure
IaaS with ARM templates for AzureIaaS with ARM templates for Azure
IaaS with ARM templates for Azure
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
 
Becoming an IAM Policy Ninja
Becoming an IAM Policy NinjaBecoming an IAM Policy Ninja
Becoming an IAM Policy Ninja
 
Policy Ninja
Policy NinjaPolicy Ninja
Policy Ninja
 
Getting Started with AWS IoT - IOT203 - re:Invent 2017
Getting Started with AWS IoT - IOT203 - re:Invent 2017Getting Started with AWS IoT - IOT203 - re:Invent 2017
Getting Started with AWS IoT - IOT203 - re:Invent 2017
 
IOT203_Getting Started with AWS IoT
IOT203_Getting Started with AWS IoTIOT203_Getting Started with AWS IoT
IOT203_Getting Started with AWS IoT
 
Integrating Jira Software Cloud With the AWS Code Suite
Integrating Jira Software Cloud With the AWS Code SuiteIntegrating Jira Software Cloud With the AWS Code Suite
Integrating Jira Software Cloud With the AWS Code Suite
 

Recently uploaded

power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and usesDevarapalliHaritha
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxDeepakSakkari2
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxbritheesh05
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.eptoze12
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 

Recently uploaded (20)

power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examplesPOWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examples
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Biology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptxBiology for Computer Engineers Course Handout.pptx
Biology for Computer Engineers Course Handout.pptx
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptx
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.Oxy acetylene welding presentation note.
Oxy acetylene welding presentation note.
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 

AWS IAM policies in plain english

  • 1. AWS IAM Policies in plain English Bogdan Naydenov Part of AWS All Stars Certified Elite, 16 May 2017 #AWSBulgaria User Group
  • 2. Who am I Bogdan Naydenov AWS All 5 AWS Certificates holder currently Architect at Progress Software - Platform DevOps team Mostly Operational background with more than 19 years of IT experience https://www.linkedin.com/in/bnaydenov @BobbyNaydenov
  • 3. Overview In the beginning... there is the natural, general flow of working with IAM policies ● develop app feature ● deploy to AWS ● realize you need IAM ● get overwhelmed by docs ● begin copy and pasting example policies to fit your app ● bashing your head and fingers against the keyboard until it works
  • 4. Simple Policy { "Version": "2012-10-17", "Id": "some-unique-id", "Statement": { "Sid": "1", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111222333444:user/naydenov"}, "Action": [ "s3:PutObject", "s3:Get*" ], "Resource": "arn:aws:s3:::s3-bucket_name/*", "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2017-05-17T00:00:00Z" } } } }
  • 5. What is an AWS IAM Policy? “A set of rules that, under the correct conditions, define what actions the policy principal or holder can take to specified AWS resources.”
  • 6. How about this in plain English? Who can do what to which resources. When do we care?
  • 7. The "Who"? "Who" is trying to do stuff? This can be a User, Groups of users and "roles." The first two are self-explanatory. The last one “roles” is just allows us to let other things, like EC2 servers, become the "Who”. (We can also allow for federated users to be the "who" but we won't dive into that.) "Principal": {"AWS": "arn:aws:iam::111222333444:user/naydenov"}
  • 8. The "Who" aka Principal? For IAM Users and Roles, we just grab its ARN (found in the IAM console or returned in the CLI) and follow the format of: "Principal": {"AWS": "<ARN OF YOUR IAM USER OR ROLE BUT NOT GROUPS>"} "Principal": { "AWS" : "arn:aws:iam::111222333444:user/naydenov" } "Principal": { "Service": "ec2.amazonaws.com" }
  • 9. NOW. HUGE Gotcha? If we're making and attaching policies to IAM users, groups and roles, the principal (or Who) isn't needed. That's because when you attach a policy to an IAM user for example, the policy assumes that the user who we've attached the policy to is the principal.
  • 10. The "Who" Users vs The "Who"Resources? What's the difference between attaching a policy to an IAM user vs a resource like an S3 bucket? If the policy is attached to the user, group or role it's like a permission slip. If it's attached to the resource, it's like a VIP list.
  • 11. AWS Roles and Principals? Even though IAM users and groups imply a "who" on their permission policy, IAM roles do so only after we've specified the who via a "Trust Policy." Therefore, when creating a role we have to pass it these two separate policy documents: 1) The "Trust Policy" is a policy that does nothing more than state "who" can assume this role. Yes, they look exactly like normal policies. 2) The Permissions Policy is just what we've shown so far. "What" actions can the owner of this role take to "which" resources?
  • 12. AWS Roles and Principals? IF we're creating IAM roles in the console, guess what? We don't really worry about the first policy. Instead, when creating a role we select a service that will serve as the who: This sets up that first "trust policy" document for us. Then we attach a policy to the role like we would a user or group.
  • 13. AWS Roles and Principals? For the CLI (or CloudFormation, Terraform) however, we have to do both steps. Let's say we want to create a role for AWS CodePipeline. To do so we first need to create the role with the following "trust policy": { "Version":"2012-10-17", "Statement": { "Effect":"Allow", "Principal": { "Service": "codepipeline.amazonaws.com" }, "Action":"sts:AssumeRole" } }
  • 14. AWS Roles and Principals? aws iam create-role --role-name CodePipelineExampleRole --assume-role-policy-document '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Principal":{"Service":"codepipeline.amazonaws.com" },"Action":"sts:AssumeRole"}}' aws iam put-role-policy --role-name CodePipelineExampleRole --policy-name CodePipelineExamplePolicy --policy-document file://some-policy.json
  • 15. The "What"? "What" actions can the "Who" take? Run EC2 instances? Put objects to S3? Put logs to cloud watch? "Action": [ "s3:PutObject", "s3:Get*" ]
  • 16. The "What"? The format of action is a string or array of actions that take the format of: <service>:<action in service> If unsure of what the needs are and have a safe AWS development environment, keep the actions general (via the wildcard * operator) and then cherry pick the ones you need when the service is fully built. "s3:Get*" List of all actions by services
  • 17. The "Which"? "What" actions can the "Who" take on "Which" resources? So the "Who" can put and get objects to S3? But to which S3 buckets? All of them? Only ones in us-east-1? "Resource": "arn:aws:s3:::s3-bucket_name/*"
  • 18. The "Which"? Quick aside - the anatomy of an ARN, Amazon Resource Name, is as follows arn:aws:[service]:[region]:[account]:resourceType/resourcePath { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::s3-bucket/${aws:username}/*" } ] }
  • 19. The "Which"? The ${aws:username}, and all policy variables, are data that are sent up with requests. There's a variety of them like aws:CurrentTime or aws:SourceIp. A full list is here: Policy Variables List A note on resource in context of S3. IAM policies can imply the "who" or the prinicpal when we attach a policy to them. One might think that a bucket would imply the resource be itself. However, it doesn't. When attaching a policy to an S3 bucket (aka bucket policy), we must still specify the resource, which is always the S3 bucket optionally followed by nested folders/objects within.
  • 20. The "When"? "When do we care? If the IP matches a certain range of IPs? If the date-time is before a particular day? If the AWS user's username includes the given string? "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2017-05-17T00:00:00Z" } }
  • 21. The "When"? "When" can our Prinicpal take actions on a resource? When conditions permit. In plain english: "Condition": { "<What's the comparison we're making?>": { "<Value being passed in the request>": "<Value to compare against>" } }
  • 22. The When? "Resource": "arn:aws:s3:::s3-bucket/*", "Condition": { "IpAddress": { "aws:SourceIp": "123.123.123.123/32" }, "DateGreaterThan": { "aws:CurrentTime": "2017-05-15T00:00:00Z" } }
  • 23. The When? Condition Operators What comparison are we making? A string comparison? An IP comparison? A username comparison? Each of these have a special operator. The condition operators in previous example are IpAddress and DateGreaterThan. A list of condition operators to be used can be found here.
  • 24. The When? Condition Keys These are the AWS ready values about the current request trying to pass the policy. When a request comes through, AWS makes a variety of these "keys" available for use within our policies. We saw two above aws:SourceIp and aws:CurrentTime - and as mentioned in the Resource section, these are also known as Policy Variables Link to AWS Global Condition Keys
  • 25. The When? Condition Values This is simply the value that we're looking to compare against. So in this example: The only real note here is that within these values we can also use Policy Variables, the wildcard character (*) to denote any string and the question mark (?) to denote any one character. { "Condition": { "ArnEquals": { "ec2:Vpc": "arn:aws:ec2:us-east-?::vpc/*" }, "StringLike": { "ec2:ResourceTag/name": "*-${aws:username}" } } }
  • 26. The When? Or this one { "Version":"2012-10-17", "Statement":[ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:Region": "us-east-1" }, "ArnEquals": { "ec2:Vpc": "ARN of VPC" } } } ] }
  • 27. `Not` Versions of Policies Resource, Action and Principal have a reverse: NotResource NotAction NotPrincipal As you might suspect, they just specify what it does NOT apply to !!! just stick with positives if possible.
  • 28. Explained - Simple Policy { "Version": "2012-10-17", "Id": "some-unique-id", "Statement": { "Sid": "1", "Effect": "Allow", Who "Principal": {"AWS": "arn:aws:iam::111222333444:user/naydenov"}, What "Action": [ "s3:PutObject", "s3:Get*" ], Which "Resource": "arn:aws:s3:::s3-bucket_name/*", When "Condition": { "DateGreaterThan": { "aws:CurrentTime": "2017-05-17T00:00:00Z" } } } }
  • 29. ReCap An IAM policy: A set of rules that, under the correct conditions, define what actions the policy principal or holder can take to specified AWS resources. Or more simply put: Who can do what to which resources. When do we care?
  • 30. Using Policies ● create the policy ● attach it to a user, group, role or resource. For IAM Users, Groups and Roles, you'll create your policy and then simply attach it to one of the three. The CLI experience obviously requires some different steps, but the concept is still same. For Resources like S3 Buckets, you'll directly attach policies generally in that service's API or console interface.
  • 31. Final Thoughts “begin with the end in mind” Literally ask yourself and team: Who can do what to which resources. When do we care?
  • 32. List of all actions by services Policy Variables List A list of condition operators to be used can be found here Link to AWS Global Condition Keys Resources used