This document provides an overview of becoming an expert at using IAM policies to control access to AWS resources. It discusses the key components of IAM policies including principals, actions, resources, and conditions. It also covers best practices for authoring, testing, and debugging policies. The document demonstrates how to create a policy that allows launching EC2 instances in specific regions and of specific types. It also shows how to decode the EC2 authorization message to help debug access issues.
1. Becoming an IAM Policy Ninja
Greg McConnel,
Solutions Architect
@2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
2. What to expect from the session
• Knowledge of how to better control access to AWS
resources.
• A deeper understanding of the AWS policy language.
• Tips for avoiding common mistakes.
3. Your first day as an IAM administrator
• Scenario: A user at your company has overly permissive Amazon EC2
privileges. He keeps launching unnecessarily large instance types in a bunch of
different regions.
• Goal: Create a new policy that allows him to launch EC2 instances, but only
• specific types: t2.* & m4.*
• and specific regions: us-west-2 & us-east-1
4.
5.
6. Identity-based
Permissions
Different Types of Policies/Permissions
Resource-based
Permissions
Resource-level
Permissions
user group
role
Trust
Policies
Amazon
SNS Amazon
SQS
Amazon
Glacier Amazon
S3
“Resource”: “arn:aws:s3:::bucket”
vs
“Resource”: “*”
AWSKMS
Tag-based
Permissions
“Condition”: { “StringEquals”: {
“ec2:ResourceTag/Owner”:
“${aws:username}”}}
7. Different Types of Policies/Permissions
Best resource to sort all this out:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
Or
Google “IAM services work”
Specifically for EC2: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-
ec2.html
8. Different types of Identity-based Policies
• Inline policies (the older way)
– You create and embed directly in a single user, group, or role
– Variable policy size (2K per user, 5K per group, 10K per role)
• Managed policies (newer way)
– Can be attached to multiple users, groups, and roles
– AWS managed policies (created and managed by AWS)
– Customer managed policies (created and managed by you)
• Up to 5K per policy
• Up to 5 versions
– You can limit who can attach managed policies
9. Protection from mistakes
• Policy:
• Deny delete of DynamoDB tables for all users
• Allow delete of DynamoDB tables that start with
the word “score” via a role that requires MFA and
external ID
• Delete through switch role in the console
• Delete through CLI
• An alternative option is to require MFA on the user
and group for deletes
Demo
@2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
https://aws.amazon.com/blogs/database/preventing-accidental-table-deletion-in-dynamodb/
11. The policy language
• Defines Who can do What to Which and When
• Two parts:
–Specification: Defining access policies
–Enforcement: Evaluating policies
15. Action (WHAT) – Examples
• Describes What you can and cannot do
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!– Amazon S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element-->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<-- Wildcards (* or ?) in the action name. Below covers create/delete/list/update-->
"Action":"iam:*AccessKey*"
Principal
Action
Resource
Condition
16. Understanding NotAction
• Lets you specify an exception to a list of actions
• Could result in shorter policies than using Action and exclude many actions
• Example: Let’s say you want to allow everything but IAM APIs
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]
}
or
This is not a Deny. A user could still have a
separate policy that grants IAM:*
If you want to prevent the user from ever being
able to call IAM APIs, use an explicit Deny.
Is there a
difference?
17. You can use Not for Resources and Principals too
18. Resource (WHICH) – Examples
• Which objects are impacted by the permission
• Statements must include either a Resource or a NotResource element
arn:aws:service:region:account-id:resource
arn:aws:service:region:account-id:resourcetype/resource
arn:aws:service:region:account-id:resourcetype:resource
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
Principal
Action
Resource
Condition
Replace
with your
account
number
19. Condition (WHEN) example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-01-01T11:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-31T15:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
• Allows a user to access a resource under the following conditions:
• The time is after 11:00 A.M. on 01/01/2017 AND
• The time is before 3:00 P.M. on 12/31/2017 AND
• The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24 range
• All of these conditions must be met in order for the statement to evaluate to TRUE.
AND
OR
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition• When does the permission get applied
20. Take advantage of IfExists conditional operator
• Many condition keys only exist for certain resource types.
• If you test for a nonexistent key, your policy will fail to evaluate (in other words,
access denied).
• You can add IfExists at the end of any condition operator except the Null
condition (for example, StringLikeIfExists).
• Allows you to create policies that “don’t care” if the key is not present.
21. Principal (WHO) – Examples
•
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Principal
Action
Resource
Condition
22. Principal (WHO) – Examples
•
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)
<!-- Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Replace
with your
account
number
Principal
Action
Resource
Condition
23. Mixing things up
• Role: No permissions (also it is very insecure and
is just for demo purposes – don’t try this at home!)
• Assume role, then read out the phrase in the file
“readme” in bucket nyloftdemo
• Account ID: 536768756927
• Role Name: nyloftdemo
• Bucket Name: nyloftdemo
• File: readme
Group
Demo
@2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
25. {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::myBucket"],
"Condition":
{"StringLike":
{"s3:prefix":["home/${aws:username}/*"]}
}
},
{
"Effect":"Allow",
"Action":["s3:*"],
"Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
"arn:aws:s3:::myBucket/home/${aws:username}/*"]
}
]
}
The anatomy of a policy with variables
Grants a user access to a home directory in S3 that can be accessed programmatically
26. {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::myBucket"],
"Condition":
{"StringLike":
{"s3:prefix":["home/${aws:username}/*"]}
}
},
{
"Effect":"Allow",
"Action":["s3:*"],
"Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
"arn:aws:s3:::myBucket/home/${aws:username}/*"]
}
]
}
The anatomy of a policy with variables
Grants a user access to a home directory in S3 that can be accessed programmatically
Version is required
Variable in conditions
Variable in resource ARNs
27. Mixing things up
• What is the Phrase?
• Questions
• Where is the permission to view the bucket and
open the file come from?
Group
Demo
@2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
29. Policy enforcement
• Remember policies can come from multiple places
• IAM users, roles and groups
• AWS resources (Amazon S3, Amazon SQS, Amazon SNS and
Amazon Glacier)
• Passed through federated user calls
• Well defined evaluation logic
• All requests denied by default
• Explicit Deny trump Allow
• Permissions are the union of all policies
30. Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
Final decision =“Allow”
Yes
No Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
No Final decision =“Deny”
(default Deny)
5
• AWS retrieves all policies
associated with the user and
resource.
• Only policies that match the action
and conditions are evaluated.
• If a policy statement
has a Deny, it
trumps all other
policy statements.
• Access is granted
if there is an
explicit Allow and
no Deny.
• By default, an
implicit (default)
Deny is returned.
31. Testing and Debugging
• Authoring – Policy Editor and Policy Generator
• Testing – Policy Simulator
• Debugging – Encoded Authorization Message – for EC2
37. Decoding the EC2 Authorization message
• Additional information about the
authorization status of a request
• The decoded message includes:
– Whether the request was denied due to
an explicit deny or absence of an explicit
allow.
– The principal who made the request.
– The requested action.
– The requested resource.
– The values of condition keys in the
context of the user's request.
The message is encoded because the details of the
authorization status can constitute privileged
information!
Launch Failed
You are not authorized to perform this operation. Encoded authorization
failure message: -VfI1U7UrRUcnnquJI-
_e0M8S92blCJyHwP7WFGG6ywdmofrR4VTe9i_ypEEZtD1jmgBQwTbpZX8
v6rB3e2h_-
EqsrvbjwKJ4ibYFYNmuMWU2ErOTOHHHQzwxlRxFpdP43IUP8zt6HT6b9t
uWXaCgaJeG3kZdcO6VRqjx_zr4gc9v51W1OVCU-
g94xuhPohfH9kCapGL82wamnjyfPDXCnWS26lKPx90FwZf9ALab5z2OKrzv
q5YMY7-
VgNPDfNxHCPZgFRaoVwZYBDJsiR4HQKHJxUE0KfroAPaTPzGajTWeKN
5OCRwogOrW8J5Q9XA2dQH3W8yTz9EHqo-nv8jRp-
EAzAUMaq28q92SfENj_gDCZ7KnJ217Ec-Ne-RLao_bmHNB7819Y_H-
WhFV3mXQAe76v5Dy6so9qx0-
x9RBy_sekHPjiMZ7z9QVIDQs0N3bUgBrGVCsbG5XxTb7oSI29JjpHmrr2Y
OG-
YJPHfeYsaoUget3jXYPRH8REX0MZv5I3OFrGVXk2nr2af3OIralo5gqFOIUA
YaEBT0z0SMnxq9oZKKonvEMA
38. Steps to Decode
• Use the decode-authorization command
– aws sts decode-authorization-message –encoded-message
"action": "ec2:RunInstances",
"resource": "arn:aws:ec2:us-west-2:185106362262:key-pair/work-aws-account-pdx",
"conditions": {"items": [{"key": "ec2:Region","values": {"items": [{"value": "us-west-2“}] } } ]}
Great reference: https://iam.cloudonaut.io/reference/ec2.html
39. Demo: Controlling access to EC2
• Goal: Create a policy that allows users to control EC2 instances, but:
• Only launch instances of specific types.
• Only launch instances in two specific regions.
• We’ll examine how to:
• Create an managed policy.
• Enable users to access the EC2 console.
• Use policy conditions to limit the users to the specified types and regions.