If you have ever wondered how best to scope down permissions in your account, this in-depth look at the AWS Access Control Policy language is for you. We start with the basics of the policy language and how to create policies for users and groups. We look at how to use policy variables to simplify policy management. Finally, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket, allowing an IAM user to manage their own credentials and passwords, and more.

3. Demo

5. Amazon S3 Read-Only Access Template
Example of an IAM user/group/role access policy
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:Get*", "s3:List*"],
"Resource": "*"
}
]
}

6. {
"Statement":[{
"Effect":"effect",
"Principal":"principal",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value" }
}
}
]
}
Principal
Action
Resource
Conditions
Effect: Allow
Principal:123456789012:user/bob
Action: s3:*
Resource: jeff_bucket/*
Condition: Referer= example.com
Effect: Deny
Principal:123456789012:user/brad
Action: s3:DeleteBucket
Resource: jeff_bucket
Condition: Referer= example.com

7. <!--Everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!--Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!--Individual IAM user -->
"Principal":"AWS":"arn:aws:iam::123456789012:user/username"
<!--Federated user (using web identity federation) -->
"Principal":{"Federated":"www.amazon.com"}
"Principal":{"Federated":"graph.facebook.com"}
"Principal":{"Federated":"accounts.google.com"}
<!--Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!--Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Replace with your account number

8. <!--EC2 action -->
"Action":"ec2:StartInstances"
<!--IAM action -->
"Action":"iam:ChangePassword"
<!--S3 action -->
"Action":"s3:GetObject"
<!--Specify multiple values for the Action element-->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<--Use wildcards (* or ?) as part of the action name. This would cover Create/Delete/List/Update-->
"Action":"iam:*AccessKey*"

9. {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]
}
or
This is not a Deny. A user could still have a separate policy that grants IAM:*
If you want to prevent the user from ever being able to call IAM APIs, use an explicit deny
Notice the difference?

10. {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]
}
Even more strict
Grants only what you want while ensuring you’re always denying what you don’t want granted.

11. <--S3 Bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<--SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<--Multiple DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<--All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"

12. {
"Statement":
{
"Sid":"Queue1_SendMessage",
"Effect": "Allow",
"Principal": {"AWS": "111122223333"},
"Action": "sqs:SendMessage",
"Resource":
"arn:aws:sqs:us-east-1:444455556666:queue1"
}
}
Principal required here

13. Condition Element
Condition 1:
Key1: Value1A
Condition 2:
Key3: Value3A
AND
AND
Key2: Value2A ORValue2B
OR
OR
Value1B Value 1C

14. "Condition" : {
"DateGreaterThan" : {"aws:CurrentTime" : "2014-11-13T12:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2014-11-13T15:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
Allows a user to access a resource under the following conditions:
•The time is after 12:00 p.m. on 11/13/2014
•The time is before 3:00 p.m. on 11/13/2014
•The request comes from an IP address in the 192.0.2.0 /24 or 203.0.113.0 /24 range
AND
OR

16. {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::myBucket"],
"Condition":
{"StringLike":
{"s3:prefix":["home/${aws:userid}/*"]}
}
},
{
"Effect":"Allow",
"Action":["s3:*"],
"Resource": ["arn:aws:s3:::myBucket/home/${aws:userid}",
"arn:aws:s3:::myBucket/home/${aws:userid}/*"]
}
]
}
Version is required
Variable in conditions
Variable in resource ARNs
Grants a user access to a home directory in Amazon S3 that can be accessed programmatically

17. Giving a User a Home Directory From the Amazon
S3 Console
{
"Version": "2012-10-17",
"Statement": [
{"Sid": "AllowGroupToSeeBucketListInTheManagementConsole",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::*"]},
{"Sid": "AllowRootLevelListingOfThisBucketAndHomePrefix",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::myBucket"],
"Condition":{"StringEquals":{"s3:prefix":["","home/"],"s3:delimiter":["/"]}}},
{"Sid": "AllowListBucketofASpecificUserPrefix",
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::myBucket"],
"Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}},
{"Sid":"AllowUserFullAccesstoJustSpecificUserPrefix",
"Action":["s3:*"],
"Effect":"Allow",
"Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
"arn:aws:s3:::myBucket/home/${aws:username}/*"]}
]
}
Necessary to
access the
Amazon S3 console
Allows listing all
objects in a folder +
its subfolders
Allows modifying
objects in the folder
+ subfolders

18. Demo

19. {
"Version": "2012-10-17",
"Statement": [{
"Sid": "ViewListOfAllUsers",
"Action": ["iam:ListUsers"],
"Effect": "Allow",
"Resource": ["arn:aws:iam::123456789012:user/*"]
},
{
"Sid": "AllowUserToSeeListOfOwnStuff",
"Action": ["iam:GetUser","iam:GetLoginProfile",
"iam:ListGroupsForUser","iam:ListAccessKeys"],
"Effect": "Allow",
"Resource": ["arn:aws:iam::123456789012:user/${aws:username}"]
}
]
}
•Underneath the covers, the IAM console calls these APIs
•Keep in mind the user will be able to viewlimited details about all users
•The IAM user will not be able to modify the other IAM users’ settings
•Alternatively, use the CLI

20. {
"Version": "2012-10-17",
"Statement": [
{
"Action": ["iam:*AccessKey*","iam:*SigningCertificate*"],
"Effect": "Allow",
"Resource": ["arn:aws:iam::123456789012:user/${aws:username}"]
}
]
}

21. {
"Version": "2012-10-17",
"Statement": [
{
"Action": ["iam:CreateVirtualMFADevice","iam:DeleteVirtualMFADevice"],
"Effect": "Allow",
"Resource": "arn:aws:iam::123456789012:mfa/${aws:username}"
},
{
"Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice",
"iam:ListMFADevices", "iam:ResyncMFADevice"],
"Effect": "Allow",
"Resource": "arn:aws:iam::123456789012:user/${aws:username}"
},
{
"Action": ["iam:ListVirtualMFADevices"],
"Effect": "Allow",
"Resource": "arn:aws:iam::123456789012:mfa/*"
}
]
}

22. Demo

24. {
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:TerminateInstances"],
"Resource":"*"
}
]
}
Tell me there is a better way.

25. {
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:TerminateInstances"],
"Resource":
"arn:aws:ec2:us-east-1:123456789012:instance/i-abc12345"
}
]
}

26. {
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:TerminateInstances"],
"Resource":
"arn:aws:ec2:us-east-1:123456789012:instance/*"
}
]
}

27. {
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:TerminateInstances"],
"Resource":
"arn:aws:ec2:us-east-1:123456789012:instance/*",
"Condition": {
"StringEquals": {"ec2:ResourceTag/department": "dev"}
}
}
]
}

28. •Customer gateway
•DHCP options set
•Image
•Instance
•Instance profile
•Internet gateway
•Key pair
•Network ACL
•Network interface
•Placement group
•Route table
•Security group
•Snapshot
•Subnet
•Volume
•VPC
•VPC peering connection
Supports many different resource types, including:

29. Type of Resource
Actions
EC2 Instances
RebootInstances,RunInstance, StartInstances, StopInstances, TerminateInstances
Customer gateway
DeleteCustomerGateway
DHCP Options Sets
DeleteDhcpOptions
Internet Gateways
DeleteInternetGateway
Network ACLs
DeleteNetworkAcl, DeleteNetworkAclEntry
Route Tables
DeleteRoute, DeleteRouteTable
Security Groups
AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress,
DeleteSecurityGroup, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress
Volumes
AttachVolume, DeleteVolume, DetachVolume
VPC Peering Connections
AcceptVpcPeeringConnection, CreateVpcPeeringConnection, DeleteVpcPeeringConnection, RejectVpcPeeringConnection
Accurate as of 11/13/2014
Note: This is only a subsetof all possible Amazon EC2 actions

31. Demo

32. {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "THISALLOWSEC2READACCESS",
"Effect": "Allow",
"Action": ["ec2:Describe*","elasticloadbalancing:Describe*",
"cloudwatch:ListMetrics","cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*","autoscaling:Describe*"],
"Resource": "*"
},
{
"Sid": "THISLIMITSACCESSTOOWNINSTANCES",
"Effect": "Allow",
"Action": ["ec2:RebootInstances","ec2:StartInstances",
"ec2:StopInstances","ec2:TerminateInstances"],
"Resource":"arn:aws:ec2:us-east-1:123456789012:instance/*",
"Condition": {"StringEquals":
{"ec2:ResourceTag/Owner": "${aws:username}"}}
}
]
}
Version is required here because we’re using variables
Only allowed if this tag condition is true
Use a variable for the owner tag
Allows seeing everything from the Amazon EC2 console.

33. Ready for a quiz?

34. {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SorryThisIsNotGoingToWorkAsExpected",
"Effect": "Allow",
"Action": ["ec2:*"],
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
}
]
}
Why doesn’t this work?
Problem: Not all Amazon EC2 actions support resource-level permissions

35. {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Thiswillwork",
"Effect": "Allow",
"Action": ["ec2:*"],
"Resource": "*"
}
]
}
Solution: Change the resource to *

36. {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ThisWillNotWork",
"Effect": "Allow",
"Action": [
"ec2:RunInstances","ec2:TerminateInstances",
"ec2:StopInstances","ec2:StartInstances",
"ec2:Describe*"
],
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
}
]
}
Why doesn’t this work?
Problem: None of the ec2:Describe* actions support resource-level permissions

37. {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": ["ec2:Describe*"],
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:RunInstances","ec2:TerminateInstances",
"ec2:StopInstances","ec2:StartInstances"
],
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
}
]
}
Solution: Put ec2:Describe* into a separate block.

38. {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": ["ec2:Describe*"],
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:RunInstances","ec2:TerminateInstances",
"ec2:StopInstances","ec2:StartInstances"
],
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
}
]
}
So will this work now?
No

39. {
"Version": "2012-10-17",
"Statement": [{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": ["ec2:Describe*"],
"Resource": "*"},
{
"Sid": "ThisActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": [
"arn:aws:ec2:us-east-1:accountid:instance/*",
"arn:aws:ec2:us-east-1:accountid:key-pair/*",
"arn:aws:ec2:us-east-1:accountid:security-group/*",
"arn:aws:ec2:us-east-1:accountid:volume/*",
"arn:aws:ec2:us-east-1::image/ami-*"]},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"],
"Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
}
]
To run an EC2 instance, you also need access to an Amazon EC2 key pair, a security group, an EBS volume, and an AMI
.

41. Final decision =“deny”
(explicit deny)
Yes
Final decision =“allow”
Yes
No
Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
Applicable
policies
2
Is there an
explicit
deny?
3
No
Final decision =“deny”
(default deny)
5
•AWS retrieves all policies associated with the user and resource
•Only policies that match the action & conditions are evaluated
•If a policy statement has a deny, it trumps all other policy statements
•Access is granted if there is an explicit allow and no deny
•By default, a implicit (default) deny is returned

43. http://aws.amazon.com/documentation/iam/ http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api- permissions.htmlDemystifying- EC2-Resource-Level-PermissionsGranting-Users-Permission-to-Work-in-the-Amazon-EC2-Consolehttp://aws.amazon.com/iamhttps://forums.aws.amazon.com/forum.jspa?forumID=76

44. Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals