Sunday, June 25, 2017

AWS : IAM : Policy

A policy statement is made up of
  1. Effect : Allow or Deny
  2. Action : Ex : s3:CreateBucket ( very fine grained, one API call per action, wildcards like s3:* allowed )
  3. Resource : the ARN(s) the statement applies to, e.g. an S3 bucket, an EC2 instance, a DynamoDB table, or "*" for everything
  4. Condition : optional extra checks on the request, e.g. the region, the time of day, the source IP

Example .... (note the Condition: iam:PassedToService is only present in the request context for iam:PassRole, so combined with dynamodb:* as below it would never match. A condition on a key that is absent from the request evaluates to false, and the statement then allows nothing.)


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:dynamodb:us-west-2:23534566:table/Sales",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "application-autoscaling.amazonaws.com"
                }
            }
        }
    ]
}

Policy can be attached to
  1. Users
  2. Groups 
  3. or Roles.
Example : http://serverfault.com/questions/589150/is-it-possible-to-restrict-aws-users-accounts-to-a-specific-region
Ques : We always keep our resources in Region1 (non default), but when users launch instances they often launch in Region2 (the default region) and it's an unnecessary cost. Is there a way to restrict it ? (Aug 15)
Ans : Not in a global way, but for specific services yes

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1375943389569",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "eu-central-1"
                }
            }
        }
    ]
}

A statement can carry only one Action key; to restrict just instance launches use "ec2:RunInstances" (with the service prefix) instead of "ec2:*". The ec2:Region key is EC2-specific; AWS later added the global condition key aws:RequestedRegion, which does the same job for every service.

Process of Evaluating a Policy
  1. Evaluate all applicable policies (user, group and role policies together)
  2. Is there an explicit Deny ?
    1. YES : deny it
    2. NO
      1. Is there an explicit Allow ?
        1. YES : ok, allow it
        2. NO : by default everything is an implicit deny
  3. Much like a firewall
Ques : If I have a policy that has both an Allow and a Deny for the same action, which one takes precedence ?
Ans : Always the Deny (based on the algorithm above).
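The evaluation process above, and the region-restricted EC2 policy from the earlier question, worked through as an added example (this is not code from the original post or from AWS): a small Python evaluator that walks one or more policy documents and applies the explicit Deny > explicit Allow > implicit deny ordering. The policy documents, ARNs and request contexts in it are constructed; it models only Action/Resource wildcards and the StringEquals/StringLike operators, not the full AWS engine.

```python
"""Toy model of IAM identity-based policy evaluation (constructed example).

Covers Action/Resource matching with IAM's '*' and '?' wildcards, the
StringEquals / StringLike operators, and the ordering explicit Deny >
explicit Allow > implicit deny.  NotAction/NotResource, other operators,
resource-based policies, SCPs and permission boundaries are out of scope.
"""
import fnmatch
import json

EXPLICIT_DENY, ALLOW, IMPLICIT_DENY = "explicit deny", "allow", "implicit deny"


def _as_list(value):
    # IAM lets Action / Resource / condition values be a string or a list.
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value, case_insensitive=False):
    # IAM wildcards are '*' (any run) and '?' (one char); fnmatchcase uses the same.
    if case_insensitive:
        value = value.lower()
    for pattern in _as_list(patterns):
        if fnmatch.fnmatchcase(value, pattern.lower() if case_insensitive else pattern):
            return True
    return False


def _condition_holds(condition, context):
    """Operators are ANDed, keys within an operator are ANDed, values of one key
    are ORed.  A key absent from the request context never matches, which is why
    a condition on a key the action does not supply lets the statement allow nothing."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not _wildcard_match(wanted, actual):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Outcome for one request across all applicable policies (concatenate the
    user's, group's and role's policies into `policies`)."""
    context = context or {}
    effects = set()
    for policy in policies:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for stmt in _as_list(doc["Statement"]):
            if not _wildcard_match(stmt["Action"], action, case_insensitive=True):
                continue  # action names are case-insensitive in IAM
            if not _wildcard_match(stmt.get("Resource", "*"), resource):
                continue  # ARNs are matched case-sensitively
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            effects.add(stmt["Effect"])
    if "Deny" in effects:        # step 2: any explicit Deny wins
        return EXPLICIT_DENY
    if "Allow" in effects:       # step 2.2.1: otherwise an explicit Allow
        return ALLOW
    return IMPLICIT_DENY         # step 2.2.2: nothing matched


# Constructed sample policies: the region restriction, plus an S3 policy that
# allows everything but explicitly denies deleting any prod-* bucket.
REGION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringEquals": {"ec2:Region": "eu-central-1"}}}]}

S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::prod-*"}]}


def demo():
    """The checks a practitioner would run; returns {case: outcome}."""
    both = [REGION_POLICY, S3_POLICY]
    return {
        "launch in eu-central-1": evaluate(both, "ec2:RunInstances", "*", {"ec2:Region": "eu-central-1"}),
        "launch in us-east-1": evaluate(both, "ec2:RunInstances", "*", {"ec2:Region": "us-east-1"}),
        "delete prod bucket": evaluate(both, "s3:DeleteBucket", "arn:aws:s3:::prod-logs"),
        "delete dev bucket": evaluate(both, "s3:DeleteBucket", "arn:aws:s3:::dev-logs"),
        "dynamodb, no statement": evaluate(both, "dynamodb:GetItem",
                                           "arn:aws:dynamodb:eu-central-1:123456789012:table/Sales"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} -> {outcome}")
```

Feeding both policies to evaluate() at once is the point of step 1: the Deny on prod-* buckets wins even though another statement allows s3:*, and a RunInstances call outside eu-central-1, or one where the ec2:Region key is missing from the context, falls through to the implicit deny rather than being explicitly denied.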

Types of Policies
  1. Managed : a standalone object with its own ARN that can be attached to many users, groups or roles
    • AWS managed
    • or Customer managed
  2. Inline : embedded in a single user, group or role and has no separate existence


Ques : When would I want to use an 'Inline Policy' ?
Ans : To handle a one-off case. For example, a developer who creates many AWS resources and costs the company some extra money, so you want to restrict ONLY that developer.

Inline policies can be embedded (at creation time) in
  • Groups
  • Users
  • Roles
Please note that if I embed a policy in a role and the role is deleted, so is the inline policy.

Policy Versioning
It is automatic for customer managed policies; you don't have to do anything to enable it (inline policies have no versions).
As the screenshot showed, a managed policy can have a maximum of 5 versions, one of which is marked as the default.
Once you have 5 you must delete an old version before creating a new one; you can also delete policy versions at any time, except the default one.

Policy Simulator
A good way to test a policy before putting it in production.
Ex: you want to test whether a policy lets someone delete an S3 bucket. I could write a script that tries the deletion against an existing (or test) bucket, but the simulator is a much cleaner way, as nothing is actually deleted.

If we really want, we can also test a scenario against a combination of policies.

  1. Go to https://policysim.aws.amazon.com
  2. Log in to the AWS console
  3. Choose a user, group or role
  4. Clear the box next to each policy that you want to exclude from the test
  5. Under Policy Simulator select the services and actions
  6. In the Global Settings section enter the condition values (e.g. the region)
  7. Select Run Simulation

After clicking on a user on the LHS, we see its corresponding policies, each with a checkbox; we can then choose which 'combination' of policies we want to use for the simulation run.