🆕 Video Course Out Now: Rapid Docker on AWS

Complete AWS IAM Reference

Michael Wittig – 18 Aug 2016

Writing IAM policies is hard. Following the principle of least privilege is even harder. To write a secure IAM policy you need to know:

  • What actions are needed?
  • Are resource-level permissions supported and on what levels?
  • Are conditions supported to restrict access?

That’s a lot of stuff and the information is spread all across the AWS documentation. That’s why we created the Complete AWS IAM Reference.

Example

For example, you want to allow the launch of new EC2 instances.

First you need to find out what action is needed. You can use the Complete AWS IAM Reference to search for launch in the description field. Now you know, that the action is called ec2:RunInstances .

Cover of Amazon Web Services in Action

Level up, strengthen your AWS skills.

Our book Amazon Web Services in Action is a comprehensive introduction to computing, storing, and networking in the AWS cloud. You'll find clear, relevant coverage of all the essential AWS services, emphasizing best practices for security, high availability, and scalability. Get the first chapter for free!

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*"
}
]
}

Now you can restrict access further. What options do you have? The Complete AWS IAM Reference shows you that you can use many resource-level permissions. For example, you can restrict that it is only allowed to use a certain AMI like Amazon Linux 2016.03.3 (64bit, gp2).

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1::image/ami-6869aa05",
"arn:aws:ec2:us-east-1:$account-id:instance/*",
"arn:aws:ec2:us-east-1:$account-id:key-pair/*",
"arn:aws:ec2:us-east-1:$account-id:network-interface/*",
"arn:aws:ec2:us-east-1:$account-id:placement-group/*",
"arn:aws:ec2:us-east-1:$account-id:security-group/*",
"arn:aws:ec2:us-east-1::snapshot/*",
"arn:aws:ec2:us-east-1:$account-id:subnet/*",
"arn:aws:ec2:us-east-1:$account-id:volume/*"
]
}
]
}

You can take it even further. The Complete AWS IAM Reference shows that you can use a condition to restrict based on instance type. To save money in your dev account you may only allow t2.micro instances.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:$account-id:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": "t2.micro"
}
}
}, {
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1::image/ami-6869aa05",
"arn:aws:ec2:us-east-1:$account-id:key-pair/*",
"arn:aws:ec2:us-east-1:$account-id:network-interface/*",
"arn:aws:ec2:us-east-1:$account-id:placement-group/*",
"arn:aws:ec2:us-east-1:$account-id:security-group/*",
"arn:aws:ec2:us-east-1::snapshot/*",
"arn:aws:ec2:us-east-1:$account-id:subnet/*",
"arn:aws:ec2:us-east-1:$account-id:volume/*"
]
}
]
}

Keep in mind that different resource-level permissions support different service specific conditions. That’s why the following policy is not working:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1::image/*",
"arn:aws:ec2:us-east-1:$account-id:instance/*"
"arn:aws:ec2:us-east-1:$account-id:key-pair/*",
"arn:aws:ec2:us-east-1:$account-id:network-interface/*",
"arn:aws:ec2:us-east-1:$account-id:placement-group/*",
"arn:aws:ec2:us-east-1:$account-id:security-group/*",
"arn:aws:ec2:us-east-1::snapshot/*",
"arn:aws:ec2:us-east-1:$account-id:subnet/*",
"arn:aws:ec2:us-east-1:$account-id:volume/*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": "t2.micro"
}
}
}
]
}

Summary

For every AWS service, different actions are available. Depending on the action you can use resource-level permissions and sometimes also conditions. The Complete AWS IAM Reference collects all that information and makes it accessible to you.

Tags: aws security iam
Michael Wittig

Michael Wittig

I’m an independent consultant, technical writer, and programming founder. All these activities have to do with AWS. I’m writing this blog and all other projects together with my brother Andreas.

In 2009, we joined the same company as software developers. Three years later, we were looking for a way to deploy our software—an online banking platform—in an agile way. We got excited about the possibilities in the cloud and the DevOps movement. It’s no wonder we ended up migrating the whole infrastructure of Tullius Walden Bank to AWS. This was a first in the finance industry, at least in Germany! Since 2015, we have accelerated the cloud journeys of startups, mid-sized companies, and enterprises. We have penned books like Amazon Web Services in Action and Rapid Docker on AWS, we regularly update our blog, and we are contributing to the Open Source community. Besides running a 2-headed consultancy, we are entrepreneurs building Software-as-a-Service products.

We are available for projects.

You can contact me via Email, Twitter, and LinkedIn.

Briefcase icon
Hire me