👉 AWS Debug Games (Beta) - Prove your AWS expertise by solving tricky challenges.

👉 AWS Debug Games - Prove your AWS expertise.

Complete AWS IAM Reference

Michael Wittig – 18 Aug 2016

Writing IAM policies is hard. Following the principle of least privilege is even harder. To write a secure IAM policy you need to know:

  • What actions are needed?
  • Are resource-level permissions supported and on what levels?
  • Are conditions supported to restrict access?

That’s a lot of stuff and the information is spread all across the AWS documentation. That’s why we created the Complete AWS IAM Reference.

Example

For example, you want to allow the launch of new EC2 instances.

First you need to find out what action is needed. You can use the Complete AWS IAM Reference to search for launch in the description field. Now you know, that the action is called ec2:RunInstances .


Looking for a new challenge?

  • DEMICON

    Cloud Operations Lead

    DEMICON • AWS Advanced Consulting Partner • Remote (Europe)
    service-delivery-management hiring devops platform

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*"
}
]
}

Now you can restrict access further. What options do you have? The Complete AWS IAM Reference shows you that you can use many resource-level permissions. For example, you can restrict that it is only allowed to use a certain AMI like Amazon Linux 2016.03.3 (64bit, gp2).

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1::image/ami-6869aa05",
"arn:aws:ec2:us-east-1:$account-id:instance/*",
"arn:aws:ec2:us-east-1:$account-id:key-pair/*",
"arn:aws:ec2:us-east-1:$account-id:network-interface/*",
"arn:aws:ec2:us-east-1:$account-id:placement-group/*",
"arn:aws:ec2:us-east-1:$account-id:security-group/*",
"arn:aws:ec2:us-east-1::snapshot/*",
"arn:aws:ec2:us-east-1:$account-id:subnet/*",
"arn:aws:ec2:us-east-1:$account-id:volume/*"
]
}
]
}

You can take it even further. The Complete AWS IAM Reference shows that you can use a condition to restrict based on instance type. To save money in your dev account you may only allow t2.micro instances.

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:$account-id:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": "t2.micro"
}
}
}, {
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1::image/ami-6869aa05",
"arn:aws:ec2:us-east-1:$account-id:key-pair/*",
"arn:aws:ec2:us-east-1:$account-id:network-interface/*",
"arn:aws:ec2:us-east-1:$account-id:placement-group/*",
"arn:aws:ec2:us-east-1:$account-id:security-group/*",
"arn:aws:ec2:us-east-1::snapshot/*",
"arn:aws:ec2:us-east-1:$account-id:subnet/*",
"arn:aws:ec2:us-east-1:$account-id:volume/*"
]
}
]
}

Keep in mind that different resource-level permissions support different service specific conditions. That’s why the following policy is not working:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1::image/*",
"arn:aws:ec2:us-east-1:$account-id:instance/*"
"arn:aws:ec2:us-east-1:$account-id:key-pair/*",
"arn:aws:ec2:us-east-1:$account-id:network-interface/*",
"arn:aws:ec2:us-east-1:$account-id:placement-group/*",
"arn:aws:ec2:us-east-1:$account-id:security-group/*",
"arn:aws:ec2:us-east-1::snapshot/*",
"arn:aws:ec2:us-east-1:$account-id:subnet/*",
"arn:aws:ec2:us-east-1:$account-id:volume/*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": "t2.micro"
}
}
}
]
}

Summary

For every AWS service, different actions are available. Depending on the action you can use resource-level permissions and sometimes also conditions. The Complete AWS IAM Reference collects all that information and makes it accessible to you.

Become a cloudonaut supporter

Michael Wittig

Michael Wittig ( Email Twitter LinkedIn Mastodon )

We launched the cloudonaut blog in 2015. Since then, we have published 365 articles, 68 podcast episodes, and 68 videos. It's all free and means a lot of work in our spare time. We enjoy sharing our AWS knowledge with you.

Please support us

Have you learned something new by reading, listening, or watching our content? With your help, we can spend enough time to keep publishing great content in the future. Learn more

$
Amount must be a multriply of 5. E.g, 5, 10, 15.

Thanks to Alan Leech, Alex DeBrie, Christopher Hipwell, Jason Yorty, Jeff Finley, jhoadley, Johannes Konings, John Culkin, Jonathan Deamer, Juraj Martinka, Ken Snyder, Markus Ellers, Oriol Rodriguez, Ross Mohan, sam onaga, Satyendra Sharma, Simon Devlin, Todd Valentine, Victor Grenu, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt.