
Restricting access through IAM policies

Introduction :

Goal :

  • To understand the principle of least privilege.
  • Understand IAM Policies and demonstrate how to create Customer Managed Policies for specific use cases.

Pre-requisites :

  1. AWS IAM account (do not use root account) having:
    • admin privileges
    • access to AWS Management Console
  2. Another AWS IAM account without any permissions assigned
  3. Understanding of AWS Identity based policies

In case you are not familiar with IAM Policies or need a quick refresher, please refer to my blog.

Cost :

  • None (if you have an AWS free-tier eligible account)

Implementing IAM Policies

  1. Login to your AWS Management Console and navigate to IAM. This will take you to the IAM dashboard.
  2. Click on Policies.
  3. Click Create Policy.
  4. Create the desired policy and attach it to an IAM user or IAM group.

The AWS Management Console allows policy creation in two ways:
i. Using a visual editor
ii. Typing the policy directly in JSON format
In this blog we will demonstrate both mechanisms.

Scenario 1 : Restrict read-only access to a single service

Say, we want to grant read-only access to some S3 resources.

The user (or group of users) should be able to list all buckets, but read objects only from the test S3 buckets.

Let's create an IAM Policy for this, using the visual editor.


1.1 Select S3 from the dropdown.

1.2 From the List options select ListBucket; similarly, from the Read options select GetObject and GetBucketLocation.

  • GetBucketLocation is required to list the buckets.
  • GetObject enables us to read the objects in a bucket.

1.3 Next, we need to specify the resource (in this case the S3 bucket) the GetObject action applies to. We have the option to either enable the action for all S3 buckets in our account, or limit it to a bucket (or list of buckets).


Note: It is an AWS best practice to follow the principle of least privilege, meaning grant access only where it is needed.

In our demo we will restrict object read access to the buckets whose names start with test.


Scroll back up and, from the List dropdown, select ListAllMyBuckets.


1.4 Click Next.

1.5 At the next screen, give the policy a meaningful name and description.

1.6 Review the policy details and click Create Policy.

Well done! You have created your first customer managed policy.


This Policy can now be attached to any IAM user or IAM group.

1.7 Let's test if our newly created policy does what it is supposed to do, by attaching it to a test IAM user.


1.8 Login to the AWS Management console as your test user and navigate to S3.

Hooray! We are able to see some buckets!


Let's see if we are able to view the objects in our test bucket.


Yaay! Looking good so far!

Now let's check if we are able to list objects in some other bucket.
Do you think we will be able to do so?
Think for a second, then scroll down to check if you guessed correctly.

We are able to list the objects only in the "test" buckets. Attempting to do so on any other bucket will result in an error.


Scenario 2 : Restrict access to a particular AWS region

In this scenario we will restrict the user's access to one specific AWS region: eu-central-1.

2.1 As done in scenario 1, navigate to the IAM dashboard and create a new policy. This time select JSON instead of the visual editor.


2.2 Paste the policy below into the policy editor (delete all the pre-filled content first):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        }
    ]
}

2.3 Give the policy a name and create the policy.

2.4 Attach the policy to an IAM user (or group) and test it.

Note: make sure that the test IAM user does not have any other permissions or policies attached to it.

If the policy was created correctly, any operation in a region other than eu-central-1 should result in an error.


Scenario 3 : Restrict access to a specific service in a particular AWS region

In scenario 3, we will implement a stricter version of scenario 2. Here, we restrict the access to 3 services within eu-central-1. The user won't be able to access any other service or resource except these.

Let's begin!

3.1 You know the drill! Navigate to Policies under the IAM dashboard and start creating the policy in JSON format.

3.2 Paste the policy below into the editor:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "s3:*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        }
    ]
}

3.3 Give a name and save the policy.

3.4 Attach the policy to an IAM user or group and test the access.

3.4.1 Navigate to the EC2 dashboard in eu-central-1 region and try launching a new instance.


Now attempt the same in any other AWS region. The launch wizard will not let you select the fields required to create an instance, which proves that our IAM policy works!


3.4.2 Change your region to any region other than eu-central-1


Now navigate to S3 and try viewing the buckets.


Repeat the same in eu-central-1 region. You should be able to view the buckets this time!


3.4.3 Navigate to any service other than S3 and EC2, say RDS.

You will receive an error, since we restricted the access only to S3 and EC2.

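To see why the three checks above behave as they do without a second IAM user, here is an added example (not code from the original post) that models, in a deliberately simplified way, how IAM matches a request against the Allow statements built in scenarios 1 and 3. The scenario 1 JSON is reconstructed from the visual-editor steps, and the `arn:aws:s3:::test*` resource patterns are an assumption about what the editor generates; the evaluator itself is not AWS's algorithm and ignores explicit Deny, resource policies, permission boundaries and SCPs.

```python
import fnmatch

# Added example, not from the post: a simplified model of how IAM evaluates the
# identity-based policies built above (Allow statements, "*"/"?" wildcards and a
# StringEquals condition, with implicit deny when nothing matches). Real IAM
# evaluation also has explicit Deny, resource policies, boundaries and SCPs.

# Scenario 1 as the JSON the visual editor produces (reconstructed from the
# steps in the post; the ARN patterns for "test*" buckets are an assumption).
SCENARIO1 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::test*", "arn:aws:s3:::test*/*"]},
    ],
}
# Scenario 3 exactly as given in the post.
SCENARIO3 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-central-1"}},
    }],
}

def _matches(patterns, value):
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_ok(condition, context):
    """StringEquals only; a key absent from the request context fails the match."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches the request, else implicit deny."""
    context = context or {}
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow" and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_ok(stmt.get("Condition", {}), context)):
            return True
    return False
```

Feeding it a request such as `is_allowed(SCENARIO3, "rds:DescribeDBInstances", "*", {"aws:RequestedRegion": "eu-central-1"})` returns False, which is the implicit deny behind the RDS error; the same call for an `ec2:*` action in eu-central-1 returns True.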

Conclusion :

We have covered three scenarios in this blog. This is just the tip of the iceberg! IAM Policies play a crucial role in any well-architected and well-implemented cloud solution.

Let your imagination run wild and explore the power of IAM policies in your own account!!

Don't forget to clean up any resources that you may have spun up to test the policies! IAM policies themselves are not chargeable, so you need not delete them.

I hope this blog has been helpful in igniting your interest in Cloud IAM! Do leave your feedback in the comment section.

Happy Learning!

Top comments (1)

Srinivasan

Nicely Explained Article