Amazon IAM Management

Central IAM documentation: http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html

A good reference for ARNs (Amazon Resource Names): http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

Identify the region: http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region

Advanced IAM usage

Access keys

For the root account, AWS will remove the ability to retrieve existing secret access keys on April 21, 2014.
A user can have at most two access keys at the same time (active or inactive); to create a third access key you must delete one of the two, even if one of them is disabled.
A good guide, "Where's my secret access key?": http://blogs.aws.amazon.com/security/post/Tx1R9KDN9ISZ0HF/Where-s-my-secret-access-key
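The two-key limit matters when rotating keys: if a user already holds two keys (even if one is inactive), the create call fails until one is deleted. The following Python script is an added example, not from the linked guide or from this page's author; it rotates a user's key in two steps, freeing a slot first and deactivating (not deleting) the old key only after the new one has been deployed. FakeIAM is a constructed in-memory stand-in that mimics the four boto3 IAM client methods used (list_access_keys, create_access_key, update_access_key, delete_access_key); with a real boto3.client("iam") in its place the same functions work unchanged. The key IDs and dates are constructed sample values.

```python
"""Rotate an IAM user's access key while respecting the two-key limit.

Added example.  `FakeIAM` is a constructed stand-in for boto3's IAM client;
it implements the four calls used below with the same argument names and
response shapes as boto3, and enforces the two-keys-per-user limit.
"""
from datetime import datetime, timedelta, timezone


class FakeIAM:
    """In-memory stand-in for the IAM client (constructed for this example)."""

    def __init__(self, keys):
        self.keys = list(keys)  # dicts with AccessKeyId, Status, CreateDate
        self.counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys]}

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:
            # Real IAM raises LimitExceededException here, active or inactive.
            raise RuntimeError("LimitExceeded: user already has two access keys")
        self.counter += 1
        key = {"AccessKeyId": f"AKIAFAKE{self.counter:08d}", "Status": "Active",
               "CreateDate": datetime.now(timezone.utc)}
        self.keys.append(key)
        return {"AccessKey": dict(key, SecretAccessKey="fake-secret")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys = [k for k in self.keys if k["AccessKeyId"] != AccessKeyId]


def choose_key_to_remove(keys):
    """When the user already has two keys, drop an Inactive one first (it is
    already unused); if both are Active, drop the oldest."""
    inactive = [k for k in keys if k["Status"] == "Inactive"]
    pool = inactive or keys
    return min(pool, key=lambda k: k["CreateDate"])


def rotate_access_key(iam, user_name):
    """Step 1: free a slot if needed, then create the new key.
    Returns (new_key_id, removed_key_id, surviving_old_key_id)."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    removed = None
    if len(keys) >= 2:
        victim = choose_key_to_remove(keys)
        iam.delete_access_key(UserName=user_name, AccessKeyId=victim["AccessKeyId"])
        removed = victim["AccessKeyId"]
        keys = [k for k in keys if k["AccessKeyId"] != removed]
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    surviving = keys[0]["AccessKeyId"] if keys else None
    return new_key["AccessKeyId"], removed, surviving


def retire_old_key(iam, user_name, key_id):
    """Step 2, run only after the new key is deployed everywhere: deactivate
    the old key instead of deleting it, so it can be re-enabled if something
    still depends on it.  It becomes the inactive slot for the next rotation."""
    iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")


def demo():
    """Constructed scenario: the user already holds one Active and one Inactive key."""
    now = datetime.now(timezone.utc)
    iam = FakeIAM([
        {"AccessKeyId": "AKIAOLDACTIVE00001", "Status": "Active",
         "CreateDate": now - timedelta(days=90)},
        {"AccessKeyId": "AKIAOLDINACTIVE001", "Status": "Inactive",
         "CreateDate": now - timedelta(days=180)},
    ])
    new_id, removed, old_id = rotate_access_key(iam, "mypersonalusername")
    # ... deploy new_id to the workloads here, then:
    retire_old_key(iam, "mypersonalusername", old_id)
    return iam, new_id, removed, old_id


if __name__ == "__main__":
    iam, new_id, removed, old_id = demo()
    print("new:", new_id, "removed:", removed, "deactivated:", old_id)
    print("keys now:", [(k["AccessKeyId"], k["Status"]) for k in iam.keys])
```

The split into two steps is deliberate: deleting the old key before the new one is in use is the usual way a rotation breaks something, and keeping it Inactive rather than deleted leaves a quick rollback.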

Account to view bills and similar things

Described here: http://docs.aws.amazon.com/awsaccountbilling/latest/about/ControllingAccessWebsite.html

S3 configuration

To allow some users to create buckets and administer them, but without endangering the company's fragile backup buckets, I have done the following.

allow_create_modify_all_except_deny: permits every kind of create/modify operation on all buckets except the denied buckets
AmazonS3ReadOnlyAccess-bucket-201311271507: permits read-only access, which the user needs to browse in the web console
deny_access_important_bucket: denies every kind of action on the fragile buckets (note that a deny on a bucket must name both arn:aws:s3:::bucket and arn:aws:s3:::bucket/*, otherwise object-level actions such as DeleteObject inside the bucket are not covered)

Policy JSON used, in this order: AmazonS3ReadOnlyAccess-bucket-201311271507, deny_access_important_bucket, allow_create_modify_all_except_deny

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1385566273000",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::backups1",
        "arn:aws:s3:::backups1/*",
        "arn:aws:s3:::backups2",
        "arn:aws:s3:::backups2/*"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1385565434000",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Access to only one bucket

This custom policy permits a user to access a single bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

Console access and RDS configuration

Manage Access to Amazon RDS Resources: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html#CreatingIAMPolicies-RDS.RDSConsole

"When users work with the Amazon RDS console, you must grant them permissions not only to perform the specific actions that you want to allow, but also permissions to actions that the console itself needs. For example, simply to list resources, the console runs the API actions such as DescribeSecurityGroups and DescribeSubnets. Users working in the console must have these permissions; if they don't, portions of the console that users need to work with might simply display a message that users don't have permissions for a task.

The following example policy statement shows permissions that users typically need in order to work in the Amazon RDS console. Notice that this includes RDS actions that start with the word "Describe," a number of EC2 and CloudWatch actions that likewise pertain to describing (listing) resources, and all SNS actions."

Here is the example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:DescribeAlarms",
                "sns:*"
            ],
            "Resource": "*"
        }
    ]
}

Once this policy is applied in combination with the policy you provided in your initial case update, you will see the behavior you expected. The user will be able to enter the "modify", "create", and similar pages for other RDS instances, but the actions will be denied when they are submitted if they are not the allowed resource (ARN). I tested this policy in combination with the policy you supplied and was able to get the proper behavior. You then applied the policies to your account and were successful as well.

I used that policy in combination with this one:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1389959057000",
      "Effect": "Allow",
      "Action": [
        "rds:*"
      ],
      "Resource": [
        "arn:aws:rds:eu-west-1:98765432198:db:mydbname"
      ]
    }
  ]
}

If it's applied appropriately they should not be able to create the instance.
It will let them go through the steps like they can,
but at the launch phase it will be denied:
Status Code: 403, AWS Service: … AWS Error Code: AccessDenied …
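To check how these policies combine before attaching them, the following Python script is an added example (not from the AWS documentation, the support reply, or this page's author) that simulates the core of IAM's evaluation logic: an explicit Deny in any matching statement wins, otherwise some Allow must match, otherwise the request is implicitly denied. It covers the three-policy S3 bucket-admin combination above, the single-bucket policy, and the RDS console policy combined with the single-instance policy. The bucket "projects", the object keys and the instance names "otherdb" and "newdb" are constructed; Condition, NotAction/NotResource, resource policies and SCPs are ignored, so the authoritative check remains the IAM policy simulator. It also shows why a deny needs both arn:aws:s3:::bucket and arn:aws:s3:::bucket/*: with the bucket ARN alone, DeleteObject inside the backup bucket is still allowed by the s3:* policy.

```python
"""Minimal simulator of IAM identity-policy evaluation (added example).

Implements only Action/Resource wildcard matching, "explicit Deny beats
Allow" and the default implicit deny.  NotAction, NotResource, Condition,
resource policies and SCPs are deliberately left out.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive, resource ARNs are not.
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # one matching Deny ends the evaluation
            allowed = True
    return "allow" if allowed else "implicitDeny"


# --- the policies from the notes above, as Python dicts -------------------
S3_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                               "Resource": "*"}]}
S3_ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                               "Resource": ["arn:aws:s3:::*"]}]}
# Deny listing only the bucket ARNs: covers bucket-level actions only.
S3_DENY_BUCKET_ONLY = {"Statement": [{"Effect": "Deny", "Action": ["s3:*"],
                                      "Resource": ["arn:aws:s3:::backups1",
                                                   "arn:aws:s3:::backups2"]}]}
# Same deny extended with bucket/* so that object-level actions are covered.
S3_DENY_WITH_OBJECTS = {"Statement": [{"Effect": "Deny", "Action": ["s3:*"],
                                       "Resource": ["arn:aws:s3:::backups1",
                                                    "arn:aws:s3:::backups1/*",
                                                    "arn:aws:s3:::backups2",
                                                    "arn:aws:s3:::backups2/*"]}]}
SINGLE_BUCKET = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"]}]}
RDS_CONSOLE = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "rds:Describe*", "rds:ListTagsForResource", "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVpcs", "ec2:DescribeAccountAttributes", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets", "cloudwatch:GetMetricStatistics",
    "cloudwatch:DescribeAlarms", "sns:*"]}]}
RDS_ONE_DB = {"Statement": [{"Effect": "Allow", "Action": ["rds:*"],
                             "Resource": ["arn:aws:rds:eu-west-1:98765432198:db:mydbname"]}]}


def s3_admin_decisions(deny_policy):
    """Decisions for the bucket-admin user built from the three S3 policies."""
    pols = [S3_READ_ONLY, deny_policy, S3_ALLOW_ALL]
    return {
        "put_own_bucket": evaluate(pols, "s3:PutObject", "arn:aws:s3:::projects/a.txt"),
        "delete_backup_bucket": evaluate(pols, "s3:DeleteBucket", "arn:aws:s3:::backups1"),
        "delete_backup_object": evaluate(pols, "s3:DeleteObject", "arn:aws:s3:::backups1/db.sql"),
    }


def single_bucket_decisions():
    pols = [SINGLE_BUCKET]
    return {
        "list_all": evaluate(pols, "s3:ListAllMyBuckets", "arn:aws:s3:::*"),
        "get_own": evaluate(pols, "s3:GetObject", "arn:aws:s3:::bucketname/report.csv"),
        "get_other": evaluate(pols, "s3:GetObject", "arn:aws:s3:::otherbucket/report.csv"),
    }


def rds_decisions():
    """Console may browse everything; changes only on the one instance ARN."""
    pols = [RDS_CONSOLE, RDS_ONE_DB]
    prefix = "arn:aws:rds:eu-west-1:98765432198:db:"
    return {
        "describe_any": evaluate(pols, "rds:DescribeDBInstances", prefix + "otherdb"),
        "modify_own": evaluate(pols, "rds:ModifyDBInstance", prefix + "mydbname"),
        "create_new": evaluate(pols, "rds:CreateDBInstance", prefix + "newdb"),
    }


if __name__ == "__main__":
    print("bucket-only deny :", s3_admin_decisions(S3_DENY_BUCKET_ONLY))
    print("bucket + /* deny :", s3_admin_decisions(S3_DENY_WITH_OBJECTS))
    print("single bucket    :", single_bucket_decisions())
    print("rds              :", rds_decisions())
```

The "create_new" case reproduces the behaviour described in the support reply: no statement allows rds:CreateDBInstance on a new instance ARN, so the console walks through the wizard but the launch request ends in an implicit deny (the 403 AccessDenied above).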

Read-only access to a single bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::ist-nagra",
                "arn:aws:s3:::ist-nagra/*"
            ]
        }
    ]
}

Read-only access: describe information only

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeTags",
                "ec2:DescribeSnapshots"
            ],
            "Resource": "*"
        }
    ]
}

Policy based on tags

http://docs.aws.amazon.com/IAM/latest/UserGuide/ExampleIAMPolicies.html#iampolicy-example-ec2-tags-and-daterange

CLI command line

Latest command line reference: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html

aws iam create-user --user-name mypersonalusername
aws iam add-user-to-group --user-name mypersonalusername --group-name mygroupname

List the server certificates to find the correct ARN

aws iam list-server-certificates --no-verify-ssl --profile myprofilename

Unless otherwise stated, the content of this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 License