Controlling Access to AWS Services

Cloud Security User Responsibilities 8th Oct 2019

AWS Identity and Access Management

When using a public cloud provider it is imperative to understand the boundaries of responsibility between the provider and the user, i.e. the shared responsibility model. AWS has no visibility of your assets, such as user data, applications and the operating systems on EC2 instances, so securing them is the responsibility of the user.

Shared Responsibility Model

IAM controls access to AWS services

  1. IAM policies can be attached to users, groups, roles and resources
  2. Policies can be managed by AWS (managed policies) or be custom policies managed by you. Use managed policies whenever possible
  3. Managed policies cannot be applied to resources, only to users, groups and roles
  4. IAM policies are global in nature, i.e. they are not limited to one region
  5. IAM policy permissions can be defined at a very granular level

Policy components

(Mnemonic - RACE)

Resource - the resource (an ARN) that the permissions relate to; explicit permissions are needed to access a resource

Action - what can be performed, e.g. s3:ListBucket, dynamodb:Query

Conditions - for example, allow deleting only those users whose status tag has the value "terminated":

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "iam:DeleteUser",
    "Resource": "*",
    "Condition": {"StringLike": {"iam:ResourceTag/status": "terminated"}}
  }]
}

Effect - two possible values, Allow or Deny; the default is Deny
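To make the RACE components and the evaluation order concrete, here is a small policy evaluator added for this page. It is not AWS code and models only a subset of IAM: Action and Resource wildcards, the StringEquals and StringLike condition operators, the default Deny, and the rule that an explicit Deny overrides any Allow (no NotAction, NotResource or policy variables). The sample policy is constructed: it takes the DeleteUser statement above and adds an S3 Allow plus an explicit Deny on a sensitive prefix of the same bucket, so the interaction between the two can be observed.

```python
"""Minimal IAM policy evaluator for the RACE components (Resource, Action,
Conditions, Effect). Added illustration for this page, not AWS code: it models
only Action/Resource wildcards, two condition operators, default Deny and the
rule that an explicit Deny overrides any Allow (no NotAction, NotResource or
policy variables)."""
import fnmatch
import json

# Constructed sample policy: the page's DeleteUser statement plus an S3 Allow
# and an explicit Deny on a sensitive prefix of the same bucket.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:DeleteUser",
      "Resource": "*",
      "Condition": {"StringLike": {"iam:ResourceTag/status": "terminated"}}
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-logs-bucket",
                   "arn:aws:s3:::example-logs-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-logs-bucket/secret/*"
    }
  ]
}
""")

# StringEquals is an exact match; StringLike accepts * and ? wildcards.
CONDITION_OPERATORS = {
    "StringEquals": lambda expected, actual: actual == expected,
    "StringLike": lambda expected, actual: fnmatch.fnmatchcase(actual, expected),
}


def _as_list(value):
    """IAM accepts a single string or a list in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are case-insensitive and may contain * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """Resource ARNs are case-sensitive; * and ? wildcards are allowed."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """All operator/key pairs must hold; a key missing from the request context fails."""
    for operator, pairs in condition.items():
        check = CONDITION_OPERATORS[operator]
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or not any(check(e, actual) for e in _as_list(expected)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request.

    Decision order as in IAM: start from Deny (the default when nothing
    matches), let any matching explicit Deny win immediately, otherwise a
    matching Allow whose conditions hold yields Allow.
    """
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    user = "arn:aws:iam::123456789012:user/alice"   # constructed ARN
    print(evaluate(SAMPLE_POLICY, "iam:DeleteUser", user, {"iam:ResourceTag/status": "terminated"}))
    print(evaluate(SAMPLE_POLICY, "iam:DeleteUser", user, {"iam:ResourceTag/status": "active"}))
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::example-logs-bucket/secret/key.pem"))
```

The three calls at the bottom show the points the list above makes: the DeleteUser request is allowed only when the tag condition is satisfied, an unrelated tag value (or no tag at all) falls back to the default Deny, and the object under the secret prefix is denied even though the broader Allow also matches it.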

An example of a custom policy

IAM Custom Policy Example

How to Create an IAM Policy

  1. Use a policy managed by AWS
  2. Write a policy document in JSON
  3. Use the AWS Policy Generator – a visual policy creator tool - requires account login

Cross Account Policy Role

Roles are useful when access needs to be granted to third parties or to resources in a different account (cross-account access).

Create a role that allows one account to access an S3 bucket in a different account

A common scenario would be where you want to copy logs in an S3 bucket from one account to an S3 bucket in a different account to restrict access by originating parties for security and auditing purposes.

In account A, create a bucket policy for the account user to access the bucket in account B.

In account B, create a bucket policy that allows access to the bucket in account B from account A.
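Both halves of the cross-account setup described above, as an added example that is not part of the original post and not AWS's own code. The account IDs, role name and bucket name are constructed placeholders. The script generates account A's identity-based policy and account B's bucket policy for the log-copying scenario, then cross-checks the pair: every permission the account A role asks for must also be granted to that exact principal ARN by the bucket policy, and the bucket policy must never open the bucket to a wildcard principal.

```python
"""Pairing the two policies needed for cross-account S3 access, in the
log-copying scenario above. Added example for this page, not AWS code; the
account IDs, role name and bucket name are constructed placeholders."""
import json

ACCOUNT_A = "111111111111"             # account running the log shipper (placeholder)
ACCOUNT_B = "222222222222"             # account owning the destination bucket (placeholder)
ROLE_NAME = "LogShipperRole"           # hypothetical role name in account A
BUCKET = "example-central-audit-logs"  # hypothetical bucket in account B
PRINCIPAL_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/{ROLE_NAME}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_a_identity_policy(bucket, prefix="*"):
    """Identity-based policy attached to the role in account A.

    Lists the bucket and writes objects under it; nothing more. On its own this
    grants nothing across accounts: account B must also allow the principal.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}"},
        ],
    }


def account_b_bucket_policy(bucket, principal_arn, prefix="*"):
    """Resource-based (bucket) policy in account B naming the account A role as Principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowListFromAccountA", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AllowPutFromAccountA", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}"},
        ],
    }


def _principals(stmt):
    """Principal ARNs named by a statement; handles both '*' and the {"AWS": ...} form."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return [principal]


def allowed_pairs(policy, principal=None):
    """(action, resource) pairs granted by Allow statements.

    For a bucket policy pass the principal ARN: only statements naming that
    exact ARN count, so a wildcard grant is never mistaken for the intended one.
    """
    pairs = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None and principal not in _principals(stmt):
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                pairs.add((action, resource))
    return pairs


def missing_grants(identity_policy, bucket_policy, principal_arn):
    """Permissions the account A role requests that account B's bucket policy
    does not grant to that principal; an empty set means the pair is consistent."""
    return allowed_pairs(identity_policy) - allowed_pairs(bucket_policy, principal_arn)


def public_statements(bucket_policy):
    """Sids of Allow statements with a wildcard Principal: these would expose the
    bucket to every AWS account, which the cross-account pattern must avoid."""
    return [stmt.get("Sid", "<no Sid>") for stmt in bucket_policy["Statement"]
            if stmt.get("Effect") == "Allow" and "*" in _principals(stmt)]


if __name__ == "__main__":
    identity = account_a_identity_policy(BUCKET)
    bucket = account_b_bucket_policy(BUCKET, PRINCIPAL_ARN)
    print(json.dumps(identity, indent=2))
    print(json.dumps(bucket, indent=2))
    print("missing grants:", missing_grants(identity, bucket, PRINCIPAL_ARN))
    print("public statements:", public_statements(bucket))
```

The check is deliberately strict about the principal: a bucket policy that names a different account, or that names `*`, does not count as granting the cross-account access, because the first is the wrong trust and the second is a public bucket rather than a controlled hand-off between two accounts.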

Helpful Links

How to be a policy ninja video

IAM policy example for a cross-account role to access S3

CIS AWS Foundations Benchmark whitepaper on AWS security