
AWS IAM Policies Overview and Review

The document collects fourteen sample AWS IAM policies spanning S3, EC2, IAM and KMS. They range from tightly scoped bucket access (read-only on one bucket, `PutObject` on a deployment bucket, `Decrypt` on a single KMS key) to over-broad grants such as `s3:*`, `iam:*` and `*` on all resources, and include two resource-based (bucket) policies that carry a `Principal` element — one public-read, one cross-account. It closes with a capstone exercise: a production-candidate policy that scopes S3 object actions to one bucket but leaves its CloudWatch Logs, IAM and KMS statements on `"Resource": "*"`, and asks the reader whether to approve it and how to tighten it first.


Policy 1:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AdminAccessToS3",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}

Policy 2:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadLogs",
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::log-bucket",
"arn:aws:s3:::log-bucket/*"
]
}
]
}

Policy 3:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::deployment-bucket/*"
}
]
}

Policy 4 (deny-unless-MFA guard: `BoolIfExists` also matches requests where the MFA context key is absent, which is the documented pattern; note it will block any long-term access-key use that has no MFA session behind it):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MFAOnly",
"Effect": "Deny",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}

Policy 5 (equivalent to AdministratorAccess — `*` on `*` grants every action on every resource in the account):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OopsTooMuchPower",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}

Policy 6 (a bucket policy, not an identity policy — the `Principal` element only appears in resource-based policies; `"Principal": "*"` makes every object under the prefix world-readable, so confirm this is intended and that S3 Block Public Access is deliberately relaxed for this bucket):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicRead",
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::public-assets/*"
}
]
}

Policy 7:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAndReadSpecificBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket", "s3:GetObject"],
"Resource": [
"arn:aws:s3:::team-data",
"arn:aws:s3:::team-data/*"
]
}
]
}

Policy 8 (`ec2:TerminateInstances` on every instance in the account, with no resource ARN or tag-based condition to limit blast radius):

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "InlinePolicyDeveloper",
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*"
}
]
}

Policy 9:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3FullAccessToLogs",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::log-bucket",
"arn:aws:s3:::log-bucket/*"
]
}
]
}
Policy 10 (`iam:*` on all resources is effectively full administrative access — the principal can attach any policy to itself or create new principals and keys):

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllIAMActions",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}

Policy 11:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDescribeInstances",
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
}

Policy 12:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3WithoutCondition",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::confidential-reports/*"
}
]
}

Policy 13:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KMSDecryptOnly",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-east-1:111122223333:key/abcd1234-5678-efgh-9012-ijklmnopqrst"
}
]
}

Policy 14 (a bucket policy trusting the `root` of account 222233334444 — this delegates access to whichever IAM principals that account's own policies allow, not only its root user):

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossAccountAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222233334444:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::shared-bucket/*"
}
]
}

Capstone Policy: Final Audit – Can You Make It Better?

Instructions for Students:

You are the security engineer reviewing this policy for production. Would you approve it as written? If not, rewrite it. Check in particular which statements still use `"Resource": "*"` and whether each action genuinely needs that breadth; whether the IAM statement should be limited to the caller's own user ARN (for example `arn:aws:iam::*:user/${aws:username}`) rather than every user; and whether the KMS statement should name the specific key ARN(s) instead of every key in the account.

Policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3Access",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::company-data",
"arn:aws:s3:::company-data/*"
]
},
{
"Sid": "AllowCloudWatchLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Sid": "IAMSelfManagement",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "*"
},
{
"Sid": "OptionalKMSAccess",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt"
],
"Resource": "*"
}
]
}
