Friday, 26 May 2023

IAM in AWS

Amazon Web Services – Denying Access using IAM policy for EC2 and EBS Instance


In this article, we will look into how to use AWS Identity and Access Management (IAM) policy conditions to create an IAM policy that denies the creation of Amazon Elastic Compute Cloud (EC2) instances and Amazon Elastic Block Store (EBS) volumes when the required tags are not passed along with the creation request.

We will also look into how you can use the IAM policy tags to restrict the launch of EC2 instances by using Deny with the StringNotLike condition operator. 

If a policy statement has multiple conditions, or multiple keys under a single condition operator, all of them are evaluated with AND logic. For a Deny that enforces several tags, each tag key therefore needs its own statement, so that a request missing any one of the tags is denied. We'll demonstrate the use case below: to launch a new instance from the EC2 console, all four of the following tags must be present.

  • The cost_center tag must not have a null value.
  • The EC2 instance must have a tag key named Production.
  • The identifier tag must be a combination of any five characters.
  • The env tag value must be one of sandbox, dev, or prod.

Now log into the AWS Management Console and navigate to the IAM console. In the IAM navigation pane, under Policies, choose Create policy.

Now choose the JSON view and paste in the policy below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToDescribeAll",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowRunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*::image/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:key-pair/*"
            ]
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions1",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/cost_center": "?*"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions2",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "ForAllValues:StringNotLike": {
                    "aws:TagKeys": "Production"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions3",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/identifier": "?????"
                }
            }
        },
        {
            "Sid": "AllowRunInstancesWithRestrictions4",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:RequestTag/env": [
                        "sandbox",
                        "dev",
                        "prod"
                    ]
                }
            }
        },
        {
            "Sid": "AllowRunInstances1",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:instance/*"
            ]
        },
        {
            "Sid": "AllowCreateTagsOnRunInstance",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

All four request tags must be present for the EC2 instance to launch successfully.

The first Deny statement checks the tag key cost_center against the value "?*", a question mark followed by a wildcard. This pattern requires at least one character in the tag value, so an instance can't launch with an empty cost_center tag.

The second statement checks aws:TagKeys for the value Production. Because StringNotLike is case-sensitive, the tag key must match the case of Production exactly.

The third statement checks the tag key identifier against five question marks. This pattern allows any combination of exactly five characters; leading or trailing spaces are ignored.

The fourth statement checks the tag key env for one of the values sandbox, dev, or prod.
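As an added example (not code from the original article or from AWS), the following Python models how the four Deny statements above evaluate the tag set of a RunInstances request. It encodes the IAM behaviours the policy relies on: StringNotLike is case-sensitive, a negated operator on a request tag that was never sent evaluates true, and ForAllValues over aws:TagKeys is true when no tag key matches, including when the request carries no tags at all. The sample tag sets are constructed.

```python
import re

# Constructed model of the four Deny statements in the policy above:
# (Sid, condition key, pattern list, uses ForAllValues). Not AWS's own evaluator.
DENY_RULES = [
    ("AllowRunInstancesWithRestrictions1", "aws:RequestTag/cost_center", ["?*"], False),
    ("AllowRunInstancesWithRestrictions2", "aws:TagKeys", ["Production"], True),
    ("AllowRunInstancesWithRestrictions3", "aws:RequestTag/identifier", ["?????"], False),
    ("AllowRunInstancesWithRestrictions4", "aws:RequestTag/env", ["sandbox", "dev", "prod"], False),
]

def string_like(value, pattern):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' exactly one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def string_not_like(value, patterns):
    """StringNotLike with a list of patterns: true only if none of them match."""
    return not any(string_like(value, p) for p in patterns)

def denied_statements(request_tags):
    """Return the Sids of Deny statements that match a RunInstances request
    carrying the given tags (a dict of tag key -> tag value)."""
    denied = []
    for sid, key, patterns, for_all_values in DENY_RULES:
        if for_all_values:
            # ForAllValues:StringNotLike over aws:TagKeys is true when every tag
            # key fails to match, and also when the request carries no tags at all.
            matched = all(string_not_like(k, patterns) for k in request_tags)
        else:
            # aws:RequestTag/<name> is absent when the tag is not sent; a negated
            # operator on an absent key evaluates true, so the Deny applies.
            value = request_tags.get(key.split("/", 1)[1])
            matched = value is None or string_not_like(value, patterns)
        if matched:
            denied.append(sid)
    return denied

def launch_allowed(request_tags):
    """An explicit Deny always wins, so the launch succeeds only if none match."""
    return not denied_statements(request_tags)

if __name__ == "__main__":
    # Constructed sample requests: the compliant tag set and one defect each.
    good = {"cost_center": "finance", "Production": "true", "identifier": "ab12x", "env": "prod"}
    for name, tags in [
        ("compliant", good),
        ("empty cost_center", {**good, "cost_center": ""}),
        ("lowercase production key", {("production" if k == "Production" else k): v for k, v in good.items()}),
        ("no tags", {}),
    ]:
        print(f"{name}: allowed={launch_allowed(tags)} denied_by={denied_statements(tags)}")
```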

Next, choose Review, enter a name for your policy, and then choose Create policy.

Now choose Users in the left navigation pane. We already have a user named user1; for this user, choose Add permissions and then the Attach existing policies directly tab. Select the check box next to your policy and choose Next: Review.

Then choose Add permissions.

Now let's demonstrate the policy evaluation by signing in as user1 and navigating to the EC2 console. To add the missing tag, go back to the review screen, scroll down, choose Edit tags, and then choose Add another tag. Provide env as the tag key and one of sandbox, dev or prod as the value.

Here we'll provide prod and choose Next: Configure Security Group. Finally, select the existing security group.

At this stage we can launch the instance, and we'll see the message "Your instances are now launching". Choose View Instances to see the launched instance.
