IT in Education

What is a Policy?

AWS IAM policies let you define in great detail what users, or more commonly groups of users, can do. This article describes some example policies that I've found useful.


Create the RequireMFAPolicy

Creating a managed policy gives you a reusable policy that can be attached to multiple groups.

  1. Go to Services > IAM.
  2. Select Policies in the left pane.
  3. Click the Create policy button.
  4. Select the JSON tab.
  5. Paste the following policy. Replace AWS_ACCOUNT_NUMBER with your own AWS account number (there are 7 occurrences).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllUsersToListAccounts",
      "Effect": "Allow",
      "Action": [
        "iam:ListAccountAliases",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers",
        "iam:GetAccountSummary"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "AllowIndividualUserToSeeTheirAccountInformationAndCreateAccessKey",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:CreateLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:GetAccountPasswordPolicy",
        "iam:GetLoginProfile",
        "iam:UpdateLoginProfile",
        "iam:CreateAccessKey",
        "iam:ListAccessKeys"
      ],
      "Resource": [ "arn:aws:iam::AWS_ACCOUNT_NUMBER:user/${aws:username}" ]
    },
    {
      "Sid": "AllowIndividualUserToListTheirMFA",
      "Effect": "Allow",
      "Action": [
        "iam:ListVirtualMFADevices",
        "iam:ListMFADevices"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_NUMBER:mfa/*",
        "arn:aws:iam::AWS_ACCOUNT_NUMBER:user/${aws:username}"
      ]
    },
    {
      "Sid": "AllowIndividualUserToManageTheirMFA",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::AWS_ACCOUNT_NUMBER:mfa/${aws:username}",
        "arn:aws:iam::AWS_ACCOUNT_NUMBER:user/${aws:username}"
      ]
    },
    {
      "Sid": "DenyEverythingExceptForBelowUnlessMFAd",
      "Effect": "Deny",
      "NotAction": [
        "iam:ListVirtualMFADevices",
        "iam:ListMFADevices",
        "iam:ListUsers",
        "iam:ListAccountAliases",
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:ChangePassword",
        "iam:CreateLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetLoginProfile",
        "iam:UpdateLoginProfile"
      ],
      "Resource": "*",
      "Condition": { "Null": { "aws:MultiFactorAuthAge": "true" } }
    },
    {
      "Sid": "DenyIamAccessToOtherAccountsUnlessMFAd",
      "Effect": "Deny",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:ChangePassword",
        "iam:CreateLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:GetAccountPasswordPolicy",
        "iam:GetLoginProfile",
        "iam:UpdateLoginProfile",
        "iam:CreateAccessKey",
        "iam:ListAccessKeys"
      ],
      "NotResource": [
        "arn:aws:iam::AWS_ACCOUNT_NUMBER:mfa/${aws:username}",
        "arn:aws:iam::AWS_ACCOUNT_NUMBER:user/${aws:username}"
      ],
      "Condition": { "Null": { "aws:MultiFactorAuthAge": "true" } }
    }
  ]
}

  6. Click the Review policy button.
  7. Enter a Name for your policy (e.g. RequireMFAPolicy).
  8. Enter a Description (e.g. This policy will force all users to use MFA for most use cases).
  9. Click Create policy.

You now have a managed policy that can be attached to a group of users.

Exclusive access to an S3 Bucket

Using the method above, you can create the following policy to give full access to a bucket called myschool-bucket. Two resource ARNs are needed: the first covers the bucket itself, the second covers the objects inside it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFullAccessToNamedBucket",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::myschool-bucket",
        "arn:aws:s3:::myschool-bucket/*"
      ]
    }
  ]
}
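To see how these two policies interact, here is an added example (my own code, not part of the article or of any AWS tooling) that implements a minimal offline IAM-style evaluator covering the constructs the policies use: Action/NotAction, Resource/NotResource, wildcard matching, ${aws:username} substitution and the Null condition on aws:MultiFactorAuthAge. The embedded policies are cut-down, constructed copies of the article's, with placeholder account id 123456789012 and username alice assumed; it is a reasoning aid, so confirm real decisions with the IAM Policy Simulator.

```python
import re

# Constructed, cut-down stand-ins for the two policies in this article (placeholder
# account id 123456789012); paste the full RequireMFAPolicy JSON here to test it instead.
REQUIRE_MFA = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:ChangePassword", "iam:CreateAccessKey"],
     "Resource": ["arn:aws:iam::123456789012:user/${aws:username}"]},
    {"Effect": "Deny", "NotAction": ["iam:ChangePassword", "iam:ListUsers"],
     "Resource": "*", "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}},
]}
BUCKET_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::myschool-bucket", "arn:aws:s3:::myschool-bucket/*"]},
]}

def _match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None  # case-sensitive (IAM ignores case for actions)

def _any_match(patterns, value, ctx):
    """True if any pattern (after ${aws:username} substitution) matches the value."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    user = ctx.get("aws:username", "")
    return any(_match(p.replace("${aws:username}", user), value) for p in patterns)

def _applies(st, action, resource, ctx):
    """Does this statement cover the request? Only the Null condition operator is implemented."""
    if "Action" in st and not _any_match(st["Action"], action, ctx): return False
    if "NotAction" in st and _any_match(st["NotAction"], action, ctx): return False
    if "Resource" in st and not _any_match(st["Resource"], resource, ctx): return False
    if "NotResource" in st and _any_match(st["NotResource"], resource, ctx): return False
    for key, must_be_absent in st.get("Condition", {}).get("Null", {}).items():
        if (key not in ctx) != (must_be_absent == "true"): return False  # "true" = key missing
    return True

def evaluate(policies, action, resource, ctx):
    """IAM's basic rule: an explicit Deny always wins; no matching Allow means implicit deny."""
    decision = "ImplicitDeny"
    for st in (s for p in policies for s in p["Statement"]):
        if _applies(st, action, resource, ctx):
            if st["Effect"] == "Deny": return "Deny"
            decision = "Allow"
    return decision

if __name__ == "__main__":
    both, obj = [REQUIRE_MFA, BUCKET_ACCESS], "arn:aws:s3:::myschool-bucket/report.pdf"
    for ctx in ({"aws:username": "alice"}, {"aws:username": "alice", "aws:MultiFactorAuthAge": "120"}):
        print(ctx, evaluate(both, "s3:GetObject", obj, ctx))  # Deny without MFA, Allow with it
    print(evaluate(both, "iam:ChangePassword", "arn:aws:iam::123456789012:user/alice", {"aws:username": "alice"}))  # Allow
```

The last call shows the point of the first two Allow statements: a user who has not yet authenticated with MFA can still change their own password (and, in the full policy, enrol a device), but nothing else, which is what lets new users bootstrap MFA without an administrator.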


Thanks for visiting,
Steven