Is there a way to design a Lambda execution role policy to restrict access by using Lambda alias name. For example, I want to have an alias "Prod" and only executions of function with that alias would have permissions to write to a particular bucket.
I tried using the new lambda:SourceFunctionArn condition, but it does not seem to include the alias, or I am not using it correctly. In the example below I am trying to achieve ability of all variants of my function to write into my-bucket-test, but only Prod alias to be able to write to my-bucket-data. Is there a way to achieve this?
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Logging",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/MyLambda_*"
},
{
"Sid": "S3",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::my-bucket-test/*"
]
},
{
"Sid": "S3Prod",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket-data/*",
"Condition": {
"StringLike": {
"lambda:SourceFunctionArn": "*Prod"
}
}
}
]
}
Thanks,
Alex
Related
I'm trying to figure out how to restrict users to only be able to launch instances using a specific launch template. Here is my current policy so far:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"ec2:InstanceType": "t2.micro"
},
"ArnEquals": {
"ec2:LaunchTemplate": ""
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeAddresses",
"ec2:GetEbsEncryptionByDefault",
"ec2:DescribeVolumesModifications",
"ec2:DescribeSnapshots",
"kms:DescribeCustomKeyStores",
"ec2:DescribeInstanceTypeOfferings",
"ec2:StartInstances",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSnapshot",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:DescribeKeyPairs",
"ec2:DescribeInstanceStatus",
"ec2:TerminateInstances",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DescribeLaunchTemplateVersions",
"ec2:AssignPrivateIpAddresses",
"ec2:StopInstances",
"ec2:DescribeSecurityGroups",
"ec2:CreateVolume",
"ec2:DescribeImages",
"kms:ListKeys",
"ec2:CreateSnapshots",
"ec2:DescribeVpcs",
"kms:ListAliases",
"ec2:DescribeInstanceTypes",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}
I am trying to use the condition "ArnEquals": {"ec2:LaunchTemplate": "" but I don't believe launch templates have an ARN. I tried using the launch template ID but that did not work. Any help would be appreciated!
I am trying to give lambda execution access to select members within a group. Users are authenticated via PingFederate. I am having issue granting this selective access to federated user.
I have a custom IAM policy (allow-lambda-invocation-selective) attached to this role. Although the policy seems to pass validation and policy simulation shows access is allowed, when I try to execute the lambda function I get message
Calling the invoke API action failed with this message: User:arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:123456789012:function:my-lambda-function
Here is my policy: allow-lambda-invocation-selective
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
}
]
}
Am i missing something?
I'm trying to understand your problem. Correct me if I made a wrong supposition.
Every group/user already have its own role.
When you authenticate your users, they have their assumed role. myuser1234, when authenticated, will receive arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 role, right? Is it possible to create one role for each group and remove the conditions property (check item 2 explaining why)?
// role-for-grp-l2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*"
}
]
}
The problem with aws:userid
Reading the docs about the key aws:userid we can find this key has the value given by role id:caller-specified-role-name,
where role id is the unique id of the role and the caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRole request.
So aws:userid has value like AIDAJQABLZS4A3QDU576Q:SomeNameYouGive. Because this, your condition never match arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 and then user cannot assume that actions.
Using conditions another way
Assuming RoleSessionName is the user name, you can use conditions this way:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
}
]
}
if you prefer, you may remove * wildcard getting role id using AWS CLI with the command:
aws iam get-role --role-name ROLE_NAME
and changing condition as follows:
"Condition": {
"StringEquals": {
"aws:userid": "ROLE_ID:myuser1234"
}
}
I am trying to create an IAM Policy in Amazon AWS which will allow access to view or edit/modify a single security group. I have followed the AWS documentation, but am unsuccessfully able to make this policy work. The policy created is below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt123456789123",
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:*"
],
"Resource": [
"arn:aws:ec2:us-east-1:000000000000:security-group/sg-a123a1a1"
]
}
]
}
Yes, I do realize that I have a redundant action, but I noticed you are able to specify Describe Security Group, but no option for Modify; therefore "*" was my only option; Thankfully, the resource should allow me to restrict this action to a single security group.
It is partly possible, please see https://serverfault.com/questions/575487/use-iam-to-allow-user-to-edit-aws-ec2-security-groups, it's actually possible to constrain editing to just one group, but I didn't get listing of just one group to work:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1413232782000",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeNetworkAcls",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1413232782001",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": [
"arn:aws:ec2:us-east-1:<accountid>:security-group/sg-<id>"
]
}
]
}
Here is what I managed to put together and it works great!
Create the following policy and add it to a User Group or make one:
Update the items that are in {BRACKETS}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup"
],
"Resource": "arn:aws:{REGION}:{ACCOUNT_NUMBER}:security-group/{NSG-ID}",
"Condition": {
"ArnEquals": {
"ec2:Vpc": "arn:aws:ec2:{REGION}:{ACCOUNT_NUMBER}:vpc/{VPC-ID}"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeStaleSecurityGroups"
],
"Resource": "*"
}
]
}
Well, it looks like the code formatter is not working right with this, but you can read the references here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_securitygroups-vpc.html
Thanks!
You can add new rule to security group like
aws ec2 authorize-security-group-ingress --group-name MySecurityGroup --protocol tcp --port 3389 --cidr 203.0.113.0/24
And also change the tags as well.
I am trying to create an IAM policy that gives a user full admin rights to all EC2 and RDS resources tagged with sf_env:dev.
I can't seem to figure out the syntax.
The AWS policy simulator displayed
Parse error on line 10: ..._env":"dev"}}}]}{"Statement": [{"A -------------------^ Expecting 'EOF', '}', ',', ']', got '{'
{
"Version": "2012-10-17",
"Statement": [{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {"StringEquals": {"ec2:ResourceTag/sf_env":"dev"}}
}
]
}
{
"Statement": [{
"Action": "rds:"*",
"Effect": "Allow",
"Resource": "*",
"Condition": {"StringEquals": {"ec2:ResourceTag/sf_env":"dev"}}
}
]
}
Thanks. I used the AWS policy simulator which also checks your syntax automatically. I used this article to find out what I did wrong. http://blogs.aws.amazon.com/security/post/Tx1LYOT2FQML4UG/-Back-to-School-Understanding-the-IAM-span-class-matches-Policy-span-Grammar. I had multiple policy statements in one statement block which was an issue. I made one policy block with a single statement of arrays.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/sf_env": "dev"
}
}
},
{
"Effect": "Allow",
"Action": [
"rds:*"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/sf_env": "dev"
}
}
}
]
}
I am new to IAM in AWS. I have created a policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": "ec2:DescribeImages",
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:109027:instance/*",
"arn:aws:ec2:us-east-1:10927:image/*",
"arn:aws:ec2:us-east-1:109027:security-group/Test_hin",
"arn:aws:ec2:us-east-1:109027:subnet/subnet-b",
"arn:aws:ec2:us-east-1:109527:key-pair/*",
"arn:aws:ec2:us-east-1:10903527:network-interface/vpc-e4",
"arn:aws:ec2:us-east-1:107:volume/*"
]
}
]
}
whenever I am trying to launch an instance using console, It gives me an error that i am not authorized to perform this action.
Thanks
Try with the key pair and the network interface resources (Looks like you are trying to launch into a VPC). Also, allow the volume resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:acct:instance/*",
"arn:aws:ec2:us-east-1:acct:image/*",
"arn:aws:ec2:us-east-1:acct:security-group/*",
"arn:aws:ec2:us-east-1:acct:subnet/*",
"arn:aws:ec2:us-east-1:acct:key-pair/*",
"arn:aws:ec2:us-east-1:acct:network-interface/*",
"arn:aws:ec2:us-east-1:acct:volume/*"
]
}
]
}