Getting Started with AWS (Part 11)

Introduction

We’ve been examining AWS Identity and Access Management (IAM), the web service you use to create and manage users and to control their access to your AWS environment by attaching policies to them. In the previous two articles in this series we first looked at how policy documents define the policies that control access to the resources in your AWS environment, and then we examined how to create a custom policy by copying an existing AWS managed policy and using it as a starting point or template. In this article we’ll look at two other ways to create custom policies, which give you more granular control over the resources in your AWS environment than the AWS managed policies allow by default.

Method 2: Policy Generator

As we mentioned in the previous article in this series, Policy Generator is a wizard-like tool that builds a custom policy from the AWS services the policy will control access to and the actions that should be allowed (or denied) for the users or groups to which the policy is attached. You can launch Policy Generator by selecting the Create Policy button on the Policies page of the IAM console and then clicking the Select button indicated in Figure 1 below:

Image
Figure 1: Step 1 of creating a new policy using the Policy Generator option.

In this walkthrough we will use Policy Generator to create a new custom policy that grants the users and groups it is attached to permissions on resources in the Amazon Elastic Compute Cloud (EC2) service in your AWS environment. Note that such a policy does not grant access to AWS billing information: billing actions belong to a separate service namespace (aws-portal) and are not covered by any EC2 permission. To create the policy you will start by configuring the policy settings on the Edit Permissions wizard page shown here:

Image
Figure 2: Step 2 of creating a new policy using the Policy Generator option.

Since we want the policy to grant access rather than deny it, we will leave the Effect option set to Allow, which is the default.

Clicking the AWS Service listbox control shows the range of different AWS services you can select for generating your custom policy:

Image
Figure 3: Step 3 of creating a new policy using the Policy Generator option.

Since we want our new policy to provide users with access to EC2 resources, we will select Amazon EC2 as the AWS service on the Edit Permissions page (see the figure below). Clicking the Actions list control then displays additional options to choose from for our policy:

Image
Figure 4: Step 4 of creating a new policy using the Policy Generator option.

Before we go any further, let’s briefly talk about Amazon Resource Names (ARNs), since we need to specify one when we use Policy Generator to create a new policy.

An aside on Amazon Resource Names (ARNs)

Resources in the AWS cloud are typically identified in two ways: by a friendly name and by an Amazon Resource Name (ARN). Friendly names are user-defined, whereas ARNs follow a standardized format that uniquely identifies a resource across all of AWS. IAM user accounts are a good example.

Back in Part 6 of this series we created a user account named Bob_Smith and made it a member of a new group called Admins that grants its members full administrative privileges over the resources in your AWS environment (except for special privileges such as access to your AWS billing information).

If we select the Users page in the IAM console and click on user Bob_Smith, we can open a page that displays the properties of this user as shown here:

Image
Figure 5: Details concerning the properties of IAM user Bob_Smith.

The above screenshot shows that this IAM user can be identified in two ways in your AWS environment:

  • By its friendly name, Bob_Smith
  • By its ARN, which has the form arn:aws:iam::<account_id>:user/Bob_Smith (note the two consecutive colons: the region field is empty for IAM resources)

The general format of an ARN is as follows:

arn:partition:service:region:account:resource

Here partition is aws for the standard AWS regions (other partitions exist, such as aws-cn and aws-us-gov), service identifies the AWS product (iam in this example), region is the region in which the resource resides (always left empty for IAM resources, because IAM is a global service), account is the 12-digit AWS account ID, and resource is a string that identifies the specific resource by type, path and name (user/Bob_Smith here). The fields are separated by colons, so an empty field shows up as two colons in a row.

Now let’s return to our walkthrough using Policy Generator and finish creating our new policy.

Using Policy Generator (continued)

Since we want this policy to allow targeted users to have access to any and all resources relating to the Amazon EC2 cloud service, we’ll select All Actions Selected in the Actions list control as shown in the next figure:

Image
Figure 6: Step 5 of creating a new policy using the Policy Generator option.

Next, we’ll enter the wildcard character (“*”) in the Amazon Resource Name (ARN) text field as shown below. On its own, “*” is not an ARN: as the Resource value of a policy it matches every resource of every type in every region of the account, so a policy that allows ec2:* on “*” gives the targeted users full control over all of the account’s EC2 resources. The ARN displayed at the bottom of the next screenshot shows the form you would use to narrow that down:

arn:aws:ec2:us-east-1:<account_id>:instance/*

Here us-east-1 is the region (the one used for this walkthrough), <account_id> is the AWS account ID, and the resource string instance/* matches every instance (virtual machine) in that region that belongs to the account, and nothing else. Before attaching a “*” policy to anything other than a test group, replace the wildcard with an ARN pattern like this one.

Image
Figure 7: Step 6 of creating a new policy using the Policy Generator option.

Clicking the Next Step button takes us to the Review Policy page where we can examine in detail the JSON that will be used to define our new policy:

Image
Figure 8: Step 7 of creating a new policy using the Policy Generator option.

Finally, clicking the Create Policy button causes the new custom policy to be generated.
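To make the ARN format and the effect of the “*” wildcard concrete, here is an added example (not code from the original article or from AWS) that parses ARNs into their fields and evaluates a simplified form of IAM’s Allow/Deny logic against two policies: the one the Policy Generator walkthrough produces (ec2:* on “*”) and the same policy scoped to instances in us-east-1. The account ID 123456789012, the instance IDs and the policy documents are constructed for the illustration; conditions, NotAction and NotResource are deliberately not modelled.

```python
import fnmatch
from typing import Dict, List, Union

# Constructed sample values; 123456789012 is a placeholder account ID.
ACCOUNT_ID = "123456789012"
BOB_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/Bob_Smith"

# The policy the Policy Generator walkthrough produces: every EC2 action on every resource.
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1", "Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]}
    ],
}

# The same policy scoped with the ARN pattern the generator shows as a hint:
# instances in one region of one account only.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Action": ["ec2:*"],
            "Resource": [f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:instance/*"],
        }
    ],
}


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an ARN into its fields: arn:partition:service:region:account:resource.

    The resource part may itself contain colons (some S3 and SNS resource types do),
    so split on at most five colons and keep the remainder intact. Global services
    such as IAM leave the region field empty, which shows up as '::' in the ARN.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """Action and Resource may be written as a single string or as an array."""
    return [value] if isinstance(value, str) else list(value)


def resource_matches(pattern: str, arn: str) -> bool:
    """Does a Resource element value cover this ARN?

    '*' matches any run of characters (including ':' and '/') and '?' matches one
    character; resource ARNs are compared case-sensitively, hence fnmatchcase.
    """
    return fnmatch.fnmatchcase(arn, pattern)


def action_matches(pattern: str, action: str) -> bool:
    """Action names are matched case-insensitively, with the same wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy: dict, action: str, arn: str) -> bool:
    """Simplified identity-policy evaluation: default deny, an explicit Deny always
    wins, otherwise any matching Allow grants the request."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(action_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(resource_matches(r, arn) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(parse_arn(BOB_ARN))
    target = f"arn:aws:ec2:eu-west-1:{ACCOUNT_ID}:instance/i-0123456789abcdef0"
    for name, policy in (("generated", GENERATED_POLICY), ("scoped", SCOPED_POLICY)):
        verdict = is_allowed(policy, "ec2:TerminateInstances", target)
        print(f"{name}: TerminateInstances on an eu-west-1 instance allowed = {verdict}")
```

Running the block shows the practical difference: the generated policy lets the user terminate an instance in eu-west-1, the scoped policy does not. One caveat when you scope EC2 policies this way: a number of EC2 actions (notably the Describe* calls) do not support resource-level permissions and require Resource “*”, so a real scoped policy usually pairs a narrow statement for the mutating actions with a separate statement that allows the read-only Describe actions on “*”.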

Method 3: Create Your Own Policy

The third method for creating a new custom policy is to use the Policy Editor, which is launched by clicking the Select button beside Create Your Own Policy, shown at the bottom of this screenshot:

Image
Figure 9: Step 1 of creating a new policy using the Create Your Own Policy option.

The Review Policy page is the Policy Editor and here you can specify a friendly name and description for your policy and then either type or copy/paste into the Policy Document text field the JSON that will be used to define your new policy:

Image
Figure 10: Step 2 of creating a new policy using the Create Your Own Policy option.

Clearly, to use the Policy Editor you need a good understanding of the policy JSON syntax we briefly described in Part 9 of this series. Once you’ve typed or pasted in the JSON for your policy, click the Validate Policy button to check it for syntax errors before you click Create Policy. Keep in mind that Validate Policy checks the grammar of the document, not your intent: a policy that validates cleanly can still grant more (or less) access than you meant, so review the Effect, Action and Resource of every statement before attaching the policy to users or groups.
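As an added example of the kind of structural mistakes a validation pass catches in a hand-typed policy, the following script (written for this article, not AWS’s validator or code from the original page) checks a policy document for the errors most often made in the Policy Editor: malformed JSON, a missing Version, a misspelled Effect, an unknown element such as “Actions”, a statement with no Action or Resource, a Principal element (which is only valid in resource-based policies) and duplicate Sids. The two sample documents are constructed for the illustration; the checker knows nothing about valid action names or Condition operators, so it complements rather than replaces the console’s Validate Policy button.

```python
import json
from typing import List

# Elements permitted in a statement of an identity-based policy (the kind
# attached to IAM users and groups). Principal belongs only in resource-based
# policies such as S3 bucket policies and IAM role trust policies.
ALLOWED_KEYS = {"Sid", "Effect", "Action", "NotAction", "Resource", "NotResource", "Condition"}
VALID_EFFECTS = {"Allow", "Deny"}
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}


def validate_policy(text: str) -> List[str]:
    """Return a list of problems found in a policy document; an empty list means it passed."""
    problems: List[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}, column {exc.colno}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]

    version = doc.get("Version")
    if version is None:
        # Without Version 2012-10-17, policy variables such as ${aws:username} are
        # treated as literal text rather than substituted.
        problems.append('missing "Version" (use "2012-10-17")')
    elif version not in VALID_VERSIONS:
        problems.append(f'unknown "Version" {version!r}')

    statements = doc.get("Statement")
    if statements is None:
        problems.append('missing "Statement"')
        return problems
    if isinstance(statements, dict):  # a single statement may be written without the array
        statements = [statements]
    if not isinstance(statements, list) or not statements:
        problems.append('"Statement" must be an object or a non-empty array of objects')
        return problems

    seen_sids = set()
    for index, stmt in enumerate(statements):
        where = f"Statement[{index}]"
        if not isinstance(stmt, dict):
            problems.append(f"{where}: must be a JSON object")
            continue
        for key in sorted(set(stmt) - ALLOWED_KEYS):
            hint = " (only valid in resource-based policies)" if key == "Principal" else ""
            problems.append(f"{where}: unknown element {key!r}{hint}")
        effect = stmt.get("Effect")
        if effect not in VALID_EFFECTS:
            problems.append(f'{where}: "Effect" must be exactly "Allow" or "Deny" (got {effect!r})')
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f'{where}: exactly one of "Action" or "NotAction" is required')
        if ("Resource" in stmt) == ("NotResource" in stmt):
            problems.append(f'{where}: exactly one of "Resource" or "NotResource" is required')
        sid = stmt.get("Sid")
        if sid is not None:
            if sid in seen_sids:
                problems.append(f'{where}: duplicate "Sid" {sid!r}')
            seen_sids.add(sid)
    return problems


# Constructed sample documents. GOOD_POLICY has the shape the Policy Generator emits;
# BAD_POLICY contains the mistakes a hand-typed policy commonly has.
GOOD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Stmt1", "Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]}
  ]
}"""

BAD_POLICY = """{
  "Statement": [
    {"Effect": "allow", "Actions": ["ec2:*"], "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        for line in validate_policy(text) or ["ok"]:
            print(f"{name}: {line}")
```

Note that the lowercase "allow" and the misspelled "Actions" in the bad document are exactly the kind of error that is easy to miss by eye: element names and Effect values are case-sensitive, and a statement that silently lacks an Action grants nothing at all rather than failing loudly.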
