DEV Community: Cezary Czekalski The latest articles on DEV Community by Cezary Czekalski (@cezaryczekalskisonalake). https://dev.to/cezaryczekalskisonalake https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F700879%2F72c805a0-2327-43e1-b8d3-25ee005e2fa6.jpeg DEV Community: Cezary Czekalski https://dev.to/cezaryczekalskisonalake en Identity vs Resource-based AWS IAM Policies Cezary Czekalski Tue, 07 Sep 2021 09:47:26 +0000 https://dev.to/sonalake/identity-vs-resource-based-aws-iam-policies-3e85 https://dev.to/sonalake/identity-vs-resource-based-aws-iam-policies-3e85 <p>Identity and Access Management (IAM) is a global AWS service dedicated to managing access to AWS services and resources. It’s a cornerstone of AWS, but it’s also very powerful and there are many ways to achieve the same goal. In this post, I’m going to look at two approaches to securing access to AWS resources. Let’s first start by looking at some fundamental IAM concepts.</p> <h2> Key IAM Concepts </h2> <p>An IAM <em>user</em> is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. Users can be given access to the AWS console or to AWS APIs. Given the appropriate <em>permissions</em>, users can invoke actions on AWS infrastructure resources. Users can also be assigned to <em>groups</em> – a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. IAM users can be assigned to many different groups (one user can be assigned to many groups, but a group itself cannot be assigned to another group).</p> <p>IAM <em>permissions</em> are assigned via <em>policies</em>. There is a principle which states that what is not explicitly allowed is denied by default and it’s a good idea to prevent accidentally being over-privileged.</p> <p>An IAM <em>role</em> is an IAM identity that has specific permissions. It is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.</p> <p>A <em>policy</em> is a set of permissions written in JSON format. There are six types of policies, but this post will focus on two of them; identity-based policies, and resource-based policies.</p> <h2> Identity-based Policies </h2> <p>Identity-based policies grant permissions to an identity. An identity-based policy dictates whether an identity to which this policy is attached is allowed to make API calls to particular AWS resources or not. For example, the following policy would allow a user to invoke any Get or List request on any S3 resource.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:Get*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:List*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The key elements of the policy definition are:</p> <ul> <li> Effect – whether to allow or deny the action(s)</li> <li> Action – the API(s) the policy applied to requests on resources (‘*’ means wildcard)</li> <li> Resource – identifier of the resource(s) to which the policy applies. Resources are identified by an Amazon Resource Name (ARN), or by wildcard.</li> </ul> <h2> Resource-based Policies </h2> <p>Resource-based policies grant permissions to the principal that is specified in the policy. They specify who or what can invoke an API from a resource to which the policy is attached.</p> <p>For example, the policy below specifies that S3 events on the bucket <code>arn:aws:s3:::test-bucket-cezary</code> can be handled by the Lambda (lambda-s3) in account id 1234567890 in eu-west-1 region.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"default"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3-event-cezary_for_lambda-s3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lambda:InvokeFunction"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:lambda:eu-west-1:1234567890:function:lambda-s3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:SourceAccount"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1234567890:"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ArnLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:SourceArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::test-bucket-cezary"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>In this case, the principal is “a caller” who can invoke a particular action on the specific resource <code>arn:aws:s3:::test-bucket-cezary</code>.</p> <p>Now that we’ve covered these two policy types, let’s set up some demo policies and explore the types of issues that can result when mixing the two policy types and setting too restrictive or too permissive access.</p> <h2> Demo Environment </h2> <p>Assuming you have AWS account setup, create two IAM users:</p> <ul> <li> An “admin user” with the following policies attached <ul> <li> AdministratorAccess – This policy allows for almost unrestricted access to all services. This identity-based policy is available by default. It is created &amp; managed by AWS. It’s also one of the so-called AWS managed policies.</li> </ul> </li> <li> A “restricted user” with the following policies attached <ul> <li> IAMReadOnlyAccess – Read-only access to the IAM console</li> <li> ListAllMyBuckets (Permission) – list all S3 buckets (<span>but not their content</span>). You need to create an identity policy to set permission inside of it.</li> <li> AWSCloudShellFullAccess – Provides fully featured access to CloudShell in AWS Console</li> </ul> </li> </ul> <p>The policy for the <em>admin</em> user is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The policy for the <em>restricted user</em> is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:[</span><span class="w"> </span><span class="s2">"iam:GenerateCredentialReport"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:GenerateServiceLastAccessedDetails"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:Get*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:List*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:SimulateCustomPolicy"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:SimulatePrincipalPolicy"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="s2">"VisualEditor0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="s2">"s3:ListAllMyBuckets"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:[</span><span class="w"> </span><span class="s2">"cloudshell:*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now let’s create a bucket via our admin user and test these two policies. You can do this via the command line, or if you don’t want to install the <a href="https://aws.amazon.com/cli/"><strong>AWS Command Line Interface (CLI)</strong></a>, via <a href="https://aws.amazon.com/cloudshell/"><strong>CloudShell</strong></a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">Create</span><span class="w"> </span><span class="err">a</span><span class="w"> </span><span class="err">bucket</span><span class="w"> </span><span class="err">aws</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="err">api</span><span class="w"> </span><span class="err">create-bucket</span><span class="w"> </span><span class="err">--bucket</span><span class="w"> </span><span class="err">YOUR_GLOBALLY_UNIQUE_NAME</span><span class="w"> </span><span class="err">--region</span><span class="w"> </span><span class="err">YOUR_CHOSEN_REGION</span><span class="w"> </span><span class="err">--create-bucket-configuration</span><span class="w"> </span><span class="err">LocationConstraint=YOUR_CHOSEN_REGION</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Response</span><span class="w"> </span><span class="p">{</span><span class="nl">"Location"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://YOUR_GLOBALLY_UNIQUE_NAME.s3.amazonaws.com/"</span><span class="p">}</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Prohibit</span><span class="w"> </span><span class="err">public</span><span class="w"> </span><span class="err">access</span><span class="w"> </span><span class="err">aws</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="err">api</span><span class="w"> </span><span class="err">put-public-access-block</span><span class="w"> </span><span class="err">--bucket</span><span class="w"> </span><span class="err">YOUR_GLOBALLY_UNIQUE_NAME</span><span class="w"> </span><span class="err">--public-access-block-configuration</span><span class="w"> </span><span class="s2">"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Put</span><span class="w"> </span><span class="err">one</span><span class="w"> </span><span class="err">object</span><span class="w"> </span><span class="err">into</span><span class="w"> </span><span class="err">a</span><span class="w"> </span><span class="err">bucket</span><span class="w"> </span><span class="err">(optional)</span><span class="w"> </span><span class="err">aws</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="err">api</span><span class="w"> </span><span class="err">put-object</span><span class="w"> </span><span class="err">--bucket</span><span class="w"> </span><span class="err">YOUR_GLOBALLY_UNIQUE_NAME</span><span class="w"> </span><span class="err">--key</span><span class="w"> </span><span class="err">YOUR_FILE</span><span class="w"> </span><span class="err">--body</span><span class="w"> </span><span class="err">YOUR_FILE</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">List</span><span class="w"> </span><span class="err">your</span><span class="w"> </span><span class="err">buckets</span><span class="w"> </span><span class="err">(optional)</span><span class="w"> </span><span class="err">aws</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="err">api</span><span class="w"> </span><span class="err">list-buckets</span><span class="w"> </span><span class="err">#Response</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Buckets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_GLOBALLY_UNIQUE_NAME"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CreationDate"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2021-06-12T11:12:55+00:00"</span><span class="w"> </span><span class="p">},</span><span class="err">...</span><span class="w"> </span></code></pre> </div> <h2> Policies Problems and How to Avoid Them </h2> <p>Having created and configured the bucket check from either console or via an API call that this bucket policy (the resource-based policy) is empty.</p> <p><code>aws s3api get-bucket-policy --bucket YOUR_GLOBALLY_UNIQUE_NAME --query Policy --output text</code></p> <p>Ok, now we are ready to list the content of our bucket.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">As</span><span class="w"> </span><span class="err">the</span><span class="w"> </span><span class="err">admin</span><span class="w"> </span><span class="err">user</span><span class="w"> </span><span class="err">aws</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="w"> </span><span class="err">ls</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="err">://YOUR_GLOBALLY_UNIQUE_NAME</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Response:</span><span class="w"> </span><span class="mi">2021-06-15</span><span class="w"> </span><span class="mi">15</span><span class="err">:</span><span class="mi">13</span><span class="err">:</span><span class="mi">33</span><span class="w"> </span><span class="mi">612870</span><span class="w"> </span><span class="err">mountains.jpg</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">As</span><span class="w"> </span><span class="err">the</span><span class="w"> </span><span class="err">restricted</span><span class="w"> </span><span class="err">user</span><span class="w"> </span><span class="err">aws</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="w"> </span><span class="err">ls</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="err">://YOUR_GLOBALLY_UNIQUE_NAME</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Response:</span><span class="w"> </span><span class="err">An</span><span class="w"> </span><span class="err">error</span><span class="w"> </span><span class="err">occurred</span><span class="w"> </span><span class="err">(AccessDenied)</span><span class="w"> </span><span class="err">when</span><span class="w"> </span><span class="err">calling</span><span class="w"> </span><span class="err">the</span><span class="w"> </span><span class="err">ListObjectsV</span><span class="mi">2</span><span class="w"> </span><span class="err">operation:</span><span class="w"> </span><span class="err">Access</span><span class="w"> </span><span class="err">Denied</span><span class="w"> </span></code></pre> </div> <p>As you can see, the restricted user does not have permission to list the objects in the bucket. To fix this you could use either Identity-based policies or resource-based policies (or both, but that would be redundant). Let’s go ahead and create a resource-based policy. To do this, we could use the console, but let’s use the <a href="https://awspolicygen.s3.amazonaws.com/policygen.html"><strong>AWS Policy Generator</strong></a> instead.</p> <p>Go to the AWS console and select the bucket you created earlier. Next go to permissions, choose bucket policy, and then edit and policy generator. After filling the template click Add Statement and then Generate policy.</p> <p>In this case I’ve chosen a bucket policy, because I know that I will add more users in the future.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--v9Oe8pxb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://sonalake.com/wp-content/uploads/2021/08/IAM-adding-statements.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--v9Oe8pxb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://sonalake.com/wp-content/uploads/2021/08/IAM-adding-statements.png" alt=""></a></p> <p>Copy and paste policy to bucket settings<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Policy1624125393305"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Stmt1624125391986"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::YOUR_GLOBALLY_UNIQUE_NAME"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:iam::ACCOUNT_ID:user/read-only-console-user"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Sometimes you have to wait a bit for the policy to kick in. Now you should be able to list content of your bucket.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">aws</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="w"> </span><span class="err">ls</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="err">://YOUR_GLOBALLY_UNIQUE_NAME</span><span class="w"> </span><span class="err">#Response:</span><span class="w"> </span><span class="mi">2021-06-15</span><span class="w"> </span><span class="mi">15</span><span class="err">:</span><span class="mi">13</span><span class="err">:</span><span class="mi">33</span><span class="w"> </span><span class="mi">612870</span><span class="w"> </span><span class="err">mountains.jpg</span><span class="w"> </span></code></pre> </div> <p>What will happen when we explicitly deny something? Remember that IAM is very strict. Explicit denial is a real, true, strict rejection and it doesn’t matter whether you allowed something earlier. When you say you want to block it, it’s blocked.</p> <p>The easiest way to check it is to add resource-based policy to our bucket.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Policy1623531542448"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Stmt1623531541369"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::YOUR_GLOBALLY_UNIQUE_NAME"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Let’s test it<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#IAM</span><span class="w"> </span><span class="err">Admin</span><span class="w"> </span><span class="err">bucket</span><span class="w"> </span><span class="err">perspective</span><span class="w"> </span><span class="err">aws</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="w"> </span><span class="err">ls</span><span class="w"> </span><span class="err">s</span><span class="mi">3</span><span class="err">://YOUR_GLOBALLY_UNIQUE_NAME</span><span class="w"> </span><span class="err">#Response:</span><span class="w"> </span><span class="err">An</span><span class="w"> </span><span class="err">error</span><span class="w"> </span><span class="err">occurred</span><span class="w"> </span><span class="err">(AccessDenied)</span><span class="w"> </span><span class="err">when</span><span class="w"> </span><span class="err">calling</span><span class="w"> </span><span class="err">the</span><span class="w"> </span><span class="err">ListObjectsV</span><span class="mi">2</span><span class="w"> </span><span class="err">operation:</span><span class="w"> </span><span class="err">Access</span><span class="w"> </span><span class="err">Denied</span><span class="w"> </span></code></pre> </div> <p>Remember, You can always simulate your calls in the IAM console like in this screenshot. It’s safer especially in production environments. This simulator takes into account already set identity-based, resource-based policies. That’s why I used an already created bucket and not a fake one.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--v-2HOhdc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://sonalake.com/wp-content/uploads/2021/08/IAM-policy-simulator.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--v-2HOhdc--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://sonalake.com/wp-content/uploads/2021/08/IAM-policy-simulator.png" alt=""></a></p> <p>Yet I think that testing it manually is much more fun even though it’s much more dangerous. Don’t you think?</p> <p>If you wonder, You can brick your access to the bucket even for IAM Admin by attaching this policy.</p> <p>WARNING: Don’t try this at home!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Policy1623526933543"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Stmt1623526931104"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::YOUR_GLOBALLY_UNIQUE_NAME"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then you would need to switch to the root account and remove this policy.</p> <h2> Final words </h2> <p>Policies can be quite tricky but they are also very powerful. I hope this post served as a useful introduction to some of the concepts. For more information be sure to check out the <a href="https://docs.aws.amazon.com/iam/index.html"><strong>AWS Identity and Access Management documentation</strong></a>. It’s really good and It has helped me a lot many times. Have fun!</p> aws devops