Policies in AWS (2) AWS image 1

Policies in AWS (2)

Yesterday I published a blog about AWS policies. We used the IAM wizard to create a policy. When you try to use this policy with the users we created, you will get errors like these when you go to ECS, and try to create (for example) an ECS-cluster:

Policies in AWS (2) IAM cloudwatch
Policies in AWS (2) IAM 35

This is not as strange as it might seem: ECS uses other AWS services to do its task. But fortunately, there is a default AWS policy to grant all permissions for ECS.

Go to IAM, Policies and search for ECS. We need an ECS role where we have all ECS permissions, so click on AmazonECS_FullAccess.

Policies in AWS (2) IAM policy ECS Full Access

When you click on JSON, you see a very long list of permissions that are required for using ECS:

Policies in AWS (2) IAM policy ECS Full Access json

Now, copy the whole JSON and put it in a text editor. When you look to this JSON, you see that there are no restrictions on region. The policy is divided in several parts: the first one doesn’t have any restriction at all about the resource. This means, that you allow people to create security groups, but also delete existing VPC’s (virtual networks). For me, this isn’t a problem, because I will deny access to regions where I have other VPC’s. In fact, in my workshop I will use a region where nothing is defined yet.

Policies in AWS (2) IAM first part 1

(please mind, that the brackets and the dots […] are put there by me, it’s not part of the policy itself)

In other parts of this policies, there are restrictions, f.e. in the names of the resources:

Policies in AWS (2) IAM policy ECS Full Access json with restr

For our goal, we need to add the region restriction to all these parts. There is one catch, though: some AWS services are global, for example IAM and Route53. You cannot restrict the region here; you will have to split up the first block in services that are global and services that are region dependent. The full policy can be found in the appendix of this blog and in my github repository as well [1].

Now we have the changed policy, go to IAM > Policies and search for ECS. Then click on ECSWorkshop:

Policies in AWS (2) IAM open ECSWorkshop

Click on the Edit policy button, and then on JSON:

Policies in AWS (2) IAM Edit policy
Policies in AWS (2) IAM Edit policy JSON 1

Now, copy and paste the text that you have in your text editor to this window and click on the Review policy button:

Policies in AWS (2) IAM paste 2

Click on the Save changes button to save this policy:

Policies in AWS (2) iam save changes 1

Other changes

When you have this policy, it’s time to test. Go to all the services that are in the list and try to create resources. Is it possible to use resources that are well beyond the scope of the workshop? In my case, I tried to launch an i3en.metal virtual machine using EC2 – which was possible. I think the users of my workshop don’t need such an expensive type of virtual machines, I therefore limited the types that can be used (see f.e. this site [2] for inspiration) to only the default that the EC2 wizard will show, m5a.large.

When I tried to add that part to my policy, the policy became too long (> 6144 characters). I therefore had to use two policies: one for the ECSWorkshop (see above), another one called “EC2LimitToM5ALarge”: this will limit the creation of EC2 instances and autoscaling instances to m2a.large (which is the smallest type that can be choosed in the ECS wizard). You can connect multiple policies to one group, deny will take precedence above allow. Go to IAM > Groups, edit the ECSWorkshop group, and click on the button “Attach Policy”:

Policies in AWS (2) iam attach policy

Both polities are at the end of this blog and in my github repository.

Conclusion

Once you know where to look, creating a new policy, group and new users isn’t that hard in AWS. It can be hard to find back your own policy in the list of both AWS policies and your own policies. Try to use a strict naming convention and document the policies you add to your environment.

Curious what I will tell during the workshop? I wrote another AMIS blog about that [3].

Footnotes

[1] https://technology.amis.nl/2020/03/07/creating-policys-groups-and-users-in-aws/

[2] https://github.com/FrederiqueRetsema/AMIS-Blog-AWS

[3] https://blog.vizuri.com/limiting-allowed-aws-instance-type-with-iam-policy

Appendix: ECSWorkshop policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "route53:GetHostedZone",
                "route53:ListHostedZonesByName",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:GetHealthCheck"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget",
                "appmesh:ListMeshes",
                "appmesh:ListVirtualNodes",
                "appmesh:DescribeVirtualNode",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:Describe*",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStack*",
                "cloudformation:UpdateStack",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:PutMetricAlarm",
                "codedeploy:CreateApplication",
                "codedeploy:CreateDeployment",
                "codedeploy:CreateDeploymentGroup",
                "codedeploy:GetApplication",
                "codedeploy:GetDeployment",
                "codedeploy:GetDeploymentGroup",
                "codedeploy:ListApplications",
                "codedeploy:ListDeploymentGroups",
                "codedeploy:ListDeployments",
                "codedeploy:StopDeployment",
                "codedeploy:GetDeploymentTarget",
                "codedeploy:ListDeploymentTargets",
                "codedeploy:GetDeploymentConfig",
                "codedeploy:GetApplicationRevision",
                "codedeploy:RegisterApplicationRevision",
                "codedeploy:BatchGetApplicationRevisions",
                "codedeploy:BatchGetDeploymentGroups",
                "codedeploy:BatchGetDeployments",
                "codedeploy:BatchGetApplications",
                "codedeploy:ListApplicationRevisions",
                "codedeploy:ListDeploymentConfigs",
                "codedeploy:ContinueDeployment",
                "sns:ListTopics",
                "lambda:ListFunctions",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CancelSpotFleetRequests",
                "ec2:CreateInternetGateway",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateVpc",
                "ec2:DeleteLaunchTemplate",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:Describe*",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:RunInstances",
                "ec2:RequestSpotFleet",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTargetGroups",
                "ecs:*",
                "events:DescribeRule",
                "events:DeleteRule",
                "events:ListRuleNamesByTarget",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "logs:CreateLogGroup",
                "logs:DescribeLogGroups",
                "logs:FilterLogEvents",
                "servicediscovery:CreatePrivateDnsNamespace",
                "servicediscovery:CreateService",
                "servicediscovery:GetNamespace",
                "servicediscovery:GetOperation",
                "servicediscovery:GetService",
                "servicediscovery:ListNamespaces",
                "servicediscovery:ListServices",
                "servicediscovery:UpdateService",
                "servicediscovery:DeleteService"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteInternetGateway",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/aws:cloudformation:stack-name": "EC2ContainerService-*"
                },
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        },
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "ecs-tasks.amazonaws.com"
                },
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        },
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:role/ecsInstanceRole*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com",
                        "ec2.amazonaws.com.cn"
                    ]
                },
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        },
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:role/ecsAutoscaleRole*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "application-autoscaling.amazonaws.com",
                        "application-autoscaling.amazonaws.com.cn"
                    ]
                },
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": [
                        "ecs.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "ecs.application-autoscaling.amazonaws.com",
                        "autoscaling.amazonaws.com"
                    ]
                },
                "StringEquals": {
                    "aws:RequestedRegion": "eu-central-1"
                }
            }
        }
    ]
}

Appendix: EC2LimitToM5ALarge policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringNotEquals": {
                    "ec2:InstanceType": [
                        "m5a.large"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAnyValue:StringNotEquals": {
                    "autoscaling:InstanceType": [
                        "m5a.large"
                    ]
                }
            }
        }
    ]
}