Create IAM Policy

As outlined in the previous section, the policies are divided into 5 different functions; if you want, you can edit and combine them to suit the practical requirements you are aiming for or want to apply.

In addition, this exercise restricts the policies to the following AWS Regions by default, so that the Region condition reinforces the Resource Tag conditions.

  • us-east-1 (Northern Virginia)
  • us-west-1 (Northern California)

Steps to create IAM Policy

  1. Log in to the AWS Management Console and open the IAM Management Console.
  2. In the left-hand navigation bar, select Policies and click the Create policy button.
  3. In the new creation screen, select JSON and fill in the policy specification.

    • In this example, we use the ec2-list-read policy shown below.
    • Select Next: Tags.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ec2listread",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:Get*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-west-1"
                    ]
                }
            }
        }
    ]
}

  4. Leave the default configuration and select Next: Review.
  5. Fill in the name along with a specific description.

    • Name: ec2-list-read
    • Description: ec2-list-read
    • Proceed to create by clicking Create Policy.

  6. The policy is created successfully.

Policy - ec2-create-tags

  1. In the left-hand navigation bar, select Policies and click the Create policy button.
  2. In the new creation screen, select JSON and fill in the policy specification. In this example, we use the ec2-create-tags policy shown below.
  3. Select Next: Tags.
  4. Leave the default configuration and select Next: Review.
  5. Information:
    • Name: ec2-create-tags
    • Description: ec2-create-tags
    • Description: This policy allows tags to be created on EC2 resources, on the condition that it happens while we are creating an EC2 instance (the ec2:CreateAction condition is RunInstances).
    • Proceed to create by clicking Create Policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ec2createtags",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

  6. The policy is created successfully.

Policy - ec2-create-tags-existing

Information:

  • Name: ec2-create-tags-existing
  • Description: ec2-create-tags-existing
  • Description: This policy allows users to assign tags to existing EC2 resources when all three conditions are met:
    • The EC2 resource already carries the tag pair "Key=Team,Value=Alpha" (ec2:ResourceTag/Team)
    • The tag keys in the request are limited to Team and Name (aws:TagKeys)
    • If the request sets the Team tag, it must be the pair "Key=Team,Value=Alpha" (aws:RequestTag/Team)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ec2createtagsexisting",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Team": "Alpha"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Team",
                        "Name"
                    ]
                },
                "StringEqualsIfExists": {
                    "aws:RequestTag/Team": "Alpha"
                }
            }
        }
    ]
}

Policy - ec2-run-instances

Information:

  • Name: ec2-run-instances
  • Description: ec2-run-instances
  • Description: This policy is divided into 2 statements:
  • First statement: Allows creation of EC2 instances if and only if the conditions on AWS Regions and Resource Tags are satisfied.
  • Second statement: Allows the related resources (subnet, key pair, snapshot, launch template, volume, security group, placement group, network interface, image) to be used or created as part of launching the EC2 instance, with a condition on AWS Regions only.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ec2runinstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-west-1"
                    ],
                    "aws:RequestTag/Team": "Alpha"
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": [
                        "Name",
                        "Team"
                    ]
                }
            }
        },
        {
            "Sid": "ec2runinstancesother",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*::snapshot/*",
                "arn:aws:ec2:*:*:launch-template/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:placement-group/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*::image/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-west-1"
                    ]
                }
            }
        }
    ]
}
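To see how the condition operators in ec2-create-tags-existing and ec2-run-instances interact, here is an added example (written for this page, not part of the workshop or of any AWS library) that models the three operators those policies use and evaluates a constructed request context against their condition blocks. It leaves out Resource ARN matching and explicit Deny statements, and the names is_allowed and _block_matches are assumptions of this example.

```python
import fnmatch

# Condition blocks copied from the two policies on this page. Resource ARN
# matching is left out; the workshop uses "*" or wildcard ARNs there.
RUN_INSTANCES = {"Statement": [{
    "Effect": "Allow", "Action": "ec2:RunInstances",
    "Condition": {
        "StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-1"],
                         "aws:RequestTag/Team": "Alpha"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Name", "Team"]}}}]}

CREATE_TAGS_EXISTING = {"Statement": [{
    "Effect": "Allow", "Action": "ec2:CreateTags",
    "Condition": {
        "StringEquals": {"ec2:ResourceTag/Team": "Alpha"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Team", "Name"]},
        "StringEqualsIfExists": {"aws:RequestTag/Team": "Alpha"}}}]}

def _block_matches(operator, wanted, ctx):
    """Evaluate one condition-operator block against a request context dict."""
    for key, expected in wanted.items():
        allowed = expected if isinstance(expected, list) else [expected]
        if operator == "ForAllValues:StringEquals":
            # Every value of the multi-valued key (aws:TagKeys, a list) must be
            # allowed. An absent or empty key is vacuously true, as in IAM.
            if not all(v in allowed for v in ctx.get(key, [])):
                return False
        elif operator == "StringEqualsIfExists":
            # Only enforced when the key is present in the request.
            if key in ctx and ctx[key] not in allowed:
                return False
        elif operator == "StringEquals":
            # Key must be present and match; a missing key fails the condition.
            if key not in ctx or ctx[key] not in allowed:
                return False
        else:
            raise ValueError(f"operator not modelled: {operator}")
    return True

def is_allowed(policy, action, ctx):
    """True if an Allow statement covers `action` and all its conditions hold."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        if all(_block_matches(op, w, ctx) for op, w in stmt.get("Condition", {}).items()):
            return True
    return False  # no matching Allow: implicit deny
```

A launch request carrying aws:RequestedRegion us-east-1, aws:RequestTag/Team Alpha and aws:TagKeys [Name, Team] is allowed by RUN_INSTANCES, while the same request with a third tag key, or with no tags at all, is denied; the second case shows why the StringEquals on aws:RequestTag/Team is needed alongside the vacuously-true ForAllValues check.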

Policy - ec2-manage-instances

Information:

  • Name: ec2-manage-instances
  • Description: ec2-manage-instances
  • Description: This policy allows performing basic operations (reboot, terminate, start, stop) on EC2 instances, provided that the AWS Region and Resource Tag conditions are met.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ec2manageinstances",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Team": "Alpha",
                    "aws:RequestedRegion": [
                        "us-east-1",
                        "us-west-1"
                    ]
                }
            }
        }
    ]
}

Once done, you will have 5 EC2 policies listed in the Policies console: ec2-list-read, ec2-create-tags, ec2-create-tags-existing, ec2-run-instances and ec2-manage-instances.