Check Policy
To confirm that the IAM policies behave as intended, we run the tests in the following table, in order:

| Order | Specification | Section |
|-------|---------------|---------|
| 1 | Access to an AWS Region that is not allowed | 5.2.1 |
| 2 | Access to an allowed AWS Region, EC2 service | 5.2.2 |
| 3 | Use a Resource Tag with a value that does not satisfy the condition | 5.2.3 |
| 4 | Edit a Resource Tag to a value that does not satisfy the condition | 5.2.4 |
| 5 | Perform EC2 instance management operations | 5.2.5 |
Let's review a brief description of each IAM policy:
- ec2-list-read: grants read-only permissions on the EC2 service, and only in the us-east-1 and us-west-1 regions.
- ec2-create-tags: allows tags to be created on EC2 resources, but only as part of creating an EC2 instance; the condition is enforced at the moment the instance is launched.
- ec2-create-tags-existing: allows tags to be created on EC2 resources, existing or newly created, if and only if the resource is tagged Key=Team, Value=Alpha.
- ec2-run-instances: allows EC2 instances to be created if and only if both conditions are satisfied: the AWS Region is us-east-1 or us-west-1, and the instance is tagged Key=Team, Value=Alpha. It also allows the related resources that are created together with the instance, subject only to the region condition (us-east-1 or us-west-1).
- ec2-manage-instances: allows the basic instance operations (reboot, terminate, start, stop) on EC2 instances, provided that both the region condition (us-east-1 or us-west-1) and the tag condition (Key=Team, Value=Alpha) are satisfied.
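Before running the five tests against a live account, it helps to see how the conditions in these policies combine: every key inside one `StringEquals` block must match (AND), a key is matched if the context value is any one of the listed values (OR), a condition key that is absent from the request never matches, and a request that no statement allows is implicitly denied. The script below is an added example and is not the article's own code. The policy statements in it are reconstructed from the descriptions above (the article's actual policy JSON is not reproduced here), so every statement, including the exact condition keys `aws:RequestedRegion`, `aws:RequestTag/Team`, `aws:ResourceTag/Team` and `ec2:CreateAction`, is an assumption. The evaluator deliberately ignores resource ARNs, so the per-resource split inside RunInstances (tag condition on the instance, region-only on related resources) is flattened; the authoritative check remains the IAM policy simulator against the real policies.

```python
"""Offline dry run of the region- and Team=Alpha-scoped EC2 policies.

Added example, not the article's own code. The statements are reconstructed
from the prose descriptions; the article's real policy JSON is not shown,
so treat every statement here as an assumption. Only the IAM subset these
policies need is modelled: Allow statements, action wildcards, StringEquals,
implicit deny. Resource ARNs are ignored. Use the IAM policy simulator for
the authoritative check.
"""
import fnmatch

ALLOWED_REGIONS = ["us-east-1", "us-west-1"]
IN_REGION = {"aws:RequestedRegion": ALLOWED_REGIONS}

# Assumed reconstructions of the five policies described in the text.
POLICIES = {
    "ec2-list-read": {
        "Action": ["ec2:Describe*"],
        "Condition": {"StringEquals": dict(IN_REGION)},
    },
    # Tagging is allowed only as part of a RunInstances call.
    "ec2-create-tags": {
        "Action": ["ec2:CreateTags"],
        "Condition": {"StringEquals": {**IN_REGION,
                                       "ec2:CreateAction": "RunInstances",
                                       "aws:RequestTag/Team": "Alpha"}},
    },
    # Retagging existing resources: only Team=Alpha resources, only to Team=Alpha.
    "ec2-create-tags-existing": {
        "Action": ["ec2:CreateTags"],
        "Condition": {"StringEquals": {**IN_REGION,
                                       "aws:ResourceTag/Team": "Alpha",
                                       "aws:RequestTag/Team": "Alpha"}},
    },
    "ec2-run-instances": {
        "Action": ["ec2:RunInstances"],
        "Condition": {"StringEquals": {**IN_REGION,
                                       "aws:RequestTag/Team": "Alpha"}},
    },
    "ec2-manage-instances": {
        "Action": ["ec2:RebootInstances", "ec2:TerminateInstances",
                   "ec2:StartInstances", "ec2:StopInstances"],
        "Condition": {"StringEquals": {**IN_REGION,
                                       "aws:ResourceTag/Team": "Alpha"}},
    },
}


def _string_equals(expected, actual):
    """StringEquals semantics: a context key that is absent never matches."""
    if actual is None:
        return False
    return actual in (expected if isinstance(expected, list) else [expected])


def statement_allows(stmt, action, context):
    """True if the action matches and every condition key is satisfied (AND)."""
    if not any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
        return False
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return all(_string_equals(v, context.get(k)) for k, v in cond.items())


def allowing_policies(action, context):
    """Names of the policies that allow the request; empty list = implicit deny."""
    return [name for name, stmt in POLICIES.items()
            if statement_allows(stmt, action, context)]


def is_allowed(action, context):
    return bool(allowing_policies(action, context))


def run_instances_allowed(region, tags):
    """RunInstances with TagSpecifications is authorised only if both
    ec2:RunInstances and ec2:CreateTags (ec2:CreateAction=RunInstances) pass."""
    ctx = {"aws:RequestedRegion": region}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in tags.items()})
    tagging_ctx = {**ctx, "ec2:CreateAction": "RunInstances"}
    return is_allowed("ec2:RunInstances", ctx) and is_allowed("ec2:CreateTags", tagging_ctx)


if __name__ == "__main__":
    # Constructed requests mirroring the table's five test cases.
    alpha = {"aws:RequestedRegion": "us-west-1", "aws:ResourceTag/Team": "Alpha"}
    cases = [
        ("1 Describe in eu-west-1 (region denied)",
         is_allowed("ec2:DescribeInstances", {"aws:RequestedRegion": "eu-west-1"}), False),
        ("2 Describe in us-east-1",
         is_allowed("ec2:DescribeInstances", {"aws:RequestedRegion": "us-east-1"}), True),
        ("3 RunInstances tagged Team=Beta", run_instances_allowed("us-east-1", {"Team": "Beta"}), False),
        ("3 RunInstances with no Team tag", run_instances_allowed("us-east-1", {}), False),
        ("3 RunInstances tagged Team=Alpha", run_instances_allowed("us-east-1", {"Team": "Alpha"}), True),
        ("4 Retag Alpha instance to Team=Beta",
         is_allowed("ec2:CreateTags", {**alpha, "aws:RequestTag/Team": "Beta"}), False),
        ("5 StopInstances on Alpha instance", is_allowed("ec2:StopInstances", alpha), True),
    ]
    for name, got, want in cases:
        print(f"{name:42} allowed={got!s:5} {'PASS' if got == want else 'FAIL'}")
```

The "no Team tag" case is the one worth remembering: a request that omits the tag entirely is denied just like a request with the wrong value, because `StringEquals` on a missing key evaluates to false. `run_instances_allowed` also shows why the ec2-create-tags policy exists at all: launching a tagged instance is authorised as two actions, `ec2:RunInstances` and an `ec2:CreateTags` carrying `ec2:CreateAction=RunInstances`, and both must be allowed or the launch fails.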