Bootstrap FreeKB - Amazon Web Services (AWS) - Understanding Policies

A policy is a control, somewhat like a firewall rule, that allows or denies principals the ability to perform certain actions. For example, a policy could be used to:

  • Allow users to create an S3 Bucket
  • Deny users from being able to modify a load balancer

Policies are defined in JSON. For example, here is the JSON that would be used to allow users to mount an Elastic File System (EFS) and to add files to it. This is a resource-based policy (an EFS file system policy) rather than a policy attached to a user: the Principal of "*" means any AWS principal, and the Condition on aws:SecureTransport only allows requests that arrive over TLS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientMount"
            ],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0d1500aa4f4b50839",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
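The following Python script is an added example, not code from the FreeKB article. It parses a policy document like the one above and reports the findings a reviewer would care about: an Allow statement whose Principal is "*" with no Condition, one that is open to any principal but does not require TLS via aws:SecureTransport, and Action lists containing wildcards. The finding names and the review_policy helper are my own; the sample policy is the article's JSON copied in as a constructed input. The same check can be run on the JSON that a Terraform aws_iam_policy_document data source renders.

```python
import json

# Constructed sample: the EFS file-system policy from the article above.
EFS_POLICY = r'''{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientMount"],
            "Resource": "arn:aws:elasticfilesystem:us-east-1:123456789012:file-system/fs-0d1500aa4f4b50839",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}}
        }
    ]
}'''


def as_list(value):
    """IAM accepts a scalar or a list in Action/Resource/Principal; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal):
    """True when the statement's Principal grants access to any AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def requires_tls(statement):
    """True when a Bool condition pins aws:SecureTransport to true."""
    cond = statement.get("Condition", {})
    value = cond.get("Bool", {}).get("aws:SecureTransport")
    return value is not None and str(value).lower() == "true"


def review_policy(policy_json):
    """Return a list of (statement label, finding) tuples for risky Allow statements.

    Finding names are this example's own convention (hypothetical), not AWS terms:
      - "open-principal-no-condition": Allow to "*" with no Condition at all
      - "open-principal-no-tls": Allow to "*" that does not require aws:SecureTransport=true
      - "wildcard-action": Allow whose Action list contains "*" or "service:*"
    """
    doc = json.loads(policy_json)
    findings = []
    for i, st in enumerate(as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        label = st.get("Sid", f"Statement[{i}]")
        if principal_is_anyone(st.get("Principal")):
            if not st.get("Condition"):
                findings.append((label, "open-principal-no-condition"))
            elif not requires_tls(st):
                findings.append((label, "open-principal-no-tls"))
        for action in as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((label, "wildcard-action"))
    return findings


def strip_condition(policy_json):
    """Constructed negative case: the same policy with its Condition removed."""
    doc = json.loads(policy_json)
    for st in as_list(doc.get("Statement")):
        st.pop("Condition", None)
    return json.dumps(doc)


if __name__ == "__main__":
    print("original:", review_policy(EFS_POLICY))            # []
    print("no condition:", review_policy(strip_condition(EFS_POLICY)))
```

The article's policy produces no findings because its open Principal is paired with the TLS condition; removing the Condition block turns the same statement into a finding. Identity-based policies have no Principal element, so the principal checks are skipped for them and only the wildcard-action check applies.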


The aws iam attach-user-policy command attaches a managed policy to a user's account. For example, to attach the AWS managed ReadOnlyAccess policy to the user john.doe:

aws iam attach-user-policy --user-name john.doe --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess


The Terraform aws_iam_policy_document data source renders a policy document as JSON that other Terraform resources can consume. For example, the aws_iam_policy_document data source and the aws_efs_file_system_policy resource can be used together to attach the same policy shown above to an Elastic File System (EFS).

resource "aws_efs_file_system" "my-efs" {
  creation_token = "my-efs"
  encrypted      = true

  tags = {
    Name = "my-efs"
    Role = "AWS EFS File Storage"
  }
}

data "aws_iam_policy_document" "efs_policy" {
  statement {
    actions = [
      "elasticfilesystem:ClientMount",
      "elasticfilesystem:ClientWrite",
    ]
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = ["*"]
    }
    resources = [aws_efs_file_system.my-efs.arn]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["true"]
    }
  }
}

resource "aws_efs_file_system_policy" "policy" {
  file_system_id = aws_efs_file_system.my-efs.id
  policy         = data.aws_iam_policy_document.efs_policy.json
}
