Manage IAM User Policies

Create an IAM User Policy

The creation of IAM user policies is outside the scope of this guide. IAM user policies should be designed to suit your specific organisation's needs.

To help you get started, here are links to some examples and reference information.

Attach a Policy to an IAM User

Once you have created an IAM policy, you need to attach it to your IAM user.

Follow these steps:

1. Use this command to attach the policy:

aws --endpoint-url https://iam.vault.net.nz iam put-user-policy --user-name example-user --policy-name example-policy --policy-document file://example.json

Note: In this example, the example.json file is in the current working directory.

2. List the attached IAM policies to verify that the policy was applied (see the next section).

List the Attached IAM Policies

To list the policies currently attached to an IAM user, use this command (note that the IAM service name must be given before the subcommand):

aws --endpoint-url https://iam.vault.net.nz iam list-user-policies --user-name example-user

Examples of IAM Policies

The example JSON documents listed below can be modified to create IAM policies that restrict user permissions and secure your Vault v2 account.

Important: The policies listed below are examples only. They should be modified before they are applied to your Vault v2 IAM users.

Examples:

Write-Only for All Buckets:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:HeadObject",
        "s3:ListBucket",
        "s3:AbortMultipartUpload",
        "s3:PutBucketCORS",
        "s3:PutBucketLogging",
        "s3:PutBucketNotification",
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutBucketRequestPayment",
        "s3:PutBucketTagging",
        "s3:PutBucketVersioning",
        "s3:PutBucketWebsite",
        "s3:PutEncryptionConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:PutReplicationConfiguration",
        "s3:RestoreObject"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}

Read-Only for All Buckets:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:HeadObject",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetReplicationConfiguration",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}

All Actions for a Single Bucket (both the bucket ARN and the object ARN are scoped to example-bucket; an object resource of "arn:aws:s3:::*/*" would grant s3:* on the objects in every bucket):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
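Before attaching a policy with put-user-policy, it is worth checking locally that a policy meant for one bucket really stays within that bucket. The following Python checker is an added example, not CCL's tooling; find_overbroad_statements, bucket_of and the sample policy document are my own constructions.

```python
import json

# Actions that legitimately need Resource "*" (account level) and are not flagged.
# Assumption: only s3:ListAllMyBuckets is treated this way here.
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def bucket_of(resource):
    """Bucket named by an S3 ARN; '*' when the ARN is not tied to one bucket."""
    if not resource.startswith(S3_ARN_PREFIX):
        return "*"                      # bare "*" or a non-S3 ARN
    return resource[len(S3_ARN_PREFIX):].split("/", 1)[0]


def find_overbroad_statements(policy, allowed_bucket):
    """Sids of Allow statements whose Resource reaches outside allowed_bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue                    # Deny statements only narrow access
        actions = set(_as_list(stmt.get("Action", [])))
        if actions and actions <= ACCOUNT_LEVEL_ACTIONS:
            continue                    # e.g. ListAllMyBuckets needs Resource "*"
        for res in _as_list(stmt.get("Resource", [])):
            if bucket_of(res) != allowed_bucket:
                findings.append(stmt.get("Sid", "<no Sid>"))
                break                   # one finding per statement is enough
    return findings


# Constructed sample: a "single bucket" policy whose object-level resource was
# left as */*, which silently grants s3:* on the objects in every bucket.
SINGLE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::*/*"]}
  ]
}""")

if __name__ == "__main__":
    bad = find_overbroad_statements(SINGLE_BUCKET_POLICY, "example-bucket")
    print("overbroad statements:", bad)   # ['VisualEditor1']
```

Point the script at the file you intend to pass as --policy-document and treat any reported Sid as a resource list to tighten before running put-user-policy.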


Example of a Bucket Policy

An example of the JSON for a bucket policy is set out below. Please contact CCL for the internet-facing IP addresses that can be used to block access to your Vault v2 buckets from internet-facing endpoints.

Important: The policy listed below is an example only. It should be modified before it is applied to your Vault v2 buckets.

Block Internet Access for All Buckets:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Action": "s3:*",
      "Effect": "Deny",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "10.xxx.xxx.7/32",
            "10.xxx.xxx.7/32"
          ]
        }
      }
    }
  ]
}