Manage IAM User Policies
Topics
- Create an IAM User Policy
- Attach a Policy to an IAM User
- List the Attached IAM User Policies
- Examples of IAM Policies
- Example of a Bucket Policy
The creation of IAM user policies is outside the scope of this guide. IAM user policies should be designed to suit your specific organisation's needs.
To help you get started, here are links to some examples and reference information.
- Examples of IAM Policies
- Example of a Bucket Policy
- AWS documentation: Bucket policies and user policies (Amazon Simple Storage Service)
- AWS Security Blog: Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
- Veeam Knowledge Base KB3151: How to Create Secure IAM Policy for Connection to S3 Object Storage (veeam.com)
Attach a Policy to an IAM User
Once you have created an IAM Policy, you need to attach it to your IAM User.
Follow these steps:
1. Use this command to attach the policy:
aws --endpoint-url https://iam.vault.net.nz iam put-user-policy --user-name example-user --policy-name example-policy --policy-document file://example.json
Note: In this example, the example.json file is in the working directory from which the command is run, so the file:// path is relative to that directory.
2. List the attached IAM policies to verify that the policy was applied.
List the Attached IAM User Policies
To list the policies currently attached to an IAM User, use this command (note the iam service name before the subcommand):
aws --endpoint-url https://iam.vault.net.nz iam list-user-policies --user-name example-user
Examples of IAM Policies
The JSON examples listed below can be modified to create IAM policies that restrict user permissions and secure your Vault v2 account.
Important: The policies listed below are examples only. They should be modified before they are applied to your Vault v2 IAM Users.
Examples:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:HeadObject",
        "s3:ListBucket",
        "s3:AbortMultipartUpload",
        "s3:PutBucketCORS",
        "s3:PutBucketLogging",
        "s3:PutBucketNotification",
        "s3:PutBucketObjectLockConfiguration",
        "s3:PutBucketRequestPayment",
        "s3:PutBucketTagging",
        "s3:PutBucketVersioning",
        "s3:PutBucketWebsite",
        "s3:PutEncryptionConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:PutReplicationConfiguration",
        "s3:RestoreObject"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:HeadObject",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetReplicationConfiguration",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}
All Actions for a Single Bucket (the object resource is scoped to example-bucket/*; a resource of arn:aws:s3:::*/* would grant the same actions on objects in every bucket):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
Example of a Bucket Policy
An example of the JSON for a bucket policy is set out below. Please contact CCL for the Internet-facing IP addresses that can be used to block access to your Vault v2 buckets from Internet-facing endpoints.
Important: The policies listed below are examples only. They should be modified before they are applied to your Vault v2 buckets.
Block Internet Access for All Buckets (the 10.xxx.xxx.7 entries are placeholders to be replaced with the addresses CCL provides):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Action": "s3:*",
      "Effect": "Deny",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "10.xxx.xxx.7/32",
            "10.xxx.xxx.7/32"
          ]
        }
      }
    }
  ]
}
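To check what the IAM policy examples and the bucket policy above actually grant before attaching them, the following Python script is added here as an illustration; it is not code from CCL, Vault v2 or AWS. It implements the core of the IAM evaluation order (an explicit Deny always wins, otherwise a matching Allow grants, otherwise the request is implicitly denied) with the "*" wildcard in Action and Resource and the IpAddress / NotIpAddress conditions on aws:SourceIp, which is all the examples on this page use. The function names (load_policy, evaluate, overbroad_object_grants), the sample policies, the object names and the 203.0.113.0/24 "internet endpoint" range are all constructed for the example; Principal matching is deliberately out of scope (a single caller is assumed).

```python
"""Simplified IAM / bucket policy evaluator (added illustration, not vendor code)."""
import fnmatch
import ipaddress
import json

BUCKET = "example-bucket"  # the bucket the single-bucket policy is meant to cover


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards behave like fnmatch's '*' and '?'; escape '[' so fnmatch
    # bracket expressions are never mistaken for IAM syntax.
    return any(fnmatch.fnmatchcase(value, p.replace("[", "[[]")) for p in _as_list(patterns))


def _condition_holds(condition, context):
    src = context.get("aws:SourceIp")
    for operator, kv in (condition or {}).items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        cidrs = _as_list(kv.get("aws:SourceIp", []))
        in_range = src is not None and any(
            ipaddress.ip_address(src) in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if in_range != (operator == "IpAddress"):
            return False
    return True


def load_policy(text):
    """Parse a policy document (what file://example.json holds) and check its shape."""
    policy = json.loads(text)
    for stmt in _as_list(policy["Statement"]):
        missing = {"Effect", "Action", "Resource"} - set(stmt)
        if missing or stmt["Effect"] not in ("Allow", "Deny"):
            raise ValueError(f"malformed statement {stmt.get('Sid')}: {missing or stmt['Effect']}")
    return policy


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition"), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def overbroad_object_grants(policy, bucket, action="s3:PutObject"):
    """Resources in Allow statements for `action` that also match objects outside `bucket`."""
    probe = f"arn:aws:s3:::not-{bucket}/probe.txt"
    return sorted({r for s in _as_list(policy["Statement"])
                   if s["Effect"] == "Allow" and _matches(s["Action"], action)
                   for r in _as_list(s["Resource"]) if _matches(r, probe)})


# Constructed sample policies; their shape mirrors the examples on this page.
SINGLE_BUCKET = load_policy("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}""")

# The same policy with the object resource left as */*: every object in every bucket.
OVERBROAD = json.loads(json.dumps(SINGLE_BUCKET))
OVERBROAD["Statement"][1]["Resource"][1] = "arn:aws:s3:::*/*"

# Bucket policy denying all requests from a constructed placeholder range standing in
# for the provider's internet-facing endpoint addresses.
BLOCK_INTERNET = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "*", "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/backup.vbk"
    other = "arn:aws:s3:::other-bucket/backup.vbk"
    print("single-bucket, own object:  ", evaluate([SINGLE_BUCKET], "s3:PutObject", obj))
    print("single-bucket, other bucket:", evaluate([SINGLE_BUCKET], "s3:PutObject", other))
    print("overbroad, other bucket:    ", evaluate([OVERBROAD], "s3:PutObject", other))
    print("overbroad resources:        ", overbroad_object_grants(OVERBROAD, BUCKET))
    both = [SINGLE_BUCKET, BLOCK_INTERNET]
    print("from internet endpoint:     ", evaluate(both, "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.10"}))
    print("from internal address:      ", evaluate(both, "s3:GetObject", obj, {"aws:SourceIp": "10.20.30.7"}))
```

Run it against a policy document before put-user-policy: evaluate answers "what would this user be able to do on that object?", and overbroad_object_grants flags a resource such as arn:aws:s3:::*/* that widens a supposedly single-bucket policy to objects in every bucket. Real IAM also evaluates Principal, NotAction/NotResource and many more condition operators, so a policy that passes here should still be checked against the service's own documentation.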