1
00:00:00,150 --> 00:00:01,359
So let's do a deep dive

2
00:00:01,359 --> 00:00:04,240
into IAM roles and policies.

3
00:00:04,240 --> 00:00:09,240
These policies are attached to my IAM role, MyFirstEC2Role

4
00:00:10,410 --> 00:00:13,350
and so there are different components to policies.

5
00:00:13,350 --> 00:00:17,500
As we can see, there is an attached policy that can be managed.

6
00:00:17,500 --> 00:00:19,270
Or you can create your own.

7
00:00:19,270 --> 00:00:21,010
So if you go to the policy tab,

8
00:00:21,010 --> 00:00:23,700
we can see that all these policies are AWS managed,

9
00:00:23,700 --> 00:00:25,710
that means they will get updated over time,

10
00:00:25,710 --> 00:00:28,810
but you can also create your own policy.

11
00:00:28,810 --> 00:00:30,330
And when you create your own policy,

12
00:00:30,330 --> 00:00:31,710
you can choose a service, actions,

13
00:00:31,710 --> 00:00:34,120
resources and request conditions.

14
00:00:34,120 --> 00:00:36,150
You can also import managed policies and so on.

15
00:00:36,150 --> 00:00:39,950
So it is very much possible for your infrastructure

16
00:00:39,950 --> 00:00:43,730
and your organization to create your own set of policies.

17
00:00:43,730 --> 00:00:46,660
Now there is also another subtlety you can do,

18
00:00:46,660 --> 00:00:49,380
which is that when you go to your EC2 role,

19
00:00:49,380 --> 00:00:51,970
you can add an inline policy.

20
00:00:51,970 --> 00:00:54,280
Inline policies are basically policies that are going

21
00:00:54,280 --> 00:00:57,740
to be added inline, so that means on top of

22
00:00:57,740 --> 00:00:59,680
whatever you've already chosen,

23
00:00:59,680 --> 00:01:01,330
and it turns out that these policies

24
00:01:01,330 --> 00:01:04,780
cannot be added to other roles.

25
00:01:04,780 --> 00:01:06,840
Okay, so this is basically saying

26
00:01:06,840 --> 00:01:09,140
this policy is just for that role.

27
00:01:09,140 --> 00:01:12,040
Overall, I don't really recommend using inline policies,

28
00:01:12,040 --> 00:01:14,930
it's always better to manage policies globally,

29
00:01:14,930 --> 00:01:16,779
just to get a better management view.

30
00:01:16,779 --> 00:01:18,900
So now how do we create these policies

31
00:01:18,900 --> 00:01:20,820
and how do we analyze them?

32
00:01:20,820 --> 00:01:25,080
Well, let's look at the AmazonS3ReadOnlyAccess.

33
00:01:25,080 --> 00:01:28,240
It turns out that it gives you a policy summary,

34
00:01:28,240 --> 00:01:29,840
which is a nice little table,

35
00:01:29,840 --> 00:01:32,150
or you can get a JSON document.

36
00:01:32,150 --> 00:01:33,820
So if you look at the policy summary,

37
00:01:33,820 --> 00:01:38,820
it says that on S3, you get full read and limited list.

38
00:01:39,111 --> 00:01:42,010
Okay, let's have a look at the JSON.

39
00:01:42,010 --> 00:01:46,670
And it looks like, yes, we're allowed to perform actions,

40
00:01:46,670 --> 00:01:51,670
which are Get something or List something on Resource star.

41
00:01:52,120 --> 00:01:54,600
And basically that says that you are able,

42
00:01:54,600 --> 00:01:58,540
for any Amazon S3 resource, to perform API calls

43
00:01:58,540 --> 00:02:02,310
that start with the name Get something or List something.

44
00:02:02,310 --> 00:02:03,560
So how does that work?

45
00:02:03,560 --> 00:02:05,410
Well, let's type AWS S3 ListBucket API

46
00:02:09,820 --> 00:02:14,410
and now we get basically a ListBucket API right here.

47
00:02:14,410 --> 00:02:15,610
And so if we look at it,

48
00:02:15,610 --> 00:02:19,440
the name of the API is ListBucket.

49
00:02:19,440 --> 00:02:22,760
And so this is why we have List star.

50
00:02:22,760 --> 00:02:25,560
But there's a bunch of List operations you can do

51
00:02:25,560 --> 00:02:27,990
on AWS, obviously.

52
00:02:27,990 --> 00:02:32,050
Same for Get, we can do GetObject or GetBucket and so on.

53
00:02:32,050 --> 00:02:36,020
Now if we look at the AmazonS3FullAccess instead,

54
00:02:36,020 --> 00:02:37,960
well, the JSON document this time

55
00:02:37,960 --> 00:02:42,960
allows s3 star, so that means any API call on s3 is allowed,

56
00:02:43,350 --> 00:02:46,060
and Resource star means anything you want.

57
00:02:46,060 --> 00:02:47,820
So the idea is that you are able,

58
00:02:47,820 --> 00:02:50,740
through this JSON document, to specify what you want.

59
00:02:50,740 --> 00:02:55,040
But how do we know exactly how to make this JSON document?

60
00:02:55,040 --> 00:02:58,680
Well, let's give it a go and create our own policy.

61
00:02:58,680 --> 00:03:03,030
So I'll create a policy and I'll say this is a policy

62
00:03:03,030 --> 00:03:04,950
that we'll all just practice on.

63
00:03:04,950 --> 00:03:06,860
So, we need to choose a service, and we can get

64
00:03:06,860 --> 00:03:09,870
a visual editor or a JSON editor.

65
00:03:09,870 --> 00:03:12,520
This one is basically when you want to type it all out

66
00:03:12,520 --> 00:03:14,610
or copy and paste something from the web,

67
00:03:14,610 --> 00:03:17,360
and this one is where you want to just click

68
00:03:17,360 --> 00:03:18,970
and choose whatever you want.

69
00:03:18,970 --> 00:03:20,040
So let's choose a service.

70
00:03:20,040 --> 00:03:22,120
For example, we'll choose Amazon S3,

71
00:03:22,120 --> 00:03:24,020
because we've been working with it.

72
00:03:24,020 --> 00:03:26,830
And then here it gives me all the actions

73
00:03:26,830 --> 00:03:28,260
that are allowed in S3.

74
00:03:28,260 --> 00:03:29,750
So I can say all S3 actions,

75
00:03:29,750 --> 00:03:31,590
which is S3 star, we've seen this.

76
00:03:31,590 --> 00:03:35,127
Or we can say List, Read, Write, or Permissions management.

77
00:03:35,127 --> 00:03:37,500
And if we drill down into something,

78
00:03:37,500 --> 00:03:39,660
we can see that within each, Read for example,

79
00:03:39,660 --> 00:03:41,810
we get all the different

80
00:03:41,810 --> 00:03:43,410
operations one can be allowed.

81
00:03:43,410 --> 00:03:46,317
So maybe we only want to allow GetObject

82
00:03:47,200 --> 00:03:49,620
and that's it, so I just ticked this one.

83
00:03:49,620 --> 00:03:51,050
But if I wanted to click on Read,

84
00:03:51,050 --> 00:03:55,116
then you would select all 31 possible API calls from it.

85
00:03:55,116 --> 00:03:57,770
Same for List, et cetera, et cetera.

86
00:03:57,770 --> 00:04:02,040
So for this, let's just allow GetObject, that sounds right.

87
00:04:02,040 --> 00:04:05,370
Okay, now we can choose resources.

88
00:04:05,370 --> 00:04:08,660
And so, when we scroll down, we click on resources,

89
00:04:08,660 --> 00:04:11,470
and it says, okay, what are you allowed to read?

90
00:04:11,470 --> 00:04:13,050
You're allowed to read either

91
00:04:13,050 --> 00:04:16,579
a specific bucket or all resources.

92
00:04:16,579 --> 00:04:19,410
All resources is the star we've seen before.

93
00:04:19,410 --> 00:04:22,830
But we can also be specific and add an ARN.

94
00:04:22,830 --> 00:04:25,580
So to add an ARN, we can look at the ARN we have

95
00:04:25,580 --> 00:04:28,580
for our buckets and we can basically say,

96
00:04:28,580 --> 00:04:31,437
okay, the bucket name is thebucketofstephane

97
00:04:32,700 --> 00:04:35,000
and we can tick "Any" here,

98
00:04:35,000 --> 00:04:37,730
which would basically change the bucket name to star.

99
00:04:37,730 --> 00:04:41,460
So we'll just leave it as thebucketofstephane,

100
00:04:41,460 --> 00:04:43,990
and for the object name we can also click here

101
00:04:43,990 --> 00:04:47,200
saying "Any", star, and we've just added a slash star right here.

102
00:04:47,200 --> 00:04:49,650
We'll click on Add and here basically I've created

103
00:04:49,650 --> 00:04:51,370
a policy just for this.

104
00:04:51,370 --> 00:04:53,750
Then you can specify conditions, they're optional

105
00:04:53,750 --> 00:04:54,780
and they basically allow you

106
00:04:54,780 --> 00:04:56,530
to drill down into the policies.

107
00:04:56,530 --> 00:04:58,200
For now we won't need them.

108
00:04:58,200 --> 00:05:00,747
You can add additional permissions, if you wanted to.

109
00:05:00,747 --> 00:05:03,160
But we actually don't need it, so we'll remove it.

110
00:05:03,160 --> 00:05:05,024
And we'll review the policy.

111
00:05:05,024 --> 00:05:08,760
Now it turns out I give read access on this resource

112
00:05:08,760 --> 00:05:10,800
for these conditions, so I'll just call this

113
00:05:10,800 --> 00:05:12,350
MyTestS3Manage, no, CustomPolicy,

114
00:05:17,130 --> 00:05:18,793
and we'll click on Create policy.

115
00:05:21,100 --> 00:05:23,630
And now we can click on this policy itself

116
00:05:23,630 --> 00:05:25,330
and we can even look at the JSON.

117
00:05:25,330 --> 00:05:28,400
And so the JSON was generated using the visual editor.

118
00:05:28,400 --> 00:05:33,400
And we can see that we allow s3:GetObject on this resource.

119
00:05:34,230 --> 00:05:37,050
So this visual editor is actually quite nice.

120
00:05:37,050 --> 00:05:38,850
There's another one you may need to be aware of.

121
00:05:38,850 --> 00:05:43,000
It's called AWS Policy Generator, and just Google it.

122
00:05:43,000 --> 00:05:46,100
And you get the first link and this is basically something

123
00:05:46,100 --> 00:05:48,480
just like that: you can choose a policy type.

124
00:05:48,480 --> 00:05:52,440
So for us it was IAM policy and we can say,

125
00:05:52,440 --> 00:05:56,600
okay, we want to Allow on the service S3 the action,

126
00:05:56,600 --> 00:05:58,270
and here we get all the actions we want.

127
00:05:58,270 --> 00:06:01,790
So, GetObject is what we had.

128
00:06:01,790 --> 00:06:05,360
On the ARN I'll just leave star for now to make it simple.

129
00:06:05,360 --> 00:06:08,230
We click on Add Statement and then Generate Policy

130
00:06:08,230 --> 00:06:11,210
and this gives us a JSON of what we need.

131
00:06:11,210 --> 00:06:13,430
So these two tools are very similar,

132
00:06:13,430 --> 00:06:17,040
they are both created by AWS, so now I think Amazon

133
00:06:17,040 --> 00:06:20,300
most likely wants you to use the visual editor

134
00:06:20,300 --> 00:06:22,040
we've had in the IAM console.

135
00:06:22,040 --> 00:06:23,710
But just so you know, there is also

136
00:06:23,710 --> 00:06:25,940
this policy generator tool right here.

137
00:06:25,940 --> 00:06:28,620
So from this, you're able to create your policies.

138
00:06:28,620 --> 00:06:30,070
The advantage of creating policies here

139
00:06:30,070 --> 00:06:32,650
is that you can see who is using it

140
00:06:32,650 --> 00:06:34,940
and the version, so you can basically add versions

141
00:06:34,940 --> 00:06:38,910
of that policy to make sure that you can always roll back

142
00:06:38,910 --> 00:06:41,140
to a previous version if it was too permissive,

143
00:06:41,140 --> 00:06:42,720
or you get to track as well

144
00:06:42,720 --> 00:06:44,880
all the versions you've ever created.

145
00:06:44,880 --> 00:06:47,070
Coming back to our roles, we can go

146
00:06:47,070 --> 00:06:48,605
and look at our first role, and I'll just close this,

147
00:06:48,605 --> 00:06:52,588
click on our first role, and we can attach our policy,

148
00:06:52,588 --> 00:06:54,500
and the one we just created I think was called

149
00:06:54,500 --> 00:06:57,670
test something, my test custom S3 policy,

150
00:06:57,670 --> 00:07:01,600
and this type is customer managed, and we can attach it.

151
00:07:01,600 --> 00:07:05,270
So here we go, now our S3 EC2 role

152
00:07:05,270 --> 00:07:07,490
only has these three things.

153
00:07:07,490 --> 00:07:09,210
And so because I managed this one,

154
00:07:09,210 --> 00:07:11,770
I'm actually able to probably make it more specific

155
00:07:11,770 --> 00:07:13,770
to my EC2 instance and it's probably

156
00:07:13,770 --> 00:07:15,450
going to be better security.

157
00:07:15,450 --> 00:07:18,438
So that's basically it for creating policies.

158
00:07:18,438 --> 00:07:21,613
In the next lecture, I'll just show you how to test them.