
Create two AWS IAM roles.

Create IAM Roles 2021

IAM (Identity & Access Management)

Let’s create two AWS IAM roles, Easy way!!!

Create AWS IAM Identity Policies
You manage access in AWS by creating policies and attaching them to IAM entities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when a Principal entity (user or role) makes a request.
Identity-based policies are JSON (JavaScript Object Notation) permissions policy documents that you can attach to an identity (user, group of users, or role) to manage access. A JSON policy document includes these elements:
● Optional policy-wide information at the top of the document
● One or more individual statements
Each statement in a policy includes information about a single permission. If a policy includes multiple
statements, AWS applies a logical OR across the statements when evaluating them.
The information in a statement is contained within a series of elements.
1. Version – Specify the version of the policy language that you want to use.
2. Statement – Container for the following elements:
– Sid – Include an optional statement ID to differentiate between your statements.
– Effect – Use Allow or Deny to indicate whether the policy allows or denies access.
– Principal – We will NOT use this element in this lab. The Principal element is used in
resource policy statements to identify the Principal (account, user, role, or federated user)
to which you would like to allow or deny access. This element is NOT used when creating
IAM identity policies. In IAM identity policies the Principal is implied from the user or role
to which the policy is attached.
– Action – Include a list of actions that the policy allows or denies.
– Resource – Specify a list of resources to which the actions apply.
– Condition (Optional) – Specify the circumstances under which the policy grants
permission.
If you want to define more than one permission for an entity (user, group, or role), you can use multiple statements in a single policy. You can also attach multiple policies to an IAM entity to manage access.
For example, figure 1 has two permission statements included in the policy that enable all DynamoDB actions against two tables located in the us-east-1 and us-west-2 regions of AWS account 123456789012.
Figure 1. Example IAM Identity Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": [ "arn:aws:dynamodb:us-east-1:123456789012:table/MyTestApp_DDB_Table" ]
    },
    {
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTestApp_DDB_Table" ]
    }
  ]
}


We will now create the IAM identity policies for our AWS IAM roles using the AWS console.
1. Log in to the AWS account you plan to use for this lab. Ensure that you authenticate using an
identity that has been granted administrative access in the AWS account. It is recommended
that you use an identity that has the AdministratorAccess policy
(arn:aws:iam::aws:policy/AdministratorAccess) attached.
2. Access the AWS IAM console ( https://console.aws.amazon.com/iam/home#/home ) and select
Policies from the sidebar or go to
https://console.aws.amazon.com/iam/home?region=us-east-1#/policies . Click Create Policy. On
the “Create Policy” screen, select the JSON tab, and paste the policy contents from figure 2 below
into the JSON text editing panel in the AWS console.
The policy has 3 statements. When attached to an IAM entity these statements:
● Allow the Principal (e.g. User) to execute all Elastic Compute Cloud (EC2) actions against EC2
instances that have the same department tag as the Principal attempting to perform the action.
● Allow the Principal (e.g. User) to describe all EC2 instances within the AWS account.
● Explicitly deny the Principal (e.g. User) access to manipulate IAM or EC2 tags within the AWS
account.
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Figure 2. The departmental-ec2-access policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDepartmentEC2Management",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/department": "${aws:PrincipalTag/department}"
        }
      }
    },
    {
      "Sid": "AllowEC2DescribeAll",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "DenyTagManagement",
      "Effect": "Deny",
      "Action": [
        "iam:UntagUser",
        "iam:UntagRole",
        "ec2:DeleteTags",
        "ec2:CreateTags",
        "iam:TagRole",
        "iam:TagUser"
      ],
      "Resource": "*"
    }
  ]
}


Note: aws:PrincipalTag is an AWS global condition context key. AWS provides context keys which
can be used in IAM policies to restrict access. In this IAM policy, we use it to read the tag attached
to the IAM Principal (e.g. User) making the request. The policy uses the StringEquals operator to
compare the value of the department tag attached to the IAM Principal with the department tag of the
EC2 resource they are attempting to access, which is read through the Amazon EC2 ec2:ResourceTag condition key.
3. After pasting the policy from figure 2 into the JSON editor in the AWS Console, click “Review
policy”.
4. Name the policy “departmental-ec2-access” and optionally, add a description. Click “Create
policy”.
5. Policy creation is confirmed as you are returned to the IAM console policy dashboard.
6. Repeat steps 1 through 5 to create a second policy. Name the policy
“contractorsroleassumptionpolicy”. On the create policy screen, use the policy provided in Figure
3. This policy allows the assumption of an IAM Role if the condition is met that the role has a tag
with a key of contractorsassumerole and a value of true.
Figure 3. The contractorsassumerole policy

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "*",
    "Condition": {"StringLike": {"iam:ResourceTag/contractorsassumerole": "true"}}
  }
}


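To make the evaluation rules described above concrete (statements OR-ed together, an explicit Deny winning over any Allow, a StringEquals condition comparing the ${aws:PrincipalTag/department} variable with ec2:ResourceTag/department in figure 2, and the StringLike check on iam:ResourceTag/contractorsassumerole in figure 3), here is a small policy evaluator. It is an added example written for this page, not AWS code and not part of the original lab. It models only the subset of IAM used by the two policies (Action/Resource wildcards, StringEquals, StringLike, ${...} variables); the request ARNs, tag values and role names in the scenarios are constructed for the demonstration.

```python
"""Simplified IAM identity-policy evaluator (added example, not AWS code).

Models the rules the lab text describes: every statement is checked, the
results are OR-ed, and an explicit Deny overrides any Allow. Only the subset
of IAM used by figures 2 and 3 is supported; real IAM has many more operators.
"""
import re

# The two lab policies (figure 2 and figure 3), embedded so the example runs offline.
DEPARTMENTAL_EC2_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDepartmentEC2Management", "Effect": "Allow",
         "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {
             "ec2:ResourceTag/department": "${aws:PrincipalTag/department}"}}},
        {"Sid": "AllowEC2DescribeAll", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "DenyTagManagement", "Effect": "Deny",
         "Action": ["iam:UntagUser", "iam:UntagRole", "ec2:DeleteTags",
                    "ec2:CreateTags", "iam:TagRole", "iam:TagUser"],
         "Resource": "*"},
    ],
}

CONTRACTORS_ASSUME_ROLE = {
    "Version": "2012-10-17",
    "Statement": {  # IAM accepts a single statement object instead of a list
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*",
        "Condition": {"StringLike": {"iam:ResourceTag/contractorsassumerole": "true"}},
    },
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    """Action, Resource and Statement may each be a string or a list."""
    return value if isinstance(value, list) else [value]


def _substitute(template, context):
    """Expand ${key} policy variables such as ${aws:PrincipalTag/department}.
    A variable whose key is absent from the request expands to "" and so
    never equals a real tag value (simplification of IAM's 'fails to match')."""
    return _VAR.sub(lambda m: context.get(m.group(1), ""), template)


def _glob(pattern, value):
    """IAM wildcard matching: only '*' and '?' are special (case-sensitive here)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_met(condition, context):
    """Every operator block and every key inside it must match (logical AND).
    A condition key missing from the request context does not match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            patterns = [_substitute(p, context) for p in _as_list(expected)]
            if operator == "StringEquals":
                ok = any(actual == p for p in patterns)
            elif operator == "StringLike":
                ok = any(_glob(p, actual) for p in patterns)
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Statements across all attached policies are OR-ed; a matching Deny wins."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_met(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides every Allow
            decision = "Allow"
    return decision


def lab_scenarios():
    """Constructed requests showing what the two lab policies permit."""
    finance_user = {"aws:PrincipalTag/department": "finance"}
    own = {**finance_user, "ec2:ResourceTag/department": "finance"}
    other = {**finance_user, "ec2:ResourceTag/department": "hr"}
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0constructed"  # constructed
    policies = [DEPARTMENTAL_EC2_ACCESS, CONTRACTORS_ASSUME_ROLE]
    return {
        "stop_own_dept_instance": evaluate(policies, "ec2:StopInstances", instance, own),
        "stop_other_dept_instance": evaluate(policies, "ec2:StopInstances", instance, other),
        "describe_other_dept_instance": evaluate(policies, "ec2:DescribeInstances", "*", other),
        # tags match statement 1, but statement 3's explicit Deny wins
        "retag_own_dept_instance": evaluate(policies, "ec2:CreateTags", instance, own),
        "assume_tagged_role": evaluate(policies, "sts:AssumeRole",
            "arn:aws:iam::123456789012:role/ContractorRole",  # constructed
            {"iam:ResourceTag/contractorsassumerole": "true"}),
        "assume_untagged_role": evaluate(policies, "sts:AssumeRole",
            "arn:aws:iam::123456789012:role/InternalRole", {}),  # constructed
    }


if __name__ == "__main__":
    for name, result in lab_scenarios().items():
        print(f"{name:30} {result}")
```

Running the block prints one decision per scenario: stopping an instance in the caller's own department is allowed, stopping another department's instance falls through to an implicit deny, ec2:DescribeInstances is allowed regardless of tags, and ec2:CreateTags is explicitly denied even though the department tags match, which is exactly the point of the DenyTagManagement statement: a user must not be able to re-tag their way into another department's resources.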
Congratulations! You have created two IAM identity policies. These policies are customer-managed
policies. Customer managed policies are standalone identity-based policies that you create and which
you can attach to multiple IAM users, groups, or roles in your AWS account.
Part Two: Create IAM Users
1. Access the AWS IAM console and select Users from the sidebar or go to
https://console.aws.amazon.com/iam/home?region=us-east-1#/users. Click Create User.
2. On the “Add user” screen, under “Set User Details” enter “Anne” in the User name field.
3. On the “Add user” screen, under “Select AWS access type”, check the checkbox to enable AWS
Management Console access. Do not enable programmatic access. Under “Console password”
select the Custom password radio button and enter a password in the text box – make a note of
this password since it will be needed later to test the security configuration. Ensure the
“Require password reset” checkbox is unchecked. Click “Next: Permissions”.

Written by Dann. N

This is Dann, with 11+ years in the IT industry trying to share his passion with people which are showing interest in changing, growing their careers.
