diff --git a/examples/aws/iam.policies/temporary.ro-access.json b/examples/aws/iam.policies/temporary.ro-access.policy.json
similarity index 79%
rename from examples/aws/iam.policies/temporary.ro-access.json
rename to examples/aws/iam.policies/temporary.ro-access.policy.json
index c75e823..324cc7b 100644
--- a/examples/aws/iam.policies/temporary.ro-access.json
+++ b/examples/aws/iam.policies/temporary.ro-access.policy.json
@@ -2,12 +2,8 @@
"Version": "2012-10-17",
"Statement": [
{
+ "Sid": "AllowAttachedPrincipalsTemporaryROAccessToBucket",
"Effect": "Allow",
- "Principal": {
- "AWS": [
- "arn:aws:iam::012345678901:user/my-user"
- ]
- },
"Action": [
"s3:GetObject",
"s3:GetObjectAttributes",
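Review bot: Nothing in the new file says when the grant expires: the `Sid` added at the top of the statement is the only free-text element a JSON policy document allows, and the `DateLessThan` condition on `aws:CurrentTime` that makes the access temporary sits outside this hunk (the statement body continues past it; presumably the same `2024-03-01T00:00:00Z` as the README example in this commit). Since IAM limits `Sid` to ASCII letters and digits, the cut-off can still be encoded there, e.g. `"Sid": "AllowAttachedPrincipalsTemporaryROAccessToBucketUntil20240301"`, so the intended end date is visible in the document returned by `get-policy-version` and in reviews of attached policies without reading the condition. If the date in the Sid and the condition are kept in step, a stale example is also easier to spot.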
@@ -25,4 +21,4 @@
}
}
]
-}
\ No newline at end of file
+}
diff --git a/knowledge base/cloud computing/aws/README.md b/knowledge base/cloud computing/aws/README.md
index 286f09e..c7cf03a 100644
--- a/knowledge base/cloud computing/aws/README.md
+++ b/knowledge base/cloud computing/aws/README.md
@@ -6,6 +6,7 @@
1. [Config](#config)
1. [Detective](#detective)
1. [GuardDuty](#guardduty)
+ 1. [EventBridge](#eventbridge)
1. [Inspector](#inspector)
1. [Security Hub](#security-hub)
1. [Resource constraints](#resource-constraints)
@@ -43,12 +44,15 @@ networks. They can communicate with services outside the VPC, but cannot receive
| [EC2] | Virtual machines |
| [ECR] | Container registry |
| [EKS] | Kubernetes clusters |
+| [EventBridge] | FIXME |
| [GuardDuty] | Threat detection |
| [Inspector] | FIXME |
| [S3] | Storage |
| [Sagemaker] | Machine learning |
| [Security Hub] | Aggregator for security findings |
+[Service icons][icons]
+
### CloudWatch
Observability service. with functions for logging, monitoring and alerting.
@@ -112,6 +116,10 @@ Each is assigned a severity value (0.1 to 8+).
_Trusted IP List_ is a whitelist of **public IPs** that will be ignored by the rules.
_Threat IP List_ is a blacklist of **public IPs and CIDRs** that will be used by the rules.
+### EventBridge
+
+FIXME
+
### Inspector
FIXME
@@ -144,10 +152,11 @@ Member accounts can administer Security Hub by delegation if given the permissio
## Resource constraints
-| Data type | Component | Summary | Description | Type | Length | Pattern | Required |
-| --------- | --------- | ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -------- | --------------------------------- | -------- |
-| Tag | Key | Required name of the tag | The string value can be Unicode characters and cannot be prefixed with "aws:".
The string can contain only the set of Unicode letters, digits, white-space, `_`,' `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$`) | String | 1 to 128 | `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` | Yes |
-| Tag | Value | The optional value of the tag | The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, `_`, `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$"`, `[\p{L}\p{Z}\p{N}_.:\/=+\-@]*` on AWS) | String | 0 to 256 | `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` | Yes |
+| Data type | Component | Summary | Description | Type | Length | Pattern | Required |
+| ------------ | --------- | ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -------- | --------------------------------- | -------- |
+| Statement ID | Value | Optional identifier for a policy statement | The element supports only ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9). | String | FIXME | `[A-Za-z0-9]` | No |
+| Tag | Key | Required name of the tag | The string value can be Unicode characters and cannot be prefixed with "aws:".
The string can contain only the set of Unicode letters, digits, white-space, `_`,' `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$`) | String | 1 to 128 | `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` | Yes |
+| Tag | Value | The optional value of the tag | The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, `_`, `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$"`, `[\p{L}\p{Z}\p{N}_.:\/=+\-@]*` on AWS) | String | 0 to 256 | `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` | Yes |
## Access control
@@ -173,39 +182,62 @@ From [Using service-linked roles]:
### IAM policies
+IAM does not expose policies' `Sid` element in the IAM API, so it can't be used to retrieve statements.
+
Examples:
Give a user temporary RO access to a bucket
-```json
-{
- "Version": "2012-10-17",
- "Statement": [{
- "Effect": "Allow",
- "Principal": {
- "AWS": [
- "arn:aws:iam::012345678901:user/my-user"
- ]
- },
- "Action": [
- "s3:GetObject",
- "s3:GetObjectAttributes",
- "s3:ListBucket",
- "s3:ListBucketVersions"
- ],
- "Resource": [
- "arn:aws:s3:::my-bucket",
- "arn:aws:s3:::my-bucket/*"
- ],
- "Condition": {
- "DateLessThan": {
- "aws:CurrentTime": "2024-03-01T00:00:00Z"
- }
- }
- }]
-}
-```
+1. Create the policy:
+
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [{
+ "Sid": "AllowAttachedPrincipalsTemporaryROAccessToBucket",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:GetObjectAttributes",
+ "s3:ListBucket",
+ "s3:ListBucketVersions"
+ ],
+ "Resource": [
+ "arn:aws:s3:::my-bucket",
+ "arn:aws:s3:::my-bucket/*"
+ ],
+ "Condition": {
+ "DateLessThan": {
+ "aws:CurrentTime": "2024-03-01T00:00:00Z"
+ }
+ }
+ }]
+ }
+ ```
+
+ ```sh
+ $ aws iam create-policy --output 'yaml' \
+ --policy-name 'temp-ro-access-my-bucket' --policy-document 'file://policy.json'
+ - Policy:
+ Arn: arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket
+ AttachmentCount: 0
+ CreateDate: '2024-02-25T09:34:12+00:00'
+ DefaultVersionId: v1
+ IsAttachable: true
+ Path: /
+ PermissionsBoundaryUsageCount: 0
+ PolicyId: ANPA2HKHE74L11PTJGB3V
+ PolicyName: temp-ro-access-my-bucket
+ UpdateDate: '2024-02-25T09:34:12+00:00'
+ ```
+
+1. Attach the newly created policy to the user:
+
+ ```sh
+ aws iam attach-user-policy \
+ --user-name 'my-user' --policy-arn 'arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket'
+ ```
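Review bot: The example ends after `attach-user-policy`, but the `DateLessThan` condition on `aws:CurrentTime` only stops the statement from matching after `2024-03-01T00:00:00Z`; the managed policy stays created and attached to `my-user` afterwards and lingers until someone removes it. A third step should close the loop: `aws iam detach-user-policy --user-name 'my-user' --policy-arn 'arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket'` followed by `aws iam delete-policy --policy-arn 'arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket'` (`delete-policy` is rejected while the policy is still attached anywhere). The cut-off date is a literal that readers must move into the future before running `create-policy`; a one-line sentence before the JSON saying so would avoid copy-pasting an already-expired grant. Minor style: the first `sh` block shows a `$` prompt and the command output, while the second shows neither.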
@@ -227,6 +259,7 @@ Examples:
- [What is AWS Config?]
- [AWS Config tutorial by Stephane Maarek]
- [Date & time policy conditions at AWS - 1-minute IAM lesson]
+- [IAM JSON policy elements: Sid]
[aws config tutorial by stephane maarek]: https://www.youtube.com/watch?v=qHdFoYSrUvk
+[icons]: https://aws-icons.com/
[date & time policy conditions at aws - 1-minute iam lesson]: https://www.youtube.com/watch?v=4wpKP1HLEXg
[introduction to aws iam assumerole]: https://aws.plainenglish.io/introduction-to-aws-iam-assumerole-fbef3ce8e90b
diff --git a/knowledge base/cloud computing/aws/cli.md b/knowledge base/cloud computing/aws/cli.md
index 32e22b8..f06b060 100644
--- a/knowledge base/cloud computing/aws/cli.md
+++ b/knowledge base/cloud computing/aws/cli.md
@@ -84,6 +84,24 @@ aws iam list-access-keys --user-name 'mario'
# List configured OIDC providers.
aws iam list-open-id-connect-providers
+# Create policies.
+aws iam create-policy \
+ --policy-name 'ro-access-bucket' --policy-document 'file://bucket.ro-access.policy.json'
+
+# Delete policies.
+aws iam delete-policy --policy-arn 'arn:aws:iam::012345678901:policy/ro-access-bucket'
+
+# Attach policies.
+aws iam attach-user-policy --user-name 'me-user' \
+ --policy-arn 'arn:aws:iam::012345678901:policy/ro-access-bucket'
+
+# Detach policies.
+aws iam detach-user-policy --user-name 'me-user' \
+ --policy-arn 'arn:aws:iam::012345678901:policy/ro-access-bucket'
+
+# Delete user policies.
+aws iam delete-user-policy --user-name 'me-user' --policy-name 'user-ro-access-bucket'
+
# Show RDS instances.
aws rds describe-db-instances
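Review bot: The comment `# Delete user policies.` above `delete-user-policy` blurs the distinction the block is otherwise making: `delete-user-policy` removes an inline policy embedded in the user (hence `--policy-name`), whereas the managed policy created with `create-policy` is removed with `detach-user-policy` followed by `delete-policy`, and `delete-policy` is rejected while the policy is still attached to any user, group or role or still has non-default versions. I would write `# Delete inline policies embedded in a user (managed policies: detach-user-policy, then delete-policy).` Also `me-user` here differs from the `my-user` used in the README example in this same commit; one name across the two files reads better.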