AWS Managed Policy
Within this blog post, we will cover how an IAM managed policy can be used to create an IAM user boundary that limits a user to the operations below.
- AWS S3 limited access [Get, Put, List]
- S3 access from only a single IP address.
Syntax Template
AWSTemplateFormatVersion: 2010-09-09
Description: CFN to create ManagedPolicy
Resources:
  IBDSReconUserBoundaryPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: A ManagedPolicy meant to restrict user based upon ingress IP.
      ManagedPolicyName: my_s3_user_boundary
      Path: /
      # Users attaches the policy to the user, i.e. it grants these permissions.
      # A permissions boundary in the IAM sense is set through the user's
      # PermissionsBoundary property instead.
      Users:
        - my_s3_user
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Bucket-level listing; no source-IP condition applies to this statement.
          - Effect: Allow
            Action:
              - s3:ListBucket
              - s3:GetBucketLocation
            Resource: arn:aws:s3:::my-randon-s3-bucket
          # Object writes under bucketfiles/, restricted to one source address.
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:PutObjectAcl
            Resource: arn:aws:s3:::my-randon-s3-bucket/bucketfiles/*
            Condition:
              # IpAddressIfExists still allows requests whose context has no
              # aws:SourceIp (for example calls made through a VPC endpoint);
              # use IpAddress to require the key to be present.
              IpAddressIfExists:
                # Placeholder address (octets must be 0-255); replace with your own.
                aws:SourceIp: 203.0.113.12/32
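To check how the condition behaves before deploying, the following added Python example (not code from the post) evaluates requests offline against a copy of the policy document above, using a placeholder source address and modelling only Allow statements with aws:SourceIp conditions. It demonstrates that IpAddressIfExists passes a request that carries no source IP at all, which the IpAddress operator does not.

```python
import copy
import fnmatch
import ipaddress
# Constructed policy mirroring the page's template; the IP is an RFC 5737 placeholder.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::my-randon-s3-bucket"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::my-randon-s3-bucket/bucketfiles/*",
         "Condition": {"IpAddressIfExists": {"aws:SourceIp": "203.0.113.12/32"}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _ip_ok(operator, wanted, source_ip):
    """One aws:SourceIp check. IfExists operators match when the key is absent,
    which is the case for requests arriving through a VPC endpoint."""
    if source_ip is None:
        return operator.endswith("IfExists")
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(w, strict=False) for w in _as_list(wanted))

def is_allowed(policy, action, resource, source_ip=None):
    """True if an Allow statement covers the request (Deny statements not modelled)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        cond = st.get("Condition", {})
        if all(op in ("IpAddress", "IpAddressIfExists")
               and _ip_ok(op, kv["aws:SourceIp"], source_ip) for op, kv in cond.items()):
            return True
    return False

def strict_ip_variant(policy):
    """Copy with IpAddressIfExists -> IpAddress, so a missing source IP denies."""
    p = copy.deepcopy(policy)
    for st in p["Statement"]:
        cond = st.get("Condition", {})
        if "IpAddressIfExists" in cond:
            cond["IpAddress"] = cond.pop("IpAddressIfExists")
    return p
```

Compare `is_allowed(POLICY, ..., source_ip=None)` with the same call on `strict_ip_variant(POLICY)` to see the difference between the two operators.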