Creating a policy on AWS IAM

Quite often, a user of an AWS account needs to be limited to a subset of AWS resources. This article demonstrates how to set up an AWS IAM access policy. The policy allows the user to access the AWS security group section and to list the EC2 security groups existing in the account.

Type the word "IAM" into the console search box, as shown in the picture below.

The drop-down menu displays a link to the IAM page. On the left panel, find "Policies" and click on it.

Then, click on the Create policy button.


Now the user lands on the Create policy page.
Click on the "JSON" tab and paste the following JSON text into the input box:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeVpcs",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeStaleSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress"
            ],
            "Resource": [
                "arn:aws:ec2:*:614473175879:security-group/sg-08e4a8b7369741207",
                "arn:aws:ec2:*:614473175879:security-group/sg-0bb9e5e05176968f5"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress"
            ],
            "Resource": "*"
        }
    ]
}
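Before attaching a policy like the one above, it is worth checking what it actually grants. The script below is an added example, not part of the original article: it embeds the article's policy JSON and evaluates requests against it with a simplified IAM-style matcher (Allow statements only, "*" wildcards in Action and Resource, no Deny statements or conditions). It also reports write actions granted on Resource "*", and provides a small helper that turns a single IP address into the /32 CIDR the later authorize command expects and refuses anything wider. The account ID and security-group IDs come from the policy in the article; the region in the ARNs and the second security-group ID `sg-0123456789abcdef0` are constructed for the checks.

```python
"""Evaluate the article's IAM policy offline (added example, not the article's own code)."""
import fnmatch
import ipaddress
import json

# The policy shown in the article, embedded verbatim (account and sg IDs are the article's).
POLICY_JSON = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor2", "Effect": "Allow",
     "Action": ["ec2:DescribeSecurityGroupReferences", "ec2:DescribeVpcs",
                "ec2:DescribeSecurityGroups", "ec2:DescribeStaleSecurityGroups"],
     "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress"],
     "Resource": ["arn:aws:ec2:*:614473175879:security-group/sg-08e4a8b7369741207",
                  "arn:aws:ec2:*:614473175879:security-group/sg-0bb9e5e05176968f5"]},
    {"Sid": "VisualEditor3", "Effect": "Allow",
     "Action": ["ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress"],
     "Resource": "*"}
  ]
}'''

# Constructed ARNs for the checks: one group named in the policy, one that is not.
ACCOUNT = "614473175879"
ALLOWED_SG = f"arn:aws:ec2:us-east-1:{ACCOUNT}:security-group/sg-08e4a8b7369741207"
OTHER_SG = f"arn:aws:ec2:us-east-1:{ACCOUNT}:security-group/sg-0123456789abcdef0"

# Actions that change a security group, as opposed to only reading it.
WRITE_ACTIONS = {
    "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress",
}


def load_policy():
    """Parse the embedded policy document into a dict."""
    return json.loads(POLICY_JSON)


def _as_list(value):
    # IAM allows a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # '*' and '?' are wildcards in IAM Action/Resource strings; matching is case-insensitive here.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy, action, resource):
    """True if some Allow statement covers both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            return True
    return False


def wildcard_write_grants(policy):
    """List (Sid, action) pairs where a write action is allowed on Resource '*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            if action in WRITE_ACTIONS:
                findings.append((stmt.get("Sid"), action))
    return findings


def host_cidr(ip):
    """Return the /32 CIDR for one IPv4 host; reject ranges such as 0.0.0.0/0."""
    net = ipaddress.ip_network(ip, strict=True)  # accepts "1.2.3.4" or "1.2.3.4/32"
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"expected a single IPv4 host, got {net}")
    return str(net)


if __name__ == "__main__":
    policy = load_policy()
    for action in ("ec2:DescribeSecurityGroups", "ec2:AuthorizeSecurityGroupIngress",
                   "ec2:RevokeSecurityGroupIngress", "ec2:DescribeInstances"):
        print(f"{action:36} allowed on {ALLOWED_SG.rsplit('/', 1)[1]}: "
              f"{is_allowed(policy, action, ALLOWED_SG)}")
    print("write actions granted on '*':", wildcard_write_grants(policy))
    print("CIDR for the authorize command:", host_cidr("49.228.39.251"))
```

Two things the output makes visible: the statement VisualEditor3 grants RevokeSecurityGroupIngress/Egress on every security group in the account, not just the two listed in VisualEditor1, so a user with this policy can strip rules from groups the article never mentions; and the policy contains no ec2:DescribeInstances, so an `aws ec2 describe-instances` call would be denied even though security groups can be listed. The matcher ignores Deny statements, conditions and permission boundaries, so treat it as a quick review aid, not a replacement for the IAM policy simulator.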

With this policy attached to the user, the user can access the AWS resource by listing the security groups. See the picture below.



This is the command at the prompt:

aws ec2 --profile testec2 describe-security-groups --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

Now, the next command will modify the security group. It adds the local computer's IP address to the security group on RDP port 3389.

First, find the local computer's IP address. Go to search:

The IP address will show in the search result.

Now, in the command prompt window, enter this command:

c:\> aws ec2 --profile testec2 authorize-security-group-ingress --group-id sg-08e4a8b7369741207 --protocol tcp --port 3389 --cidr 49.228.39.251/32

Now this IP address is added to the security group, as shown in the picture below.


To remove this IP address, run the command below:

c:\> aws ec2 --profile testec2 revoke-security-group-ingress --group-id sg-08e4a8b7369741207 --protocol tcp --port 3389 --cidr 49.228.39.251/32

Please leave your comment. Thank you for reading.