Full Access to a specific S3 Bucket except DeleteObject

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": ["arn:aws:s3:::testbucket-unni"]
        },
        {
          "Effect": "Allow",
          "Action": ["s3:PutObject", "s3:GetObject"],
          "Resource": ["arn:aws:s3:::testbucket-unni/*"]
        }
      ]
    }

Details: Get and List actions are given on "arn:aws:s3:::*" to enable the console view; List action […]

Identity Fed Setup for AWS

    sudo apt-get install ruby
    sudo apt-get install rubygems
    sudo gem install json
    sudo gem install cgi-spa
    sudo gem install rest-open-uri
    sudo apt-get install libxslt-dev libxml2-dev
    sudo apt-get install build-essential

Create a new IAM user to make API calls to STS (User = identityfed). Attach a policy using the Policy Generator with Amazon STS (the above ARN have […]

Ruby Script by AWS for Identity Federation

    #!/usr/bin/ruby
    require 'rubygems'
    require 'json'
    require 'open-uri'
    require 'cgi'
    require 'aws-sdk'   # the AWS::STS namespace below is the v1 aws-sdk gem API

    # The temporary credentials will normally come from your identity
    # broker, but for simplicity we create them in place.
    # The key pair below is a placeholder, not a real credential; never
    # hard-code real keys in a script like this.
    sts = AWS::STS.new(:access_key_id => "AKFFAASVASDE",
                       :secret_access_key => "irJa8tNsdfavaercravavraWA")

    # A sample policy for accessing SNS in the console.
    policy = AWS::STS::Policy.new
    policy.allow(:actions => "*", :resources […]

IAM Users Only for Bucket Access

Ideally, use IAM Roles when the access credentials are used by an application hosted on EC2; otherwise the following can be set up: Create an S3 bucket, say unni-test. Create an IAM user with the same name as the bucket, unni-test. Now we can use IAM policy variables (here aws:username) to create just […]
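Both the bucket policy in "Full Access to a specific S3 Bucket except DeleteObject" and the aws:username pattern above come down to the same question: for a given action and resource ARN, does the policy allow it? The evaluator below is an added example (my code, not AWS's and not from the original post) implementing the slice of IAM evaluation logic needed to answer that offline: explicit Deny beats Allow, anything not allowed is implicitly denied, "*" and "?" wildcards, case-insensitive action matching, and ${aws:username} substitution. BUCKET_POLICY is the page's JSON; FULL_EXCEPT_DELETE_POLICY and PER_USER_POLICY are my constructions (the page's per-user policy is truncated, so its exact statements are assumed). The request context dict stands in for the values IAM fills in from the caller's identity.

```python
"""Minimal IAM policy evaluator (added example; not AWS code).

Covers: explicit Deny over Allow, implicit deny, '*'/'?' wildcards in
Action and Resource, case-insensitive actions, and ${aws:username}
substitution, which real IAM performs only when "Version" is
"2012-10-17". NotAction, NotResource, Condition and Principal are
deliberately out of scope.
"""
import re

# Policy from the page (a "Version" line is added; the page's JSON omits it).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::testbucket-unni"]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::testbucket-unni/*"]},
    ],
}

# Constructed variant matching the section heading literally: everything on
# the bucket except DeleteObject, enforced with an explicit Deny.
FULL_EXCEPT_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::testbucket-unni",
                      "arn:aws:s3:::testbucket-unni/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::testbucket-unni/*"},
    ],
}

# Assumed shape of the per-user policy from "IAM Users Only for Bucket
# Access": the caller's IAM user name doubles as the bucket name.
PER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::${aws:username}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::${aws:username}/*"},
    ],
}

_VARIABLE = re.compile(r"\$\{([A-Za-z0-9:]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern]
    return re.fullmatch("".join(parts), value) is not None


def _expand(pattern, context, version):
    """Substitute policy variables; None if a referenced key is absent.

    Pre-2012-10-17 versions treat "${aws:username}" as a literal string, so a
    policy that omits the Version line silently matches nothing.
    """
    if version != "2012-10-17":
        return pattern
    if any(m.group(1) not in context for m in _VARIABLE.finditer(pattern)):
        return None
    return _VARIABLE.sub(lambda m: context[m.group(1)], pattern)


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    version = policy.get("Version", "2008-10-17")
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(_wildcard_match(a, action, True)
                   for a in _as_list(stmt["Action"])):
            continue
        expanded = [_expand(r, context, version)
                    for r in _as_list(stmt["Resource"])]
        if not any(p is not None and _wildcard_match(p, resource, False)
                   for p in expanded):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::testbucket-unni/report.csv"
    for name, pol in (("page", BUCKET_POLICY), ("deny", FULL_EXCEPT_DELETE_POLICY)):
        print(name, "DeleteObject:", evaluate(pol, "s3:DeleteObject", obj))
```

Two results worth noticing: the page's policy never mentions DeleteObject, so the delete is only implicitly denied and any other attached policy could re-enable it, whereas the explicit Deny variant cannot be overridden by an Allow elsewhere; and the object statement's Resource ends in "/*", so PutObject against the bare bucket ARN does not match. The per-user policy also only works when the caller's user name equals the bucket name and the Version line is present.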

ARN – AWS Documentation Excerpts

Here are some example ARNs:

    AWS Elastic Beanstalk application version:
        arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
    IAM user name:
        arn:aws:iam::123456789012:David
    Amazon RDS tag:
        arn:aws:rds:eu-west-1:001234567890:db:mysql-db
    Amazon S3 bucket (and all objects in it):
        arn:aws:s3:::my_corporate_bucket/*

The following are the general formats for ARNs; the specific components and values used depend on the AWS service. […]
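The excerpt is cut off before the general formats, which are arn:partition:service:region:account-id:resource, with the resource part either bare, "type/resource" or "type:resource". The parser below is an added example (my code, not from AWS or the original page) that splits an ARN into those components and applies the checks a policy reviewer wants: the account field must be empty or 12 digits, region and account are legitimately empty for global services such as IAM and for S3, and S3's resource part ("bucket/key") must not be split as if "bucket" were a resource type. The IAM example uses the user/Name form that current IAM user ARNs have. The helper may_be_cross_account is my own naming.

```python
"""ARN parser and cross-account check (added example; not AWS code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Services whose resource part is a bare identifier that may itself contain
# "/" (S3: "bucket/key"), so it must not be split into type and id.
_BARE_RESOURCE_SERVICES = {"s3"}
_TYPED_RESOURCE = re.compile(r"^([^/:]+)([/:])(.+)$")


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str                   # "" for global services such as IAM
    account: str                  # "" for S3, whose ARNs carry no account
    resource_type: Optional[str]  # "user", "db", "environment", ... or None
    resource_id: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its components, or raise ValueError.

    Handles the three general formats: "resource", "type/resource" and
    "type:resource". The resource field is taken as everything after the
    fifth colon, so it may itself contain further ":" or "/" characters.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"ARN missing partition, service or resource: {arn!r}")
    if account and not re.fullmatch(r"\d{12}", account):
        raise ValueError(f"account id must be 12 digits: {arn!r}")
    if service in _BARE_RESOURCE_SERVICES:
        return Arn(partition, service, region, account, None, resource)
    m = _TYPED_RESOURCE.match(resource)
    if m:
        return Arn(partition, service, region, account, m.group(1), m.group(3))
    return Arn(partition, service, region, account, None, resource)


def may_be_cross_account(arn: str, own_account: str) -> bool:
    """True unless the ARN provably belongs to own_account.

    S3 bucket ARNs carry no account id, so a policy naming a bucket cannot be
    tied to an account by the ARN alone; such ARNs are flagged for review.
    """
    return parse_arn(arn).account != own_account
```

Feeding the page's own examples through parse_arn shows why the S3 special case matters: without it, "my_corporate_bucket/*" would come back as resource type "my_corporate_bucket" with id "*", and a reviewer comparing resource types across statements would be misled.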

IAM Users Best Practices – Excerpts from AWS Documentation!

Defining the right set of permissions requires some research to determine what is required for the specific task, what actions a particular service supports, and what permissions are required in order to perform those actions. Permissions can be assigned in two ways: as user-based permissions or as resource-based permissions. User-based permissions are attached to an […]