AWS API Policies

Introduction

Usage of all AWS services and actions supported by Zadara Cloud Services is governed by their corresponding AWS-managed policies. These policies can be assigned per project to users, groups of users, and STS (Security Token Service) roles. Zadara Cloud Services usage is governed by Zadara IaaS (Infrastructure as a Service) policies together with Zadara Cloud Services roles. Zadara Cloud Services supports both AWS Managed Policies and Zadara Cloud Services Managed Policies.

AWS IAM API Policies and AWS Roles Overview

The following examples illustrate how policies and roles are applied.

  1. Policies are attached to users, groups or IAM roles only within the context of a project.


    User-1 will have the permissions defined in IAM Policy-1 and IAM Policy-2 only when working within the context of Project-1. When working within the context of Project-2, User-1 will have the permissions defined in IAM Policy-3 and IAM Policy-4.

  2. Policies attached to users and groups within the context of the same project are aggregated.


    User-1 will have the permissions defined in IAM Policy-1 and IAM Policy-2 in addition to those defined in IAM Policy-5 and IAM Policy-6. User-2, on the other hand, will have the permissions defined in IAM Policy-5 and IAM Policy-6 when working within the context of Project-1. When working within the context of Project-3, both users will have the permissions defined in IAM Policy-1 and IAM Policy-2.

  3. An IAM role with attached IAM policies that is added to a user grants the user, once the role is assumed, temporary credentials within the context of the IAM role’s project.


    When User-3 assumes IAM Role-1, User-3 will have the temporary permissions defined in IAM Policy-7 and IAM Policy-8 when working within the context of Project-1. When working within the context of Project-2, User-3 will have the permanent permissions defined in IAM Policy-1 and IAM Policy-4.

  4. An IAM role with attached IAM policies that is attached to an instance via an instance profile grants the instance permanent credentials within the context of the IAM role’s project.


    Instance-1 will permanently have the permissions defined in Policy-6 and Policy-9 when working within the context of Project-4.

Managed AWS API Policies Supported by Zadara-IaaS

Zadara Cloud Services-managed AWS IAM API policies

Name                      Description
AmazonS3BucketManagement  Provides the ability to create buckets and read their data.
EC2AMIDeleteOnly          Provides the ability to delete an EC2 AMI.
EC2AMIDescribeInstances   Provides the ability to describe instances (including their statuses and attributes), and to create and describe images.
EC2AMIFullAccess          Provides full access to all EC2 AMI actions.
EC2AMIReadOnlyAccess      Provides read-only access to all EC2 AMI actions.
EC2ManageInstances        Provides read-only access to all EC2 (which includes EC2, VPC, EBS, VM Import/Export) actions, in addition to permission to start and stop EC2 instances.
MemberFullAccess          Provides limited access to IAM policies and full access to all other supported services.
STSAssumeRole             Provides the ability to obtain an IAM role using the “assume-role” action.
STSFullAccess             Provides full access to all STS actions.

ZCS-managed policy definitions

JSON policy definition examples

Examples of JSON policy definitions for ZCS managed IAM policies:

EC2AMIDeleteOnly

JSON policy definition for the EC2AMIDeleteOnly ZCS managed IAM policy:

[
   {
      "Action": [
         "ec2:DeregisterImage"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   }
]

EC2AMIDescribeInstances

JSON policy definition for the EC2AMIDescribeInstances ZCS managed IAM policy:

[
   {
      "Action": [
         "ec2:DescribeImageAttribute",
         "ec2:DescribeImages",
         "ec2:CreateImage",
         "ec2:DescribeInstanceAttribute",
         "ec2:DescribeInstanceStatus",
         "ec2:DescribeInstances"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   }
]

EC2AMIFullAccess

JSON policy definition for the EC2AMIFullAccess Zadara IaaS-managed IAM policy:

[
   {
      "Action": [
         "ec2:*Tags",
         "ec2:*Image*"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   }
]

EC2AMIReadOnlyAccess

JSON policy definition for the EC2AMIReadOnlyAccess ZCS managed IAM policy:

[
   {
      "Action": [
         "ec2:Describe*Image*",
         "ec2:DescribeTags"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   }
]

EC2ManageInstances

JSON policy definition for the EC2ManageInstances ZCS managed IAM policy:

[
   {
      "Action": [
         "ec2:RebootInstances",
         "ec2:Describe*",
         "autoscaling:Describe*",
         "ec2:StartInstances",
         "ec2:DescribeTags",
         "elasticloadbalancing:Describe*",
         "ec2:StopInstances",
         "cloudwatch:GetMetricStatistics",
         "cloudwatch:Describe*",
         "cloudwatch:ListMetrics"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   }
]

MemberFullAccess

JSON policy definition for the MemberFullAccess ZCS managed IAM policy:

[
   {
      "NotAction": [
         "iam:*"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   },
   {
      "Action": [
         "iam:ChangePassword",
         "iam:GetUser",
         "iam:CreateAccessKey",
         "iam:ListAccessKeys",
         "iam:DeleteAccessKey"
      ],
      "Resource": [
         "arn:aws:iam::*:user/${aws:username}"
      ],
      "Effect": "Allow"
   },
   {
      "Action": [
         "iam:GetRole",
         "iam:ListAttachedRolePolicies",
         "iam:ListRoles",
         "iam:*InstanceProfile*",
         "iam:GetPolicy",
         "iam:GetPolicyVersion"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   }
]

STSAssumeRole

JSON policy definition for the STSAssumeRole ZCS managed IAM policy:

[
   {
      "NotAction": [
         "iam:*"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   },
   {
      "Action": [
         "iam:ChangePassword",
         "iam:GetUser",
         "iam:CreateAccessKey",
         "iam:ListAccessKeys",
         "iam:DeleteAccessKey"
      ],
      "Resource": [
         "arn:aws:iam::*:user/${aws:username}"
      ],
      "Effect": "Allow"
   },
   {
      "Action": [
         "iam:GetRole",
         "iam:ListAttachedRolePolicies",
         "iam:ListRoles",
         "iam:*InstanceProfile*",
         "iam:GetPolicy",
         "iam:GetPolicyVersion"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   }
]

STSFullAccess

JSON policy definition for the STSFullAccess ZCS managed IAM policy:

[
   {
      "Action": [
         "sts:*"
      ],
      "Resource": [
         "*"
      ],
      "Effect": "Allow"
   }
]
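
To make the rules from the examples earlier on this page (policies take effect only in the project they are attached in, and policies attached within one project aggregate) and the Action/NotAction wildcard patterns in the definitions above concrete, here is an added example in Python. It is not part of the Zadara Cloud Services documentation or product. The policy constants are copied from this page; the sample action list, the per-project assignment for User-1, the account ID and the user names are constructed; and the wildcard-matching and NotAction semantics are assumptions modelled on standard IAM evaluation (explicit Deny statements and Condition blocks, which do not appear on this page, are not handled).

```python
"""Added example, not part of the Zadara Cloud Services documentation or product:
a minimal evaluator for the statement lists shown on this page, used to check
which actions a set of project-scoped managed policies actually grants.

Assumptions (not stated on the page): statements are the bare list form shown
above, the only Effect in use is "Allow", matching follows the usual IAM wildcard
rules ("*" any run of characters, "?" one character, case-insensitive), and
${aws:username} is the only policy variable substituted.
"""
import re


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match for action names and resource ARNs."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt: dict, action: str, resource: str, username: str) -> bool:
    """True if one statement allows `action` on `resource`. "Action" lists what is
    allowed; "NotAction" allows everything *except* the listed patterns, which is how
    MemberFullAccess grants every non-IAM call in a single statement."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Action" in stmt:
        if not any(iam_match(p, action) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        if any(iam_match(p, action) for p in _as_list(stmt["NotAction"])):
            return False
    else:
        return False
    resources = [r.replace("${aws:username}", username) for r in _as_list(stmt.get("Resource", []))]
    return any(iam_match(r, resource) for r in resources)


def is_allowed(policies, action, resource="*", username=""):
    """Policies attached within one project aggregate (example 2 on this page): the
    action is allowed if any statement of any policy allows it. No Deny statements
    appear on this page, so none are modelled."""
    return any(statement_allows(s, action, resource, username) for p in policies for s in p)


def granted_actions(policies, candidate_actions, resource="*", username=""):
    """Expand the wildcards: which of the candidate actions do these policies grant?"""
    return sorted(a for a in candidate_actions if is_allowed(policies, a, resource, username))


def user_allowed(assignments, project, action, resource="*", username=""):
    """Policies apply only in the project they were attached in (example 1 on this
    page); `assignments` maps a project name to the policies attached there."""
    return is_allowed(assignments.get(project, []), action, resource, username)


# Policy definitions copied from this page.
EC2_AMI_DELETE_ONLY = [
    {"Action": ["ec2:DeregisterImage"], "Resource": ["*"], "Effect": "Allow"},
]
EC2_AMI_READ_ONLY_ACCESS = [
    {"Action": ["ec2:Describe*Image*", "ec2:DescribeTags"], "Resource": ["*"], "Effect": "Allow"},
]
EC2_AMI_FULL_ACCESS = [
    {"Action": ["ec2:*Tags", "ec2:*Image*"], "Resource": ["*"], "Effect": "Allow"},
]
MEMBER_FULL_ACCESS = [
    {"NotAction": ["iam:*"], "Resource": ["*"], "Effect": "Allow"},
    {"Action": ["iam:ChangePassword", "iam:GetUser", "iam:CreateAccessKey",
                "iam:ListAccessKeys", "iam:DeleteAccessKey"],
     "Resource": ["arn:aws:iam::*:user/${aws:username}"], "Effect": "Allow"},
    {"Action": ["iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRoles",
                "iam:*InstanceProfile*", "iam:GetPolicy", "iam:GetPolicyVersion"],
     "Resource": ["*"], "Effect": "Allow"},
]

# Constructed sample of action names (a small subset of the EC2/IAM/S3 action
# namespaces) used to show what the wildcard patterns expand to.
SAMPLE_ACTIONS = [
    "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:CreateImage",
    "ec2:CopyImage", "ec2:DeregisterImage", "ec2:ModifyImageAttribute",
    "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeTags",
    "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:CreateUser", "iam:GetUser", "s3:ListAllMyBuckets",
]

# Constructed assignment mirroring example 1: User-1's policies differ per project.
USER1_ASSIGNMENTS = {
    "Project-1": [EC2_AMI_READ_ONLY_ACCESS, EC2_AMI_DELETE_ONLY],
    "Project-2": [MEMBER_FULL_ACCESS],
}

if __name__ == "__main__":
    for name, policy in [("EC2AMIReadOnlyAccess", EC2_AMI_READ_ONLY_ACCESS),
                         ("EC2AMIFullAccess", EC2_AMI_FULL_ACCESS)]:
        print(name, "->", granted_actions([policy], SAMPLE_ACTIONS))
    for project in USER1_ASSIGNMENTS:
        print(project, "ec2:CreateImage:", user_allowed(USER1_ASSIGNMENTS, project, "ec2:CreateImage"))
```

Running it shows the point worth checking before attaching a wildcard policy: `ec2:*Image*` in EC2AMIFullAccess covers not only Describe calls but Create, Copy, Deregister and ModifyImageAttribute, and the NotAction statement in MemberFullAccess allows every non-IAM action while the `${aws:username}` statement limits access-key management to the caller's own user.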

Working with Managed AWS API Policies

Working with Managed AWS API Policies via the GUI

  1. To retrieve the full list of ZCS-supported managed AWS API policies:

    1. Navigate to the Identity & Access > AWS API Policies view.

  2. To display the JSON policy definition of a specific managed AWS API policy:

    1. In the Identity & Access > AWS API Policies view, click on the desired policy and select the Policy tab. The policy definition will be displayed.

  3. To display all the users, groups and roles assigned to a specific managed AWS API policy:

    1. In the Identity & Access > AWS API Policies view, click on the desired policy and select the Assignments tab. A list of all of the users, groups and roles assigned to this policy will be displayed.

Working with Managed AWS API Policies via the CLI

  1. To retrieve the entire list of Zadara Cloud Services-supported managed AWS API policies:

    1. Enter the following command:

      Zadara Cloud Services @ Account-1/Project-1 > policy list
      
      The list of all Zadara Cloud Services-supported managed policies will be displayed, together with their IDs.
      
  2. To display the JSON policy definition of a specific policy:

    1. First locate the ID of the desired policy from the list of policies with the previous command:

      Zadara Cloud Services @ Account-1/Project-1 > policy list
      
    2. Using the ID of the desired policy, enter the following command to get its policy definition:

      Zadara Cloud Services @ Account-1/Project-1 > policy get ced7e6aca00340bd84e396c71763c7d8
      

      A variety of details about this policy including its policy definition will be displayed.

  3. To display all of the users, groups and roles assigned to a specific policy:

    1. First locate the ID of the desired policy from the list of policies with the previous command:

      Zadara Cloud Services @ Account-1/Project-1 > policy list
      
    2. Using the ID of the desired policy, enter the following command to list the entities assigned to it:

      Zadara Cloud Services @ Account-1/Project-1 > policy get-entities ced7e6aca00340bd84e396c71763c7d8
      

      All of the users, groups and roles attached to the selected policy, will be displayed.

  4. To display all the assigned policies for all users, groups and roles:

    1. Enter the following command:

      Zadara Cloud Services @ Account-1/Project-1 > policy assignments-list
      

      All of the assigned policies for all users, groups and roles, will be displayed.