
Cloud Migration Hub: Create a custom policy based on the ReadOnlyAccess policy of AWS

Last Updated: Jan 30, 2024

This topic describes how to create a custom policy based on the ReadOnlyAccess policy that grants the read-only permissions on the resources of Amazon Web Services (AWS).

Background information

AWS provides the managed ReadOnlyAccess policy, which allows read-only access to storage services such as Amazon Simple Storage Service (Amazon S3), including the data stored in them. To isolate business data and prevent data leaks, you need a policy that grants read access to resource metadata but not to the data itself.

Method

You can create a custom policy based on the ReadOnlyAccess policy of AWS by attaching an additional policy that explicitly denies the data-read permissions on specific database or storage services. In IAM, an explicit Deny always overrides an Allow, so the denied actions are blocked even though ReadOnlyAccess grants them.

The sample template in the appendix provides an example of a custom policy that denies the data-read permissions on the following services:

s3: Amazon S3
glacier: Amazon S3 Glacier
dynamodb: Amazon DynamoDB
rds: Amazon Relational Database Service
qldb: Amazon Quantum Ledger Database
cassandra: Amazon Keyspaces (for Apache Cassandra)
codecommit: AWS CodeCommit

Procedure

Create a stack

1. Log on to the AWS CloudFormation console as an administrator or a power user and select a region. Make sure that the user or role has the permissions to create and manage AWS Identity and Access Management (IAM) resources.

2. On the Stacks page, click Create stack.

3. On the Create stack page, select Template is ready in the Prerequisite - Prepare template section. In the Specify template section, select Upload a template file, click Choose file, and then upload a template file such as the read-only-user.cf.yaml file provided in the appendix.

4. Click Next in the lower-right corner. On the Specify stack details page, enter a descriptive name in the Stack name field. In this example, the name of the stack is AliCloudInspector.

5. In the other steps, use the default settings. On the last page, select I acknowledge that AWS CloudFormation might create IAM resources in the Capabilities section and click Create stack.

6. Wait until the stack is created.

Obtain the stack information

In the AWS CloudFormation console, click the AliCloudInspector stack that you created in the Stacks pane. On the details page, click the Outputs tab. You can view the username, password, AccessKey, and SecretKey of the stack.

Verify the stack information

You can perform a simple test after you obtain the stack information.

Go to the console

1. Log off from the current user account.

2. Log on to the AWS CloudFormation console again by using the username and password that you obtained. After you log on to the console, the Reset Password dialog box appears.

Go to the CLI

Replace the values of the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables in the following environment variable template with the AccessKey and SecretKey that you obtained, and set AWS_DEFAULT_REGION to the region of the stack. Then run the export commands in your shell.

export AWS_ACCESS_KEY_ID=<AK>
export AWS_SECRET_ACCESS_KEY=<SK>
export AWS_DEFAULT_REGION=<Region>

Run the following commands to perform the test. Listing buckets (s3:ListAllMyBuckets) is still granted by ReadOnlyAccess, whereas downloading an object (s3:GetObject) is explicitly denied by the custom policy:

aws s3 ls                                 # Check whether the names of all buckets are listed.
aws s3 cp s3://<bucket>/<object> .        # Check whether the download of the object is denied (AccessDenied).
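The following script is an added example, not part of the original page or the AWS template, that predicts the outcome of the CLI checks above offline. It applies the IAM rule that an explicit Deny overrides any Allow, together with IAM's case-insensitive action wildcards, to the Deny statement from the appendix; ALLOWED_BY_READONLY is a constructed, simplified stand-in for the real ReadOnlyAccess managed policy.

```python
"""Offline evaluation of the Deny overlay from the appendix template.

Added example. DENY_ACTIONS is copied from the DenyUnnecessaryPolicies
resource; ALLOWED_BY_READONLY is a constructed subset standing in for
the AWS-managed ReadOnlyAccess policy (the real policy is far longer).
"""
import re

DENY_ACTIONS = [
    "s3:GetObject*", "dynamodb:BatchGet*", "dynamodb:Get*", "dynamodb:Query",
    "dynamodb:Scan", "rds:Download*", "glacier:Get*", "qldb:Get*",
    "cassandra:Select", "codecommit:BatchGet*", "codecommit:Get*",
    "codecommit:GitPull",
]
# Constructed approximation of ReadOnlyAccess (assumption, not its real contents).
ALLOWED_BY_READONLY = [
    "s3:Get*", "s3:List*", "dynamodb:Describe*", "dynamodb:Get*",
    "dynamodb:List*", "dynamodb:Query", "dynamodb:Scan", "rds:Describe*",
    "rds:Download*", "codecommit:Get*", "codecommit:List*", "codecommit:GitPull",
]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: '*' = any run of characters, '?' = one character,
    compared case-insensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def evaluate(action: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' following IAM precedence:
    an explicit Deny wins, then an Allow, otherwise the implicit deny."""
    if any(action_matches(p, action) for p in DENY_ACTIONS):
        return "Deny"
    if any(action_matches(p, action) for p in ALLOWED_BY_READONLY):
        return "Allow"
    return "ImplicitDeny"


def audit(actions):
    """Map each action to its predicted decision for the ReadOnlyUser."""
    return {a: evaluate(a) for a in actions}


if __name__ == "__main__":
    # Actions behind 'aws s3 ls' and 'aws s3 cp', plus a few metadata reads.
    for action, decision in audit([
        "s3:ListAllMyBuckets", "s3:GetObject", "s3:GetObjectVersion",
        "s3:GetBucketPolicy", "dynamodb:DescribeTable", "dynamodb:Scan",
        "codecommit:GitPull", "s3:PutObject",
    ]).items():
        print(f"{action:24} {decision}")
```

Note that metadata reads such as s3:GetBucketPolicy stay allowed, which is the intended "resources but no data" split.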

Appendix

read-only-user.cf.yaml

---
AWSTemplateFormatVersion: '2010-09-09'
Description: A CloudFormation template that creates a true read-only user and the corresponding AccessKey/SecretKey so that the AliCloud team can access resources but not data.

Resources:
  ReadOnlyUser:
    Type: AWS::IAM::User
    Properties:
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/ReadOnlyAccess
      LoginProfile:
        Password: !Ref AWS::StackId
        PasswordResetRequired: true

  DenyUnnecessaryPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: DenyUnnecessaryPermissionsOfReadOnlyAccess
      PolicyDocument:
        Statement:
        - Effect: Deny
          Action:
          - s3:GetObject*
          - dynamodb:BatchGet*
          - dynamodb:Get*
          - dynamodb:Query
          - dynamodb:Scan
          - rds:Download*
          - glacier:Get*
          - qldb:Get*
          - cassandra:Select
          - codecommit:BatchGet*
          - codecommit:Get*
          - codecommit:GitPull
          Resource: "*"
      Users:
      - !Ref ReadOnlyUser
  CFNKeys:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref ReadOnlyUser
Outputs:
  Password:
    Value: !Ref AWS::StackId
  UserName:
    Value: !Ref ReadOnlyUser
    Description: Username of new user
  AccessKey:
    Value:
      Ref: CFNKeys
    Description: AWSAccessKeyId of new user
  SecretKey:
    Value:
      Fn::GetAtt:
      - CFNKeys
      - SecretAccessKey
    Description: AWSSecretKey of new user