Defining policies

Inline Policy (AWS::IAM::Policy)

Applies only to the entity it is defined on. It can be attached to a User, Group, or Role.
This was tedious: the same content had to be copy-pasted into every Group that needed it.

Managed Policy (AWS::IAM::ManagedPolicy)

Can be applied to multiple entities. It is defined as an independent policy and referenced from them.
There are AWS Managed Policies predefined by AWS, and Customer Managed Policies that users can create themselves.

Defining a Customer Managed Policy

For example, a policy that allows Read and Write access to a specific DynamoDB table (mytable************).

Resources:
  MyGroupPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "can read mytable only"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowReadDynamoDBMyTables"
            Effect: "Allow"
            Action:
              - "dynamodb:DescribeTable"
              # Read
              - "dynamodb:BatchGet*"
              - "dynamodb:Get*"
              - "dynamodb:Query"
              - "dynamodb:Scan"
              # Write
              - "dynamodb:BatchWrite*"
              - "dynamodb:Update*"
              - "dynamodb:PutItem"
              - "dynamodb:Delete*"
            Resource:
              - !Sub arn:aws:dynamodb:*:*:table/${TableName}*
              - !Sub arn:aws:dynamodb:*:*:table/${TableName}*/index/*
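To see what the statement above actually grants once ${TableName} is substituted, here is an added Python example (it is not part of the original post and not an AWS API) that evaluates (action, ARN) requests against the policy using IAM's wildcard rules: `*` matches any run of characters, `?` one character, action names compare case-insensitively and resource ARNs case-sensitively, and an explicit Deny beats any Allow. It assumes TableName is "mytable" and uses a made-up account ID and region for the ARNs; the helpers `is_allowed` and `scoped_to_exact_table` are mine. Two things it makes visible: the trailing `*` in `table/${TableName}*` also matches any other table whose name merely starts with mytable, and `dynamodb:Delete*` matches `dynamodb:DeleteTable` as well as `DeleteItem`, so the grant is wider than "read and write items" if that was the intent.

```python
import copy
import re
from typing import Any, Dict, List

# Constructed sample: the page's AllowReadDynamoDBMyTables statement with the
# ${TableName} parameter substituted by the hypothetical value "mytable".
TABLE_NAME = "mytable"
POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadDynamoDBMyTables",
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                # Read
                "dynamodb:BatchGet*", "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan",
                # Write
                "dynamodb:BatchWrite*", "dynamodb:Update*", "dynamodb:PutItem", "dynamodb:Delete*",
            ],
            "Resource": [
                f"arn:aws:dynamodb:*:*:table/{TABLE_NAME}*",
                f"arn:aws:dynamodb:*:*:table/{TABLE_NAME}*/index/*",
            ],
        }
    ],
}

# Hypothetical region and account ID, used only to build realistic-looking ARNs.
ARN_PREFIX = "arn:aws:dynamodb:ap-northeast-1:123456789012:table/"


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate IAM wildcards: '*' is any run of characters, '?' exactly one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def _as_list(value: Any) -> List[Any]:
    # Action and Resource may be a single string or a list in a policy document.
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    # IAM compares action names case-insensitively.
    return _glob_to_regex(pattern.lower()).match(action.lower()) is not None


def resource_matches(pattern: str, arn: str) -> bool:
    # Resource ARNs are compared case-sensitively.
    return _glob_to_regex(pattern).match(arn) is not None


def statement_matches(stmt: Dict[str, Any], action: str, arn: str) -> bool:
    return any(action_matches(a, action) for a in _as_list(stmt.get("Action", []))) and any(
        resource_matches(r, arn) for r in _as_list(stmt.get("Resource", []))
    )


def is_allowed(policy: Dict[str, Any], action: str, arn: str) -> bool:
    """Identity-policy evaluation: an explicit Deny wins, otherwise one matching Allow is needed."""
    allowed = False
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, action, arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def scoped_to_exact_table(policy: Dict[str, Any], table_name: str) -> Dict[str, Any]:
    """Copy of the policy whose Resource list names one table (and its indexes), no trailing '*'."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened["Statement"]:
        stmt["Resource"] = [
            f"arn:aws:dynamodb:*:*:table/{table_name}",
            f"arn:aws:dynamodb:*:*:table/{table_name}/index/*",
        ]
    return tightened


if __name__ == "__main__":
    checks = [
        ("dynamodb:GetItem", ARN_PREFIX + "mytable"),
        ("dynamodb:Query", ARN_PREFIX + "mytable/index/by-date"),
        ("dynamodb:GetItem", ARN_PREFIX + "mytable-archive"),  # prefix wildcard also matches this
        ("dynamodb:DeleteTable", ARN_PREFIX + "mytable"),      # Delete* covers more than DeleteItem
        ("dynamodb:GetItem", ARN_PREFIX + "othertable"),
        ("dynamodb:CreateTable", ARN_PREFIX + "mytable"),
    ]
    exact = scoped_to_exact_table(POLICY, TABLE_NAME)
    for action, arn in checks:
        print(f"{action:24} {arn.split('table/')[1]:24} "
              f"prefix={is_allowed(POLICY, action, arn)!s:5} exact={is_allowed(exact, action, arn)}")
```

Running the script prints a row per request with the decision under the page's prefix pattern and under the exact-table variant; only the mytable-archive row differs, which is the decision to make deliberately when choosing whether to keep the trailing `*`.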

Creating an IAM user with the policy applied

Define a group and attach the policy

MyIamGroup:
  Type: AWS::IAM::Group
  Properties:
    GroupName: !Ref MyIamGroupName
    ManagedPolicyArns:
      - !Ref MyGroupPolicy

Define a user and attach the policy (via the group)

Resources:
  MyIamUser:
    Type: AWS::IAM::User
    Properties:
      Groups:
        - !Ref MyIamGroup
      UserName:
        !Ref MyIamUserName

Creating an access key

Resources:
  MyIamAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref MyIamUser

The secret of the access key created this way can be referenced with !GetAtt MyIamAccessKey.SecretAccessKey.

The CloudFormation template combining the above

AWSTemplateFormatVersion: "2010-09-09"
Description: "Read Only Users for DynamoDB MyTables"

Metadata:
  # ------------------------------------------------------------ #
  # Input Parameters
  # ------------------------------------------------------------ #
  "AWS::CloudFormation::Interface":
    ParameterGroups:
      - Label:
          default: "mytable"
        Parameters:
          - TableName
      - Label:
          default: "mygroup"
        Parameters:
          - MyIamGroupName
      - Label:
          default: "myuser"
        Parameters:
          - MyIamUserName

    ParameterLabels:
      TableName:
        default: "mytable"
      MyIamGroupName:
        default: "mygroup"
      MyIamUserName:
        default: "myuser"

Parameters:
  TableName:
    Type: String
  MyIamGroupName:
    Type: String
  MyIamUserName:
    Type: String

Resources:
  # ------------------------------------------------------------ #
  # ManagedPolicy
  # ------------------------------------------------------------ #
  MyGroupPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      Description: "can read mytable only"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowReadDynamoDBMyTables"
            Effect: "Allow"
            Action:
              - "dynamodb:DescribeTable"
              # Read
              - "dynamodb:BatchGet*"
              - "dynamodb:Get*"
              - "dynamodb:Query"
              - "dynamodb:Scan"
              # Write
              - "dynamodb:BatchWrite*"
              - "dynamodb:Update*"
              - "dynamodb:PutItem"
              - "dynamodb:Delete*"
            Resource:
              - !Sub arn:aws:dynamodb:*:*:table/${TableName}*
              - !Sub arn:aws:dynamodb:*:*:table/${TableName}*/index/*

  # ------------------------------------------------------------ #
  # Group
  # ------------------------------------------------------------ #
  MyIamGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Ref MyIamGroupName
      ManagedPolicyArns:
        - !Ref MyGroupPolicy

  # ------------------------------------------------------------ #
  # User
  # ------------------------------------------------------------ #
  MyIamUser:
    Type: AWS::IAM::User
    Properties:
      Groups:
        - !Ref MyIamGroup
      UserName:
        !Ref MyIamUserName

  # ------------------------------------------------------------ #
  # AccessKey
  # ------------------------------------------------------------ #
  MyIamAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref MyIamUser

# ------------------------------------------------------------ #
# Output Parameters
# ------------------------------------------------------------ #
Outputs:
  CreatedKey:
    Value: !Ref MyIamAccessKey
  CreatedSecret:
    Value: !GetAtt MyIamAccessKey.SecretAccessKey
  CreatedUser:
    Value: !Ref MyIamUser
  CreatedGroup:
    Value: !Ref MyIamGroup
  CreatedManagedPolicy:
    Value: !Ref MyGroupPolicy

Reference

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAndDescribe",
      "Effect": "Allow",
      "Action": [
        "dynamodb:List*",
        "dynamodb:DescribeReservedCapacity*",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTimeToLive"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SpecificTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGet*",
        "dynamodb:DescribeStream",
        "dynamodb:DescribeTable",
        "dynamodb:Get*",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:BatchWrite*",
        "dynamodb:CreateTable",
        "dynamodb:Delete*",
        "dynamodb:Update*",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/MyTable"
    }
  ]
}
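The reference policy above puts its first statement on Resource "*" because listing actions such as dynamodb:ListTables are not resource-scoped, while the second statement names exactly one table. As an added example that is not from the page, the following Python audit walks a policy document and reports, per statement, every all-resources grant and every wildcard action, ranking each by whether the action prefix changes or removes data. The policy text is an embedded copy of the JSON above, and the MUTATING_PREFIXES list and the severity labels are my own convention, not an AWS classification; the check is the kind of review step worth running before a policy like this is attached to a group.

```python
import json
from typing import Any, Dict, List

# Constructed copy of the reference policy above; "MyTable" is the page's placeholder name.
REFERENCE_POLICY_JSON = r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAndDescribe",
      "Effect": "Allow",
      "Action": [
        "dynamodb:List*",
        "dynamodb:DescribeReservedCapacity*",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTimeToLive"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SpecificTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable",
        "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*",
        "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/MyTable"
    }
  ]
}
"""

# Hypothetical ranking convention: action-name prefixes that create, change or remove
# data or resources count as mutating; everything else is treated as read-only.
MUTATING_PREFIXES = ("Create", "Delete", "Update", "Put", "BatchWrite")


def _as_list(value: Any) -> List[Any]:
    # Statement, Action and Resource may each be a single value or a list.
    return value if isinstance(value, list) else [value]


def _is_mutating(action: str) -> bool:
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(MUTATING_PREFIXES)


def audit_policy(policy: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per broad grant found in the policy's Allow statements."""
    findings: List[Dict[str, str]] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for resource in resources:
            if resource == "*":
                # "*" on read-only listing actions is often unavoidable; on mutating actions it is not.
                severity = "high" if any(_is_mutating(a) for a in actions) else "review"
                findings.append({"sid": sid, "kind": "all-resources", "value": resource,
                                 "severity": severity})
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append({"sid": sid, "kind": "service-wide-action", "value": action,
                                 "severity": "high"})
            elif "*" in action:
                findings.append({"sid": sid, "kind": "wildcard-action", "value": action,
                                 "severity": "medium" if _is_mutating(action) else "low"})
    return findings


def load_policy(text: str) -> Dict[str, Any]:
    return json.loads(text)


if __name__ == "__main__":
    for finding in audit_policy(load_policy(REFERENCE_POLICY_JSON)):
        print(f"[{finding['severity']:6}] {finding['sid']:16} {finding['kind']:20} {finding['value']}")
```

On the reference policy the audit reports one all-resources grant (ListAndDescribe, marked review because its actions are all List/Describe) and seven wildcard actions, with Delete*, Update* and BatchWrite* ranked above the Get*/List* ones; each of those is a line a reviewer confirms deliberately rather than discovers later.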