How can I structure an IAM role policy in AWS for the necessary permissions while maintaining the security of the AWS infrastructure?

21    Asked by DavidWHITE in AWS, Asked on Apr 17, 2024

I am currently engaged in managing the AWS infrastructure for a large e-commerce platform. My team needs to grant temporary access to a particular group of developers for a specific project, allowing them to create and manage EC2 instances but restricting their access to other services. How can I structure the IAM role policy to ensure the developers have the necessary permissions while maintaining security?

Answered by David WHITE

In the context of AWS, you can create an IAM role with a custom policy attached by following the steps given below:

Firstly, create an IAM policy with permissions limited to creating and managing EC2 instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceAttribute",
                "ec2:GetConsoleOutput",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}

Now you can create an IAM role and then attach the custom policy to it:

aws iam create-role --role-name DeveloperRole --assume-role-policy-document file://trust-policy.json

aws iam put-role-policy --role-name DeveloperRole --policy-name EC2ManagementPolicy --policy-document file://ec2-management-policy.json

Below is a Python script which combines the creation of an IAM role and a custom policy, and the attachment of the policy to the role, by using the Boto3 library, which is the AWS SDK for the Python programming language:

import boto3
import json

# Initialize the AWS IAM client (credentials come from the usual Boto3 credential chain)
iam_client = boto3.client('iam')

# Define the trust policy document.
# Note: a "Service": "ec2.amazonaws.com" principal lets the EC2 service itself assume the
# role (an instance profile role). For a role that developers assume directly, the Principal
# would instead be an AWS account or IAM user/role ARN.
trust_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

# Define the custom policy document for EC2 management
ec2_management_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceAttribute",
                "ec2:GetConsoleOutput",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}

# Create the IAM role with the trust policy
role_response = iam_client.create_role(
    RoleName='DeveloperRole',
    AssumeRolePolicyDocument=json.dumps(trust_policy)
)

# Get the role ARN from the response
role_arn = role_response['Role']['Arn']

# Attach the custom (inline) policy to the IAM role
iam_client.put_role_policy(
    RoleName='DeveloperRole',
    PolicyName='EC2ManagementPolicy',
    PolicyDocument=json.dumps(ec2_management_policy)
)

print(f"IAM Role created with ARN: {role_arn}")
print("Custom policy attached for EC2 management.")
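The policy in the answer grants every EC2 lifecycle action on "Resource": "*", so the developers could stop or terminate any instance in the account. The following is an added example, not code from the answer above: it builds the same kind of EC2 policy but fences the mutating actions by a project tag and a region, pairs it with a trust policy that developers (not the EC2 service) can assume only with MFA, and runs a small static check that flags unconditional mutating grants on "*". The account id, project tag and region are constructed placeholders; the condition keys used are standard IAM and EC2 keys.

```python
# Added example, not the original answer's code. Account id, project tag and region
# below are constructed placeholders; the condition keys are standard IAM/EC2 keys.
ACCOUNT_ID, PROJECT_TAG, REGION = "111122223333", "checkout-revamp", "eu-west-1"

MUTATING = {"ec2:RunInstances", "ec2:TerminateInstances", "ec2:StartInstances",
            "ec2:StopInstances", "ec2:RebootInstances"}
INSTANCE = "arn:aws:ec2:*:*:instance/*"

def build_ec2_policy(project, region):
    """Read-only calls stay on '*'; lifecycle calls are fenced by project tag and region."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:GetConsoleOutput"]},
        {"Sid": "LifecycleOnProjectInstances", "Effect": "Allow", "Resource": INSTANCE,
         "Action": sorted(MUTATING - {"ec2:RunInstances"}),
         "Condition": {"StringEquals": {"aws:ResourceTag/Project": project,
                                        "aws:RequestedRegion": region}}},
        {"Sid": "LaunchTaggedInstances", "Effect": "Allow", "Resource": INSTANCE,
         "Action": ["ec2:RunInstances"],  # new instances must carry the project tag
         "Condition": {"StringEquals": {"aws:RequestTag/Project": project,
                                        "aws:RequestedRegion": region}}},
        {"Sid": "LaunchSupportingResources", "Effect": "Allow", "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                      "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:network-interface/*",
                      "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:key-pair/*"]},
        {"Sid": "TagOnlyAtLaunch", "Effect": "Allow", "Action": ["ec2:CreateTags"],
         "Resource": "arn:aws:ec2:*:*:*/*",  # tags can only be set while launching
         "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}}]}

def build_trust_policy(account_id):
    """Principals in this account may assume the role, but only with MFA present."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

def unscoped_mutations(policy):
    """Sids of Allow statements granting a mutating or wildcard action on '*' unconditionally."""
    flagged = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        wide = "*" in actions or "ec2:*" in actions or bool(MUTATING & set(actions))
        if st["Effect"] == "Allow" and "*" in resources and "Condition" not in st and wide:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged
```

Serialise the two dicts with json.dumps() and pass them to create-role and put-role-policy exactly as the script above does; running unscoped_mutations() on the answer's original policy flags its single statement, while the scoped policy passes.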
