AWS IAM "ReadOnlyAccess" Managed Policy Is Missing Features

adding in some read-only permissions that Amazon missed

Amazon has created a Managed Policy in IAM named ReadOnlyAccess, which grants read-only access to AWS resources and API calls that make no changes to the account. At Campus Explorer, we depend on this convenient managed policy for our read-only roles, though we add a few Deny statements, as we don’t believe, for example, that pulling messages off of an SQS queue really belongs in a read-only role.

In theory, and mostly in practice, Amazon manages this managed policy so that we don’t have to keep up with all of the changing API calls from new services and new features in existing services.

My colleague, Jennine Townsend, practices security-conscious living and therefore spends most of her time using the AWS console and AWS CLI with an IAM role that has read-only access to our AWS accounts. She switches to roles that have permission to make changes only when necessary (and then uses code that has been tested and added to revision control).

Last week, Jennine was streaming the AWS re:Invent keynotes where Amazon announced some great new services and new features for existing services. Naturally, she went to check them out using the AWS console and aws-cli.

However, even where these services were available in the console and CLI, she ran into permission problems. It turns out that Amazon had not (and still has not) updated the ReadOnlyAccess managed policy in IAM.

This is exactly what a managed policy is for: we attach it to our own roles and let Amazon maintain the specific rules that make the most sense for that policy, so that individual customers don’t have to make the updates themselves.

Note to Amazon: Please add “Update Managed Policies” to the checklist for launching APIs for new services and features.

Solution

Jennine put together the following managed policy that you can add to your account so that you can access the new features that AWS is making available in Elasticsearch and Config Rules.

This also provides some read-only features that are missing for other services like CloudTrail. For example, CloudTrail recommends including “cloudtrail:LookupEvents” in a read-only policy, but that is missing in the managed policy provided by Amazon.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccessSupplemental",
      "Action": [
        "es:Describe*",
        "es:List*",
        "config:List*",
        "cloudtrail:LookupEvents"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": { "Bool": { "aws:SecureTransport": "true" } }
    }
  ]
}
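Before creating a supplemental policy like the one above, it is worth checking that every Allow it contains is in fact read-only and keeps the aws:SecureTransport condition. The following script is an added example (not part of the original post or of Amazon's tooling); the read-only verb list it uses is an assumption made for this check, and the sample policy is the post's policy plus one constructed statement that the lint is meant to catch.

```python
import fnmatch
import json

# Verb prefixes treated as read-only here. This list is an assumption made for
# this check, not something AWS publishes; extend it to taste.
READ_ONLY_VERBS = ("describe", "get", "list", "lookup", "view", "search")

# Constructed sample: the post's supplemental policy plus one extra statement
# that would let a "read-only" role pull SQS messages, so the lint has something to flag.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlyAccessSupplemental",
     "Action": ["es:Describe*", "es:List*", "config:List*", "cloudtrail:LookupEvents"],
     "Effect": "Allow", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "Oops", "Action": "sqs:ReceiveMessage", "Effect": "Allow", "Resource": "*"}
  ]
}""")

def _actions(stmt):
    """IAM allows Action to be a string or a list; normalise to a lowercase list."""
    acts = stmt.get("Action", [])
    return [a.lower() for a in ([acts] if isinstance(acts, str) else acts)]

def allows(doc, action):
    """True if some Allow statement matches `action` (IAM wildcards, case-insensitive)."""
    action = action.lower()
    return any(
        fnmatch.fnmatchcase(action, pattern)
        for stmt in doc["Statement"] if stmt.get("Effect") == "Allow"
        for pattern in _actions(stmt)
    )

def lint(doc):
    """Return problems found in Allow statements; an empty list means it looks read-only."""
    problems = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for act in _actions(stmt):
            service, _, verb = act.partition(":")
            if not service or not verb.startswith(READ_ONLY_VERBS):
                problems.append(f"{sid}: {act} is not a read-only action")
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() != "true":
            problems.append(f"{sid}: no aws:SecureTransport=true condition")
    return problems

if __name__ == "__main__":
    print(allows(SAMPLE_POLICY, "cloudtrail:LookupEvents"))  # True
    print(*lint(SAMPLE_POLICY), sep="\n")  # flags the "Oops" statement twice
```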

Setup

Using the aws-cli, you can create this managed policy with a command like:

policy_name=ReadOnlyAccessSupplemental
policy_arn=$(aws iam create-policy \
  --policy-name "$policy_name" \
  --description 'Use in combination with Amazon managed ReadOnlyAccess policy.' \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadOnlyAccessSupplemental",
        "Action": [
          "es:Describe*",
          "es:List*",
          "config:List*",
          "cloudtrail:LookupEvents"
        ],
        "Effect": "Allow",
        "Resource": "*",
        "Condition": { "Bool": { "aws:SecureTransport": "true" } }
      }
    ]
  }' \
  --output text \
  --query 'Policy.Arn')
echo policy_arn=$policy_arn

Then attach the managed policy to your existing role, group, or user.

# role
role_name="readonly" # Replace with your role name
aws iam attach-role-policy \
  --role-name "$role_name" \
  --policy-arn "$policy_arn"

# group
group_name="readonly" # Replace with your group name
aws iam attach-group-policy \
  --group-name "$group_name" \
  --policy-arn "$policy_arn"

# user
user_name="bilbo" # Replace with your user name
aws iam attach-user-policy \
  --user-name "$user_name" \
  --policy-arn "$policy_arn"

Cleanup

If you created the above managed policy and wish to remove it, first detach it from any users, groups, or roles you had attached it to:

aws iam detach-role-policy \
  --role-name "$role_name" \
  --policy-arn "$policy_arn"

aws iam detach-group-policy \
  --group-name "$group_name" \
  --policy-arn "$policy_arn"

aws iam detach-user-policy \
  --user-name "$user_name" \
  --policy-arn "$policy_arn"

and delete the managed policy itself:

aws iam delete-policy \
  --policy-arn "$policy_arn"

Sources

The recommended readonly rules for Amazon Elasticsearch, AWS Config, and CloudTrail were found in these documents: