ElastiCache allows you to control access to your cache clusters using cache security groups. A cache security group acts like a firewall controlling network access to your cache cluster.
Important
ElastiCache uses cache security groups to control who has access to specific ElastiCache cache clusters. There's no way in the IAM system to allow or deny access to a specific cache cluster.
For more information about using security groups with ElastiCache, refer to the Amazon ElastiCache User Guide.
Using IAM with ElastiCache doesn't change how you use ElastiCache cache security groups to grant access to cache clusters. However, you can use IAM policies to specify which ElastiCache actions a User in your AWS Account can use with ElastiCache resources in general. Because you can't specify a particular cache cluster in the policy, you must specify * as the resource to indicate all cache clusters in the AWS Account.
Example
You could create a policy that gives the Developers group permission to use only these APIs: CreateCacheCluster, DescribeCacheClusters, ModifyCacheCluster, RebootCacheCluster, DeleteCacheCluster, DescribeEvents. They could then use those APIs with any cache cluster that belongs to your AWS Account.
For examples of IAM policies that cover ElastiCache actions, see Example Policies for ElastiCache.
Because you can't specify a particular ElastiCache resource in an IAM policy, ElastiCache has no ARNs. When writing a policy to control access to ElastiCache actions, you use * as the resource. For more information about ARNs, go to ARNs in the AWS Identity and Access Management (IAM) documentation.
In an IAM policy, you can specify any and all actions that ElastiCache offers. Each action name must be prefixed with the lowercase string elasticache:. For example: elasticache:ModifyCacheCluster, elasticache:DescribeCacheClusters, or elasticache:* (for all ElastiCache actions). For a list of the actions, refer to the Query API action names in the ElastiCache API Reference.
ElastiCache implements the following policy keys, but no others. For more information about policy keys, go to Condition in the AWS Identity and Access Management (IAM) documentation.
AWS-Wide Policy Keys
aws:CurrentTime—To check for date/time conditions.
aws:EpochTime—To check for date/time conditions using a date in epoch or UNIX time.
aws:MultiFactorAuthAge—To check how long ago (in seconds) the MFA-validated security credentials making the request were issued using Multi-Factor Authentication (MFA). Unlike other keys, if MFA is not used, this key is not present.
aws:principaltype—To check the type of principal (user, account, federated user, etc.) for the current request.
aws:SecureTransport—To check whether the request was sent using SSL. For services that use only SSL, such as Amazon RDS and Amazon Route 53, the aws:SecureTransport key has no meaning.
aws:SourceArn—To check the source of the request, using the Amazon Resource Name (ARN) of the source. (This value is available for only some services. For more information, see Amazon Resource Name (ARN) under "Element Descriptions" in the Amazon Simple Queue Service Developer Guide.)
aws:SourceIp—To check the IP address of the requester. Note that if you use aws:SourceIp, and the request comes from an Amazon EC2 instance, the public IP address of the instance is evaluated.
aws:UserAgent—To check the client application that made the request.
aws:userid—To check the user ID of the requester.
aws:username—To check the user name of the requester, if available.
Note
Key names are case sensitive.
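As an added example (not code from the AWS documentation), the following Python models how IAM evaluates the policy shapes this page uses: wildcard action names with Resource "*", and Condition tests on aws:SecureTransport, aws:SourceIp and aws:MultiFactorAuthAge, including the case where MFA was not used and the key is simply absent from the request. The policy, the request contexts and the three condition operators modelled are assumptions for illustration.

```python
import fnmatch
import ipaddress

def _matches_action(patterns, action):
    # IAM compares action names case-insensitively; '*' is a wildcard.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, request):
    # Key names are case sensitive; a key absent from the request context
    # (e.g. aws:MultiFactorAuthAge when MFA was not used) fails the test.
    for operator, tests in condition.items():
        for key, expected in tests.items():
            if key not in request:
                return False
            actual = request[key]
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "NumericLessThan":
                if not int(actual) < int(expected):
                    return False
            elif operator == "IpAddress":
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True

def is_allowed(policy, action, request):
    """True if an Allow statement on Resource '*' covers the action and its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            continue
        if _matches_action(stmt["Action"], action) and _condition_holds(stmt.get("Condition", {}), request):
            return True
    return False

# Constructed policy: Example 2's Describe* grant, plus two mutating actions
# allowed only over SSL, from one network, with MFA issued under an hour ago.
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "elasticache:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["elasticache:ModifyCacheCluster", "elasticache:RebootCacheCluster"],
     "Condition": {"Bool": {"aws:SecureTransport": "true"},
                   "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}},
]}
```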
This section shows a few simple policies for controlling user access to Amazon ElastiCache.
Note
In the future, ElastiCache might add new actions that should logically be included in one of the following policies, based on the policy’s stated goals.
Example 1: Allow a Network Admin group to only be able to access the APIs related to ElastiCache security groups
In this example, we create a policy that gives access to the relevant actions and attach it to the group. The resource is stated as "*", because you can't specify a particular ElastiCache resource in an IAM policy.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:CreateCacheSecurityGroup",
        "elasticache:DeleteCacheSecurityGroup",
        "elasticache:DescribeCacheSecurityGroups",
        "elasticache:AuthorizeCacheSecurityGroupIngress",
        "elasticache:RevokeCacheSecurityGroupIngress"
      ],
      "Resource": "*"
    }
  ]
}
Example 2: Allow managers to only be able to list the current ElastiCache resources in the AWS Account
In this example, we create a policy that lets managers use the ElastiCache actions with Describe in the name.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticache:Describe*",
      "Resource": "*"
    }
  ]
}
Example 3: Allow a system administrator to access a select set of ElastiCache actions
In this example, we create a policy that gives access to the relevant actions for system administrators and attach it to the group. As with the other examples, the resource is stated as "*", because you can't specify a particular ElastiCache resource in an IAM policy.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticache:ModifyCacheCluster",
        "elasticache:RebootCacheCluster",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeEvents",
        "elasticache:ModifyCacheParameterGroup",
        "elasticache:DescribeCacheParameterGroups",
        "elasticache:DescribeCacheParameters",
        "elasticache:ResetCacheParameterGroup",
        "elasticache:DescribeEngineDefaultParameters"
      ],
      "Resource": "*"
    }
  ]
}
Recent changes to ElastiCache may cause an error for some IAM users that were set up with permissions based on the ElastiCache Full Access policy templates. The error may display "Failed to retrieve account attributes, certain console functions may be impaired." shown at the top of the page or "Error calling EC2.DescribeSecurityGroups". The error is caused by the console invoking actions that have not explicitly been given permissions in the ElastiCache Full Access policies.
In order to resolve this issue, your IAM administrator must update the IAM user's policy document to allow two additional Amazon EC2 actions: ec2:DescribeAccountAttributes and ec2:DescribeSecurityGroups. You must make this change for any IAM user or group that was assigned a policy that was based on the ElastiCache Full Access policy templates.
For example, the following code is the default policy document for the ElastiCache Full Access policy template.
{
  "Statement": [
    {
      "Action": [
        "elasticache:*",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:DescribeAlarms",
        "sns:ListTopics",
        "sns:ListSubscriptions"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Add the two additional actions stated above to get the following policy document, which gives the console permission to invoke the needed actions.
{
  "Statement": [
    {
      "Action": [
        "elasticache:*",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSecurityGroups",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:DescribeAlarms",
        "sns:ListTopics",
        "sns:ListSubscriptions"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
For information about updating IAM policies, see Managing IAM Policies.
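The following Python, added here and not part of the AWS page, audits a policy document built from the ElastiCache Full Access template for the two EC2 actions the console needs and returns a patched copy with them added. The embedded document is the default template above as constructed input; the function names and the wildcard handling are this example's own assumptions.

```python
import copy
import json

# The two EC2 actions the console now needs, per the text above.
REQUIRED_CONSOLE_ACTIONS = ("ec2:DescribeAccountAttributes",
                            "ec2:DescribeSecurityGroups")

# The page's default Full Access template, embedded here as constructed input.
DEFAULT_FULL_ACCESS = json.loads("""{
  "Statement": [{
    "Action": ["elasticache:*", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs",
               "cloudwatch:GetMetricStatistics", "cloudwatch:DescribeAlarms",
               "sns:ListTopics", "sns:ListSubscriptions"],
    "Effect": "Allow",
    "Resource": "*"
  }]
}""")

def _allowed_actions(policy):
    """Collect every action name granted by an Allow statement on Resource '*'."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def missing_console_actions(policy):
    """Return the required EC2 actions this policy does not grant.
    Only exact names and the broad 'ec2:*' / '*' wildcards are recognised,
    so the result stays easy to audit by eye."""
    granted = _allowed_actions(policy)
    if "*" in granted or "ec2:*" in granted:
        return []
    return [a for a in REQUIRED_CONSOLE_ACTIONS if a not in granted]

def add_console_actions(policy):
    """Return a patched copy; the input document is left untouched."""
    patched = copy.deepcopy(policy)
    missing = missing_console_actions(patched)
    if not missing:
        return patched
    for stmt in patched["Statement"]:
        actions = stmt.get("Action")
        if (stmt.get("Effect") == "Allow" and isinstance(actions, list)
                and "elasticache:*" in actions):
            actions.extend(missing)   # extend the Full Access statement in place
            return patched
    # No Full Access statement to extend: append a statement with just the two.
    patched["Statement"].append({"Action": missing, "Effect": "Allow", "Resource": "*"})
    return patched
```

Run missing_console_actions over each user's and group's policy documents to find the ones still affected, and feed the result of add_console_actions back through whatever you use to manage IAM policies.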