This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Appendix B: Example IAM user policies
This section provides example IAM user policies for a class that uses AWS services, including policies for the professor, teaching assistant, and students. These policies are useful for setting up the “Limited User Access to AWS Management Console” and “Separate AWS Account for Each User” scenarios described earlier in this whitepaper. For more information about policies, see Policies and permissions in IAM.
Example policies for professor (administrator)

- Full administrator access:

  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": "*", "Resource": "*" }
    ]
  }

- Billing access:

  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": [ "aws-portal:ViewBilling" ], "Resource": "*" }
    ]
  }

- Usage access:

  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": [ "aws-portal:ViewUsage" ], "Resource": "*" }
    ]
  }

Example policies for teaching assistant

- Full administrator access, but no access to billing or usage information (the explicit Deny overrides the Allow on "*"):

  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": "*", "Resource": "*" },
      { "Effect": "Deny", "Action": "aws-portal:*", "Resource": "*" }
    ]
  }
Example policies for students

- Permission to create and describe Amazon EBS volumes (attaching and detaching is limited to instances tagged purpose=test):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeVolumes",
          "ec2:DescribeAvailabilityZones",
          "ec2:CreateVolume",
          "ec2:DescribeInstances"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ],
        "Resource": "arn:aws:ec2:region:111122223333:instance/*",
        "Condition": { "StringEquals": { "ec2:ResourceTag/purpose": "test" } }
      },
      {
        "Effect": "Allow",
        "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ],
        "Resource": "arn:aws:ec2:region:111122223333:volume/*"
      }
    ]
  }

- Permission to create and modify Amazon EC2 instances:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances",
          "ec2:DescribeImages",
          "ec2:DescribeInstanceTypes",
          "ec2:DescribeKeyPairs",
          "ec2:DescribeVpcs",
          "ec2:DescribeSubnets",
          "ec2:DescribeSecurityGroups",
          "ec2:CreateSecurityGroup",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateKeyPair"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "*"
      }
    ]
  }

- Prevents modifying resource tags (so a student cannot re-tag resources to widen the tag-based permissions below):

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ],
        "Resource": [ "*" ]
      }
    ]
  }

- For instances with a Student tag, allows students to start, stop, and reboot those instances and to attach volumes to and detach volumes from them. If the professor or teaching assistant applies a Student tag whose value is the IAM user name of a specific student to specific instances, that student can stop, reboot, attach volumes to, and detach volumes from those instances. They can also start instances that they stopped (as long as the Student tag remains on them), but they cannot launch new instances, because ec2:RunInstances is not granted here.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:StartInstances",
          "ec2:StopInstances",
          "ec2:RebootInstances",
          "ec2:AttachVolume",
          "ec2:DetachVolume"
        ],
        "Resource": [
          "arn:aws:ec2:region:account:instance/*",
          "arn:aws:ec2:region:account:volume/*"
        ],
        "Condition": { "StringEquals": { "ec2:ResourceTag/Student": "${aws:username}" } }
      }
    ]
  }
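To make the behaviour of the teaching-assistant policy and the Student-tag policy above concrete, the following is an added example (not part of the whitepaper and not AWS's policy engine): a deliberately simplified evaluator that models only the rules these policies rely on, namely default (implicit) deny, explicit Deny overriding Allow, "*" wildcards in Action and Resource, and a StringEquals condition on ec2:ResourceTag/Student after substituting the ${aws:username} policy variable. The instance and volume IDs, the user names alice and bob, and the request-context dictionaries are constructed for the illustration; the two policy documents are copied from this appendix.

```python
"""Simplified IAM policy evaluator (illustration only, not AWS's engine).

Models: implicit deny by default, explicit Deny wins over Allow, '*' wildcards
in Action/Resource, StringEquals conditions, and ${aws:username} substitution.
Real IAM evaluation has many more rules (NotAction, other condition operators,
resource policies, SCPs, permission boundaries) that are not modelled here."""
import fnmatch
import json

# Policies copied from this appendix.
TA_POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": "*", "Resource": "*" },
  { "Effect": "Deny", "Action": "aws-portal:*", "Resource": "*" } ] }""")

STUDENT_TAG_POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [
  { "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
                "ec2:AttachVolume", "ec2:DetachVolume" ],
    "Condition": { "StringEquals": { "ec2:ResourceTag/Student": "${aws:username}" } },
    "Resource": [ "arn:aws:ec2:region:account:instance/*",
                  "arn:aws:ec2:region:account:volume/*" ],
    "Effect": "Allow" } ] }""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # '*' is the IAM wildcard; action names are case-insensitive, ARNs are not.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modelled. Every key must match its value after
    # variable substitution; a key missing from the request context fails.
    for key, expected in condition.get("StringEquals", {}).items():
        expected = expected.replace("${aws:username}", context.get("aws:username", ""))
        if context.get(key) != expected:
            return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny' for one (action, resource) request.

    context maps request keys such as 'aws:username' and
    'ec2:ResourceTag/Student' to the values present on this request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny


def demo():
    # Constructed resource identifiers for the illustration.
    inst = "arn:aws:ec2:region:account:instance/i-0123456789abcdef0"
    vol = "arn:aws:ec2:region:account:volume/vol-0123456789abcdef0"
    alice_on_own = {"aws:username": "alice", "ec2:ResourceTag/Student": "alice"}
    alice_on_bobs = {"aws:username": "alice", "ec2:ResourceTag/Student": "bob"}
    untagged = {"aws:username": "alice"}   # resource carries no Student tag
    return {
        # Teaching assistant: EC2 is allowed, billing is explicitly denied.
        "ta_stop": evaluate([TA_POLICY], "ec2:StopInstances", inst, {}),
        "ta_billing": evaluate([TA_POLICY], "aws-portal:ViewBilling", "*", {}),
        # Student alice on an instance tagged Student=alice.
        "alice_own": evaluate([STUDENT_TAG_POLICY], "ec2:StopInstances", inst, alice_on_own),
        # alice on an instance tagged Student=bob: condition fails, implicit deny.
        "alice_other": evaluate([STUDENT_TAG_POLICY], "ec2:StopInstances", inst, alice_on_bobs),
        # alice cannot launch new instances: RunInstances is not in the policy.
        "alice_run": evaluate([STUDENT_TAG_POLICY], "ec2:RunInstances", "*", untagged),
        # AttachVolume is authorized against the volume too; an untagged volume fails.
        "alice_untagged_volume": evaluate([STUDENT_TAG_POLICY], "ec2:AttachVolume", vol, untagged),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The last case is the caveat worth remembering when using the Student-tag policy: ec2:AttachVolume and ec2:DetachVolume are authorized against both the instance ARN and the volume ARN, and this statement applies the same tag condition to both resource types, so a volume also needs a Student tag equal to the student's user name or the attach request is implicitly denied. The "Prevents modifying resource tags" policy is what keeps students from adding that tag themselves.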