AWS Identity and Access Management template snippets (original) (raw)
This section contains AWS Identity and Access Management template snippets.
Topics
- Declaring an IAM user resource
- Declaring an IAM access key resource
- Declaring an IAM group resource
- Adding users to a group
- Declaring an IAM policy
- Declaring an Amazon S3 bucket policy
- Declaring an Amazon SNS topic policy
- Declaring an Amazon SQS policy
- IAM role template examples
Declaring an IAM user resource
This snippet shows how to declare an AWS::IAM::User resource to create an IAM user. The user is declared with the path ("/") and a login profile with the password (myP@ssW0rd).
The policy document named giveaccesstoqueueonly gives the user permission to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue, and denies access to all other Amazon SQS queue resources. The Fn::GetAtt function gets the Arn attribute of the AWS::SQS::Queue resource myqueue.
The policy document named giveaccesstotopiconly is added to the user to give the user permission to perform all Amazon SNS actions on the Amazon SNS topic resourcemytopic and to deny access to all other Amazon SNS resources. TheRef function gets the ARN of the AWS::SNS::Topic resource mytopic.
JSON
"myuser" : {
"Type" : "AWS::IAM::User",
"Properties" : {
"Path" : "/",
"LoginProfile" : {
"Password" : "myP@ssW0rd"
},
"Policies" : [ {
"PolicyName" : "giveaccesstoqueueonly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}, {
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
}
] }
}, {
"PolicyName" : "giveaccesstotopiconly",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sns:*" ],
"Resource" : [ { "Ref" : "mytopic" } ]
}, {
"Effect" : "Deny",
"Action" : [ "sns:*" ],
"NotResource" : [ { "Ref" : "mytopic" } ]
} ]
}
} ]
}
} YAML
myuser:
Type: AWS::IAM::User
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
Policies:
- PolicyName: giveaccesstoqueueonly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource:
- !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource:
- !GetAtt myqueue.Arn
- PolicyName: giveaccesstotopiconly
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sns:*
Resource:
- !Ref mytopic
- Effect: Deny
Action:
- sns:*
NotResource:
- !Ref mytopicDeclaring an IAM access key resource
This snippet shows an AWS::IAM::AccessKey resource. The myaccesskey resource creates an access key and assigns it to an IAM user that is declared as anAWS::IAM::User resource in the template.
JSON
"myaccesskey" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : { "Ref" : "myuser" }
}
} YAML
myaccesskey:
Type: AWS::IAM::AccessKey
Properties:
UserName:
!Ref myuserYou can get the secret key for an AWS::IAM::AccessKey resource using theFn::GetAtt function. One way to retrieve the secret key is to put it into an Output value. You can get the access key using the Ref function. The following Output value declarations get the access key and secret key for myaccesskey.
JSON
"AccessKeyformyaccesskey" : {
"Value" : { "Ref" : "myaccesskey" }
},
"SecretKeyformyaccesskey" : {
"Value" : {
"Fn::GetAtt" : [ "myaccesskey", "SecretAccessKey" ]
}
} YAML
AccessKeyformyaccesskey:
Value:
!Ref myaccesskey
SecretKeyformyaccesskey:
Value: !GetAtt myaccesskey.SecretAccessKeyYou can also pass the AWS access key and secret key to an Amazon EC2 instance or Auto Scaling group defined in the template. The following AWS::EC2::Instance declaration uses theUserData property to pass the access key and secret key for themyaccesskey resource.
JSON
"myinstance" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"AvailabilityZone" : "us-east-1a",
"ImageId" : "ami-0ff8a91507f77f867",
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [
"", [
"ACCESS_KEY=", {
"Ref" : "myaccesskey"
},
"&",
"SECRET_KEY=",
{
"Fn::GetAtt" : [
"myaccesskey",
"SecretAccessKey"
]
}
]
]
}
}
}
} YAML
myinstance:
Type: AWS::EC2::Instance
Properties:
AvailabilityZone: "us-east-1a"
ImageId: ami-0ff8a91507f77f867
UserData:
Fn::Base64: !Sub "ACCESS_KEY=${myaccesskey}&SECRET_KEY=${myaccesskey.SecretAccessKey}"Declaring an IAM group resource
This snippet shows an AWS::IAM::Group resource. The group has a path ("/myapplication/"). The policy document named myapppolicy is added to the group to allow the group's users to perform all Amazon SQS actions on the Amazon SQS queue resource myqueue and deny access to all other Amazon SQS resources exceptmyqueue.
To assign a policy to a resource, IAM requires the Amazon Resource Name (ARN) for the resource. In the snippet, the Fn::GetAtt function gets the ARN of the AWS::SQS::Queue resource queue.
JSON
"mygroup" : {
"Type" : "AWS::IAM::Group",
"Properties" : {
"Path" : "/myapplication/",
"Policies" : [ {
"PolicyName" : "myapppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [ "sqs:*" ],
"Resource" : [ {
"Fn::GetAtt" : [ "myqueue", "Arn" ]
} ]
},
{
"Effect" : "Deny",
"Action" : [ "sqs:*" ],
"NotResource" : [ { "Fn::GetAtt" : [ "myqueue", "Arn" ] } ]
}
] }
} ]
}
}YAML
mygroup:
Type: AWS::IAM::Group
Properties:
Path: "/myapplication/"
Policies:
- PolicyName: myapppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sqs:*
Resource: !GetAtt myqueue.Arn
- Effect: Deny
Action:
- sqs:*
NotResource: !GetAtt myqueue.ArnAdding users to a group
The AWS::IAM::UserToGroupAddition resource adds users to a group. In the following snippet, the addUserToGroup resource adds the following users to an existing group named myexistinggroup2: the existing userexistinguser1 and the user myuser which is declared as anAWS::IAM::User resource in the template.
JSON
"addUserToGroup" : {
"Type" : "AWS::IAM::UserToGroupAddition",
"Properties" : {
"GroupName" : "myexistinggroup2",
"Users" : [ "existinguser1", { "Ref" : "myuser" } ]
}
}YAML
addUserToGroup:
Type: AWS::IAM::UserToGroupAddition
Properties:
GroupName: myexistinggroup2
Users:
- existinguser1
- !Ref myuserDeclaring an IAM policy
This snippet shows how to create a policy and apply it to multiple groups using anAWS::IAM::Policy resource named mypolicy. Themypolicy resource contains a PolicyDocument property that allows GetObject, PutObject, and PutObjectAcl actions on the objects in the S3 bucket represented by the ARNarn:aws:s3:::myAWSBucket. The mypolicy resource applies the policy to an existing group named myexistinggroup1 and a groupmygroup that's declared in the template as an AWS::IAM::Group resource. This example shows how to apply a policy to a group using the Groups property; however, you can alternatively use the Users property to add a policy document to a list of users.
Important
The Amazon SNS policy actions that are declared in the AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions that are declared in the AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the AWS::IAM::Policy resource, but are invalid for theAWS::SNS::TopicPolicy resource. For more information about valid Amazon SNS policy actions that you can use with the AWS::IAM::Policy resource, seeSpecial information for Amazon SNS policies in the Amazon Simple Notification Service Developer Guide.
JSON
"mypolicy" : {
"Type" : "AWS::IAM::Policy",
"Properties" : {
"PolicyName" : "mygrouppolicy",
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Action" : [
"s3:GetObject" , "s3:PutObject" , "s3:PutObjectAcl" ],
"Resource" : "arn:aws:s3:::myAWSBucket/*"
} ]
},
"Groups" : [ "myexistinggroup1", { "Ref" : "mygroup" } ]
}
}YAML
mypolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: mygrouppolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:PutObjectAcl
Resource: arn:aws:s3:::myAWSBucket/*
Groups:
- myexistinggroup1
- !Ref mygroupDeclaring an Amazon S3 bucket policy
This snippet shows how to create a policy and apply it to an Amazon S3 bucket using theAWS::S3::BucketPolicy resource. Themybucketpolicy resource declares a policy document that allows theuser1 IAM user to perform the GetObject action on all objects in the S3 bucket to which this policy is applied. In the snippet, theFn::GetAtt function gets the ARN of the user1 resource. Themybucketpolicy resource applies the policy to theAWS::S3::BucketPolicy resource mybucket. The Ref function gets the bucket name of the mybucket resource.
JSON
"mybucketpolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyPolicy",
"Version": "2012-10-17",
"Statement" : [ {
"Sid" : "ReadAccess",
"Action" : [ "s3:GetObject" ],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : [
"", [ "arn:aws:s3:::", { "Ref" : "mybucket" } , "/*" ]
] },
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "user1", "Arn" ] }
}
} ]
},
"Bucket" : { "Ref" : "mybucket" }
}
}YAML
mybucketpolicy:
Type: AWS::S3::BucketPolicy
Properties:
PolicyDocument:
Id: MyPolicy
Version: '2012-10-17'
Statement:
- Sid: ReadAccess
Action:
- s3:GetObject
Effect: Allow
Resource: !Sub "arn:aws:s3:::${mybucket}/*"
Principal:
AWS: !GetAtt user1.Arn
Bucket: !Ref mybucketDeclaring an Amazon SNS topic policy
This snippet shows how to create a policy and apply it to an Amazon SNS topic using theAWS::SNS::TopicPolicy resource. The mysnspolicy resource contains a PolicyDocument property that allows the AWS::IAM::User resource myuser to perform thePublish action on an AWS::SNS::Topic resource mytopic. In the snippet, the Fn::GetAtt function gets the ARN for the myuser resource and the Ref function gets the ARN for the mytopic resource.
Important
The Amazon SNS policy actions that are declared in the AWS::IAM::Policy resource differ from the Amazon SNS topic policy actions that are declared in the AWS::SNS::TopicPolicy resource. For example, the policy actions sns:Unsubscribe and sns:SetSubscriptionAttributes are valid for the AWS::IAM::Policy resource, but are invalid for theAWS::SNS::TopicPolicy resource. For more information about valid Amazon SNS policy actions that you can use with the AWS::IAM::Policy resource, seeSpecial information for Amazon SNS policies in the Amazon Simple Notification Service Developer Guide.
JSON
"mysnspolicy" : {
"Type" : "AWS::SNS::TopicPolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyTopicPolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "My-statement-id",
"Effect" : "Allow",
"Principal" : {
"AWS" : { "Fn::GetAtt" : [ "myuser", "Arn" ] }
},
"Action" : "sns:Publish",
"Resource" : "*"
} ]
},
"Topics" : [ { "Ref" : "mytopic" } ]
}
}YAML
mysnspolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Id: MyTopicPolicy
Version: '2012-10-17'
Statement:
- Sid: My-statement-id
Effect: Allow
Principal:
AWS: !GetAtt myuser.Arn
Action: sns:Publish
Resource: "*"
Topics:
- !Ref mytopicDeclaring an Amazon SQS policy
This snippet shows how to create a policy and apply it to an Amazon SQS queue using theAWS::SQS::QueuePolicy resource. ThePolicyDocument property allows the existing user myapp (specified by its ARN) to perform the SendMessage action on an existing queue, which is specified by its URL, and an AWS::SQS::Queue resource myqueue. The Ref function gets the URL for themyqueue resource.
JSON
"mysqspolicy" : {
"Type" : "AWS::SQS::QueuePolicy",
"Properties" : {
"PolicyDocument" : {
"Id" : "MyQueuePolicy",
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "Allow-User-SendMessage",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::123456789012:user/myapp"
},
"Action" : [ "sqs:SendMessage" ],
"Resource" : "*"
} ]
},
"Queues" : [
"https://sqs.us-east-2aws-region.amazonaws.com/123456789012/myexistingqueue",
{ "Ref" : "myqueue" }
]
}
}YAML
mysqspolicy:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Id: MyQueuePolicy
Version: '2012-10-17'
Statement:
- Sid: Allow-User-SendMessage
Effect: Allow
Principal:
AWS: arn:aws:iam::123456789012:user/myapp
Action:
- sqs:SendMessage
Resource: "*"
Queues:
- https://sqs.aws-region.amazonaws.com/123456789012/myexistingqueue
- !Ref myqueueIAM role template examples
This section provides CloudFormation template examples for IAM roles for EC2 Instances.
For more information about IAM roles, see Working with roles in the_AWS Identity and Access Management User Guide_.
IAM role with EC2
In this example, the instance profile is referenced by theIamInstanceProfile property of the EC2 Instance. Both the instance policy and role policy reference AWS::IAM::Role.
JSON
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myEC2Instance": {
"Type": "AWS::EC2::Instance",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"Monitoring": "true",
"DisableApiTermination": "false",
"IamInstanceProfile": {
"Ref": "RootInstanceProfile"
}
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
}YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myEC2Instance:
Type: AWS::EC2::Instance
Version: '2009-05-15'
Properties:
ImageId: ami-0ff8a91507f77f867
InstanceType: m1.small
Monitoring: 'true'
DisableApiTermination: 'false'
IamInstanceProfile:
!Ref RootInstanceProfile
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRoleIAM role with AutoScaling group
In this example, the instance profile is referenced by theIamInstanceProfile property of an AutoScaling Group launch configuration.
JSON
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myLCOne": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Version": "2009-05-15",
"Properties": {
"ImageId": "ami-0ff8a91507f77f867",
"InstanceType": "m1.small",
"InstanceMonitoring": "true",
"IamInstanceProfile": { "Ref": "RootInstanceProfile" }
}
},
"myASGrpOne": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Version": "2009-05-15",
"Properties": {
"AvailabilityZones": [ "us-east-1a" ],
"LaunchConfigurationName": { "Ref": "myLCOne" },
"MinSize": "0",
"MaxSize": "0",
"HealthCheckType": "EC2",
"HealthCheckGracePeriod": "120"
}
},
"RootRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": [ "ec2.amazonaws.com" ]
},
"Action": [ "sts:AssumeRole" ]
} ]
},
"Path": "/"
}
},
"RolePolicies": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "*",
"Resource": "*"
} ]
},
"Roles": [ { "Ref": "RootRole" } ]
}
},
"RootInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ { "Ref": "RootRole" } ]
}
}
}
} YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myLCOne:
Type: AWS::AutoScaling::LaunchConfiguration
Version: '2009-05-15'
Properties:
ImageId: ami-0ff8a91507f77f867
InstanceType: m1.small
InstanceMonitoring: 'true'
IamInstanceProfile:
!Ref RootInstanceProfile
myASGrpOne:
Type: AWS::AutoScaling::AutoScalingGroup
Version: '2009-05-15'
Properties:
AvailabilityZones:
- "us-east-1a"
LaunchConfigurationName:
!Ref myLCOne
MinSize: '0'
MaxSize: '0'
HealthCheckType: EC2
HealthCheckGracePeriod: '120'
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: "*"
Resource: "*"
Roles:
- !Ref RootRole
RootInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref RootRole