-
Notifications
You must be signed in to change notification settings - Fork 24
iam 3.4 cluster policies
This document contains requirements and specification for IAM policy updates allowing restriction of images to availability zones. This feature is under consideration for inclusion in the 3.4 release.
| Status | Draft | |
|---|---|---|
| Updated | 2013/08/28 | Initial document |
| Updated | 2013/08/29 | Listed ARN conditions, added more use cases. |
- Policy allows restricting specified images to specified availability zones when running instances.
- Policy can be specified at the account level and applies to account administrators.
- Propagation of restrictions to images created from an image with a restriction (also snapshots)
- Ability to specify restrictions indirectly using mechanisms such as product codes or resource tags
EC2/IAM added support for EC2 specific condition keys earlier in 2013. This includes the key:
ec2:AvailabilityZone
which at first appears useful for restricting images to certain availability zones. This is not the case as the new conditions allow restriction/filtering against (properties of) existing resources rather than filtering on request properties.
In the case of running an instance without specification of an availability zone it is important that the policy mechanism supports selection of an availability zone suitable for the image being launched. This implies that any new condition must restrict/filter availability zones.
We will add a new condition key and support for the ARN evaluation type to allow restriction of specified images to specified availability zones.
ARN condition support is required, other items are nice to have.
The actions permitted in an IAM policy will be updated to the 2013-07-15 API version.
The following conditions are used for conditions on ARN values:
- ArnEquals
- ArnNotEquals
- ArnLike
- ArnNotLike
- Null condition
- ..IfExists conditions ( e.g. StringEqualsIfExists, ArnLikeIfExists )
The following EC2 conditions can further restrict users permissions on instances, volumes and security groups:
- ec2:AvailabilityZone
- ec2:InstanceProfile
- ec2:InstanceType
- ec2:ParentSnapshot
- ec2:Region
- ec2:RootDeviceType
- ec2:VolumeSize
- ec2:EbsOptimized
- ec2:PlacementGroup
- ec2:Tenancy
- ec2:VolumeIops
- ec2:VolumeType
- ec2:Vpc
- ec2:ResourceTag/tag-key
IAM/EC2 extensions will be added for this feature.
Currently only quota policies can be attached to accounts, we will extend this to allow statements with a deny effect (see use cases for an example)
The following Eucalyptus specific extension condition key will be added:
- ec2:TargetImage (or ec2:RequestImage?)
This case covers user policy for preventing launch of an image in an availability zone.
- Attach policy to user:
{
"Statement":[
{
"Effect":"Allow",
"Action":"ec2:*",
"Resource":"*"
},
{
"Effect": "Deny",
"Action": [ "ec2:*" ],
"Resource": "arn:aws:ec2:::availabilityzone/PARTI00",
"Condition": {
"ArnLike": {
"ec2:TargetImage": "arn:aws:ec2:*:*:image/emi-239D37F2"
}
}
}
]
}
- Launch non permitted image as user:
$> euca-run-instances -z PARTI00 emi-239D37F2 euca-run-instances: error (RunInstancesType): Not authorized to use cluster PARTI00
This case covers running an instance of an image that is permitted in some availability zones.
- Attach relevant policy to user.
- Launch of image is successful (availability zone selected)
This case if for running an instance of an image that is not permitted in any availability zone.
- Launch non permitted image:
$> euca-run-instances emi-239D37F2 euca-run-instances: error (RunInstancesType): Not enough resources: no availability zone is available in which you have permissions to run instances.
This case covers account level policy denial.
- Attach policy to account:
{
"Statement": [ {
"Effect": "Deny",
"Action": [ "ec2:RunInstances" ],
"Resource": "arn:aws:ec2:::availabilityzone/PARTI00",
"Condition": {
"ArnLike": {
"ec2:TargetImage": "arn:aws:ec2:*:*:image/emi-239D37F2"
}
}
} ]
}
- Verify administrator in account is not able to run image.
This case covers restriction of instance termination to a specified availability zone.
- Attach policy to user
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [ "ec2:TerminateInstances" ],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:AvailabilityZone": "PARTI00"
}
}
}]
}
- User can only terminate instances in specified availability zone
AWS allows the region condition key to be used in any EC2 action. This case covers use of the condition outside of the expected (instance, security group and volume) actions.
- Attach policy to user
{
"Statement":[
{
"Effect": "Allow",
"Action": [ "ec2:*" ],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Region": "eucalyptus"
}
}
}
]
}
- Create and describe a key pair as the user.
This case ensures that the ..IfExists versions of all conditions are recognized.
- Upload a policy containing ..IfExists versions of each supported condition (other than the Null condition)
- Policy uploads successfully (conditions are recognized)
In this case the condition is only evaluated if the key is present. For run/describe operations the key is null.
- Upload policy with check against null condition key:
{
"Statement":[
{
"Effect": "Allow",
"Action": [ "ec2:*" ],
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"ec2:AvailabilityZone": "PARTI00"
}
}
}
]
}
- Ensure instances can be run, described and deleted in the zone.
This use case covers the Null condition and ec2:AvailabilityZone condition key. The key is present for only some actions (see references)
- Add policy for user
{
"Statement":[{
"Action":["ec2:*"],
"Effect":"Allow",
"Resource":["*"],
"Condition":{
"Null":{"ec2:AvailabilityZone":"true"}
}
}
]
}
- Verify that a volume can be created and described but not deleted as the user.
tag:rls-3.4 tag:iam