
[JAWS-UG CLI] IAM Managed Policy: #17-2 Using AWS Managed Policies


Prerequisites

1. Attaching an AWS Managed Policy

An AWS Managed Policy is a managed policy that AWS itself provides and maintains.
Users cannot modify or delete it. Note that AWS does publish new versions of these policies, so the permissions a group receives from an attached AWS Managed Policy can change without any action in your account; review the current default version before relying on one.

1.1. Listing the AWS Managed Policies

List all AWS Managed Policies.
(By default the number of items displayed is capped at 100.)

command
aws iam list-policies --scope "AWS" --max-items 1000
result
{
    "Marker": "AA*********************************************************************************************************",
    "IsTruncated": true,
    "Policies": [
        {
            "PolicyName": "AdministratorAccess",
            "CreateDate": "2015-02-06T18:39:46Z",
            "AttachmentCount": 2,
            "IsAttachable": true,
            "PolicyId": "ANPAIWMBCKSKIEE64ZLYK",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
            "UpdateDate": "2015-02-06T18:39:46Z"
        },

        (omitted)

        {
            "PolicyName": "AmazonS3FullAccess",
            "CreateDate": "2015-02-06T18:40:58Z",
            "AttachmentCount": 0,
            "IsAttachable": true,
            "PolicyId": "ANPAIFIR6V6BVTRAHWINE",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::aws:policy/AmazonS3FullAccess",
            "UpdateDate": "2015-02-06T18:40:58Z"
        },
        {
            "PolicyName": "AmazonS3ReadOnlyAccess",
            "CreateDate": "2015-02-06T18:40:59Z",
            "AttachmentCount": 0,
            "IsAttachable": true,
            "PolicyId": "ANPAIZTJ4DXE7G6AGAE6M",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "UpdateDate": "2015-02-06T18:40:59Z"
        },

        (omitted)

        {
            "PolicyName": "CloudWatchFullAccess",
            "CreateDate": "2015-02-06T18:40:00Z",
            "AttachmentCount": 0,
            "IsAttachable": true,
            "PolicyId": "ANPAIKEABORKUXN6DEAZU",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::aws:policy/CloudWatchFullAccess",
            "UpdateDate": "2015-02-06T18:40:00Z"
        },
        {
            "PolicyName": "CloudWatchLogsFullAccess",
            "CreateDate": "2015-02-06T18:40:02Z",
            "AttachmentCount": 0,
            "IsAttachable": true,
            "PolicyId": "ANPAJ3ZGNWK2R5HW5BQFO",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
            "UpdateDate": "2015-02-06T18:40:02Z"
        },
        {
            "PolicyName": "CloudWatchLogsReadOnlyAccess",
            "CreateDate": "2015-02-06T18:40:03Z",
            "AttachmentCount": 0,
            "IsAttachable": true,
            "PolicyId": "ANPAJ2YIYDYSNNEHK3VKW",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess",
            "UpdateDate": "2015-02-06T18:40:03Z"
        },
        {
            "PolicyName": "CloudWatchReadOnlyAccess",
            "CreateDate": "2015-02-06T18:40:01Z",
            "AttachmentCount": 0,
            "IsAttachable": true,
            "PolicyId": "ANPAJN23PDQP7SZQAE3QE",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
            "UpdateDate": "2015-02-06T18:40:01Z"
        }
    ]
}

From this list, select the Managed Policy that grants full access to S3.

command
SELECTED_AWS_MANAGED_POLICY='AmazonS3FullAccess'

Look up its ARN.

command
SELECTED_AWS_MANAGED_POLICY_ARN=$(aws iam list-policies --scope "AWS" | jq -r --arg selected_aws_managed_policy "${SELECTED_AWS_MANAGED_POLICY}" '.Policies[] | select(.PolicyName == $selected_aws_managed_policy) | .Arn')
echo "${SELECTED_AWS_MANAGED_POLICY_ARN}"
result
arn:aws:iam::aws:policy/AmazonS3FullAccess

1.2. Attaching the AWS Managed Policy to the IAM group

Check the variables.

command
cat << ETX
        IAM_GROUP_NAME: ${IAM_GROUP_NAME}
        SELECTED_AWS_MANAGED_POLICY_ARN: ${SELECTED_AWS_MANAGED_POLICY_ARN}
ETX
result
        IAM_GROUP_NAME: IAM_full
        SELECTED_AWS_MANAGED_POLICY_ARN: arn:aws:iam::aws:policy/AmazonS3FullAccess

Attach the AWS Managed Policy to the IAM group.

command
aws iam attach-group-policy --group-name ${IAM_GROUP_NAME} --policy-arn ${SELECTED_AWS_MANAGED_POLICY_ARN}
result
(no output)

Confirm that the AWS Managed Policy has been attached to the IAM group.

command
aws iam list-attached-group-policies --group-name ${IAM_GROUP_NAME}
result
{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        }
    ],
    "IsTruncated": false
}
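Steps 1.1 and 1.2 as a single script with the checks you would want before attaching a policy by name: the lookup is filtered inside the CLI with `--query` rather than `jq`, the result must be exactly one attachable ARN in the `aws` account namespace (so a typo cannot turn into an empty `--policy-arn`), and the attachment is re-read afterwards. This is an added example, not code from the original hands-on; `IAM_GROUP_NAME` is read from the environment as in the hands-on, while the script name `attach_managed_policy.sh` and the helper names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original hands-on): resolve an AWS Managed Policy by
# name, refuse anything that is not an AWS-owned attachable policy, attach it to
# the group and verify the attachment. Only the two pure checks run without
# credentials; main() is entered only when a policy name is passed.
set -e

# IAM policy names may contain only [A-Za-z0-9+=,.@_-]; rejecting anything else
# also keeps the name safe to splice into the JMESPath --query below.
is_valid_policy_name() {
  case "$1" in
    ''|*[!A-Za-z0-9+=,.@_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Accept only ARNs of AWS-owned managed policies: the account field is the literal
# "aws" (partition may be aws, aws-cn, aws-us-gov). Customer-managed ARNs are refused.
is_aws_managed_policy_arn() {
  case "$1" in
    arn:aws*:iam::aws:policy/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Name -> ARN, filtered server-side to AWS-scope, attachable policies.
# Fails unless exactly one ARN comes back (an empty ARN would otherwise reach attach-group-policy).
resolve_aws_managed_policy_arn() {
  local name="$1" arn
  is_valid_policy_name "$name" || { echo "invalid policy name: '$name'" >&2; return 1; }
  arn=$(aws iam list-policies --scope AWS \
          --query "Policies[?PolicyName=='${name}' && IsAttachable].Arn" --output text)
  case "$arn" in
    '') echo "no attachable AWS Managed Policy named $name" >&2; return 1 ;;
    *[[:space:]]*) echo "ambiguous result for $name: $arn" >&2; return 1 ;;
  esac
  printf '%s\n' "$arn"
}

# Attach, then confirm the attachment is visible (the list-attached-group-policies step above).
attach_and_verify() {
  local group="$1" arn="$2"
  is_aws_managed_policy_arn "$arn" || { echo "refusing non-AWS-managed ARN: $arn" >&2; return 1; }
  aws iam attach-group-policy --group-name "$group" --policy-arn "$arn"
  aws iam list-attached-group-policies --group-name "$group" \
      --query "AttachedPolicies[?PolicyArn=='${arn}'].PolicyArn" --output text | grep -Fqx "$arn"
}

main() {
  local group="${IAM_GROUP_NAME:?set IAM_GROUP_NAME (e.g. IAM_limited)}" arn
  arn=$(resolve_aws_managed_policy_arn "$1")
  attach_and_verify "$group" "$arn"
  echo "attached $arn to group $group"
}

# Usage: IAM_GROUP_NAME=IAM_limited sh attach_managed_policy.sh AmazonS3FullAccess
if [ $# -gt 0 ]; then main "$1"; fi
```

With no argument the script only defines its functions, so the two pure checks can be exercised without credentials; `resolve_aws_managed_policy_arn` and `attach_and_verify` need the same IAM permissions the hands-on user has.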

Next, try to attach an AWS Managed Policy that the operating user's own inline policy does not allow it to attach, and confirm that the call fails. (The AccessDenied below comes from the permissions of the user running the command, not from the AWS Managed Policy itself.)

command
aws iam attach-group-policy --group-name ${IAM_GROUP_NAME} --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
result
A client error (AccessDenied) occurred when calling the AttachGroupPolicy operation: User: arn:aws:iam::************:user/IAM_limited-JAWSUG_CLI_17-Coedo is not authorized to perform: iam:AttachGroupPolicy on resource: group IAM_limited
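The AccessDenied above is produced by the permissions of the user running the command, not by the policy being attached. One way to build exactly that guard is an inline policy on the operating group that allows `iam:AttachGroupPolicy` and `iam:DetachGroupPolicy` only when the `iam:PolicyARN` condition key matches an allow-list. The script below is an added example and not part of the original hands-on; the group name `IAM_operators`, the inline policy name, the account id `123456789012` and the target group ARN are constructed placeholders, and the allow-list holds the two S3 policies from the listing above.

```shell
#!/usr/bin/env bash
# Added example (not part of the original hands-on): an inline policy for the
# group that *operates* IAM, permitting iam:AttachGroupPolicy / iam:DetachGroupPolicy
# only for an allow-list of AWS Managed Policy ARNs via the iam:PolicyARN condition
# key. An operator bound by it gets AccessDenied when attaching anything else,
# which is the behaviour shown above for AdministratorAccess.
set -e

# Assumed names (not from the original page).
OPERATOR_GROUP_NAME='IAM_operators'                 # group whose members run attach/detach
INLINE_POLICY_NAME='AllowAttachListedManagedPolicies'
ACCOUNT_ID='123456789012'                           # constructed placeholder
TARGET_GROUP_ARN="arn:aws:iam::${ACCOUNT_ID}:group/IAM_limited"
ALLOWED_POLICY_ARNS='arn:aws:iam::aws:policy/AmazonS3FullAccess arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'

# Print the inline policy document.
# $1 = ARN (or ARN pattern) of the group(s) that may be modified, $2.. = allowed policy ARNs.
render_attach_allowlist_policy() {
  local target_group_arn="$1"; shift
  local arns='' arn
  for arn in "$@"; do
    arns="${arns:+${arns}, }\"${arn}\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AttachOrDetachOnlyListedPolicies",
      "Effect": "Allow",
      "Action": ["iam:AttachGroupPolicy", "iam:DetachGroupPolicy"],
      "Resource": "${target_group_arn}",
      "Condition": {"ArnEquals": {"iam:PolicyARN": [${arns}]}}
    },
    {
      "Sid": "ReadPoliciesAndAttachments",
      "Effect": "Allow",
      "Action": ["iam:ListPolicies", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListAttachedGroupPolicies"],
      "Resource": "*"
    }
  ]
}
EOF
}

# Offline pre-flight mirroring the condition: exit 0 if $1 is one of the allowed ARNs ($2..), else 1.
is_allowed_policy_arn() {
  local candidate="$1" arn; shift
  for arn in "$@"; do
    [ "$arn" = "$candidate" ] && return 0
  done
  return 1
}

# Install the guard on the operator group (needs IAM write credentials; not run here).
apply_attach_allowlist_policy() {
  aws iam put-group-policy \
    --group-name "${OPERATOR_GROUP_NAME}" \
    --policy-name "${INLINE_POLICY_NAME}" \
    --policy-document "$(render_attach_allowlist_policy "$@")"
}

# Check the guard with the IAM policy simulator before relying on it; prints
# "allowed" or "implicitDeny". $1 = operator user ARN, $2 = target group ARN, $3 = policy ARN.
simulate_attach() {
  aws iam simulate-principal-policy \
    --policy-source-arn "$1" \
    --action-names iam:AttachGroupPolicy \
    --resource-arns "$2" \
    --context-entries "ContextKeyName=iam:PolicyARN,ContextKeyValues=$3,ContextKeyType=string" \
    --query 'EvaluationResults[0].EvalDecision' --output text
}

# Show the document that would be installed.
render_attach_allowlist_policy "${TARGET_GROUP_ARN}" ${ALLOWED_POLICY_ARNS}
```

`apply_attach_allowlist_policy` installs the document with `put-group-policy`; `simulate_attach` then lets you verify that attaching `AmazonS3FullAccess` evaluates to `allowed` and `AdministratorAccess` to `implicitDeny` before anyone depends on the control. The `iam:PolicyARN` value has to be passed as a context entry, otherwise the simulator cannot evaluate the condition and the request is denied.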

2. Verification

2.1. Create a bucket for verification

Decide on the region

command
export AWS_DEFAULT_REGION='ap-northeast-1'

Decide on the bucket name
(Bucket names must be globally unique. Change it so that it does not collide with anyone else's.)

command
S3_BUCKET_NAME="jaws-ug-cli-17-handson" \
        && echo ${S3_BUCKET_NAME}
result
jaws-ug-cli-17-handson

Confirm that no bucket with this name exists yet

command
aws s3 ls s3://${S3_BUCKET_NAME}/
result
A client error (NoSuchBucket) occurred when calling the ListObjects operation: The specified bucket does not exist

Create the bucket

command
aws s3 mb s3://${S3_BUCKET_NAME}
result
make_bucket: s3://jaws-ug-cli-17-handson/

Confirm that the bucket was created

command
aws s3 ls s3://${S3_BUCKET_NAME}/
result
(no output; the bucket exists but is empty)

2.2. Upload a file

Decide on the name of the file to upload

command
FILE_LOCAL='test01.txt'
result
(no output)

Create the file to upload

command
touch ${FILE_LOCAL}
result
(no output)

Upload the file

command
aws s3 cp ${FILE_LOCAL} s3://${S3_BUCKET_NAME}/
result
upload: ./test01.txt to s3://jaws-ug-cli-17-handson/test01.txt

Confirm that the file was uploaded

command
aws s3 ls s3://${S3_BUCKET_NAME}/
result
2015-04-04 11:47:23          0 test01.txt

3. Detaching the AWS Managed Policy

3.1. Detaching the AWS Managed Policy from the IAM group

Check the variables.

command
cat << ETX
        IAM_GROUP_NAME: ${IAM_GROUP_NAME}
        SELECTED_AWS_MANAGED_POLICY_ARN: ${SELECTED_AWS_MANAGED_POLICY_ARN}
ETX
result
        IAM_GROUP_NAME: IAM_limited
        SELECTED_AWS_MANAGED_POLICY_ARN: arn:aws:iam::aws:policy/AmazonS3FullAccess

Detach the AWS Managed Policy from the IAM group.

command
aws iam detach-group-policy --group-name ${IAM_GROUP_NAME} --policy-arn ${SELECTED_AWS_MANAGED_POLICY_ARN}
result
(no output)

Confirm that the AWS Managed Policy has been detached from the IAM group.

command
aws iam list-attached-group-policies --group-name ${IAM_GROUP_NAME}
result
{
    "AttachedPolicies": [],
    "IsTruncated": false
}