
Policy to prevent deletion of an S3 bucket or its objects.
Add the snippet below to the S3 bucket's resource policy. (You also have to disable the ‘Block all public access’ setting.)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "prevent-deletion",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME",
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    }
  ]
}
Allow access to AWS resources from certain IPs only (including the console).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WhiteListIP",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "ALLOWED_IP"
          ]
        }
      }
    }
  ]
}
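Before attaching an IP-restriction deny like this to a user or group, it is worth checking offline that your own egress address really is inside the allowlist, because a wrong CIDR locks the principal out of every API call and the console at once. The script below is an added example and not code from the original page: it builds the policy from a list of CIDR blocks, reproduces the NotIpAddress test with Python's standard ipaddress module, and adds the Bool condition on aws:ViaAWSService that AWS's own documented version of this pattern carries, so that calls AWS services make on your behalf (which arrive from AWS address ranges, not yours) are not denied. All addresses and CIDRs used are constructed placeholders.

```python
"""Offline lockout check for an IP-allowlist Deny policy (added example)."""
import ipaddress


def ip_allowlist_policy(allowed_cidrs, exempt_service_calls=True):
    """Build the Deny statement from this page for a list of CIDR blocks.

    exempt_service_calls adds the aws:ViaAWSService condition that AWS documents
    for this pattern, so requests AWS services make on your behalf are not denied.
    """
    condition = {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}
    if exempt_service_calls:
        condition["Bool"] = {"aws:ViaAWSService": "false"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WhiteListIP",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": condition,
        }],
    }


def denied_by_ip(policy, source_ip, via_aws_service=False):
    """True if a Deny statement in the policy fires for a request from source_ip.

    Models only NotIpAddress on aws:SourceIp and Bool on aws:ViaAWSService,
    which is all this policy uses. A bare address without a prefix length is
    treated as a single host (/32 or /128).
    """
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt["Condition"]
        # Bool condition: the statement only applies when the request value matches it.
        wanted = cond.get("Bool", {}).get("aws:ViaAWSService")
        if wanted is not None and str(via_aws_service).lower() != wanted:
            continue
        networks = [ipaddress.ip_network(c, strict=False)
                    for c in cond["NotIpAddress"]["aws:SourceIp"]]
        # NotIpAddress holds when the address is inside none of the listed networks.
        if not any(addr in net for net in networks):
            return True
    return False


def lockout_risk(policy, my_egress_ips):
    """Return the addresses in my_egress_ips that the policy would deny."""
    return [ip for ip in my_egress_ips if denied_by_ip(policy, ip)]


if __name__ == "__main__":
    # Constructed allowlist: an office range plus one single VPN exit address.
    policy = ip_allowlist_policy(["203.0.113.0/24", "198.51.100.7"])
    print(lockout_risk(policy, ["203.0.113.42", "198.51.100.7", "192.0.2.9"]))
    # -> ['192.0.2.9']
```

Run lockout_risk with the addresses your laptop, CI runner and VPN actually egress from; anything it returns will be denied the moment the policy is attached.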
Policy to prevent deletion of EC2 instances tagged ‘production’
Add the tag ‘production’ with value ‘true’ to the EC2 instances that need to be protected, then attach the policy to the user group.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEc2Deletion",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/production": "true"
        }
      }
    }
  ]
}
Grant read access to your AWS account's resources to a user in another AWS account.
Let your AWS account number be ‘1111-1111-1111’ and the user be in another AWS account, ‘2222-2222-2222’. In your account, create a role named ‘read_only_account’ with the trust relationship below, and attach the AWS managed policy ‘ReadOnlyAccess’ to this role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
In the AWS account ‘2222-2222-2222’, add the policy below to the user ‘user1’.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRolePolicyStmt",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111111111111:role/read_only_account"
    }
  ]
}
That's all!
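A concrete way to generate both halves of this cross-account setup, added here as an example and not taken from the original page: the account IDs are normalised from the dashed form shown in the text to the bare 12-digit form that ARNs require, and anything that is not exactly 12 digits is rejected, a slip that is easy to make when copying IDs by hand and that otherwise yields a principal which silently never matches. The role name ‘read_only_account’ and the user ‘user1’ are the page's; the session name in the usage note is a constructed placeholder.

```python
"""Generate the trust policy and the assume-role policy for cross-account
read access (added example, not code from the original page)."""
import json
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")


def normalize_account_id(raw):
    """Accept '1111-1111-1111' or '111111111111'; reject anything else.

    ARNs need the bare 12-digit form, and a dropped or doubled digit produces
    a principal that simply never matches, so fail loudly here instead.
    """
    digits = raw.replace("-", "")
    if not ACCOUNT_ID.match(digits):
        raise ValueError(f"not a 12-digit AWS account ID: {raw!r}")
    return digits


def role_arn(account, role_name):
    return f"arn:aws:iam::{normalize_account_id(account)}:role/{role_name}"


def trust_policy(trusted_account):
    """Trust relationship for the role in YOUR account.

    Trusting ':root' of the other account delegates the decision to that
    account's own IAM: any principal there that is granted sts:AssumeRole on
    this role's ARN can assume it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{normalize_account_id(trusted_account)}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy(role_account, role_name):
    """Identity policy for the user in the OTHER account: allows assuming exactly one role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeRolePolicyStmt",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn(role_account, role_name),
        }],
    }


if __name__ == "__main__":
    mine, theirs = "1111-1111-1111", "2222-2222-2222"   # the page's example accounts
    print(json.dumps(trust_policy(theirs), indent=2))
    print(json.dumps(assume_role_policy(mine, "read_only_account"), indent=2))
```

With both documents in place, user1 obtains temporary read-only credentials with `aws sts assume-role --role-arn arn:aws:iam::111111111111:role/read_only_account --role-session-name read-only-check` (the session name is a placeholder of your choosing). Keeping the second policy's Resource scoped to the single role ARN rather than `*` is what stops that user from assuming any other role your account happens to trust.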
Allow creation of certain EC2 instance types only.
The following policy denies launching any EC2 instance type other than the nano, micro and small sizes.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictEC2InstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": [
            "*.nano",
            "*.micro",
            "*.small"
          ]
        }
      }
    }
  ]
}
Policy to prevent deletion / modification / rebooting / stopping of an RDS instance.
Tag the RDS DB instance with ‘production’ = ‘true’.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventRDSDeletion",
      "Effect": "Deny",
      "Action": [
        "rds:ModifyDBSnapshot",
        "rds:RebootDBInstance",
        "rds:ModifyDBInstance",
        "rds:DeleteDBSnapshot",
        "rds:DeleteDBInstance",
        "rds:RemoveTagsFromResource",
        "rds:AddTagsToResource",
        "rds:StopDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/production": "true"
        }
      }
    }
  ]
}
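The S3 deletion guard, the tag-based EC2 and RDS guards, and the instance-type restriction above all rely on the same few IAM evaluation rules, and the places where they surprise people are the same too: a Deny with no matching action does nothing (DeleteObject does not cover DeleteObjectVersion on a versioned bucket), a tag condition only fires when the tag is actually present with that value, and a negated operator such as StringNotLike holds when its key is absent from the request, which is why the instance-type deny is scoped to the instance ARN rather than `*`. The evaluator below is an added example, not code from the original page or from AWS: it models just that subset of IAM semantics (wildcards in Action and Resource, StringEquals, StringNotLike, the missing-key rule), ignores Principal, and is run over the page's four policies with constructed account, instance and object identifiers. It is a teaching aid; use the IAM policy simulator for anything authoritative.

```python
"""Offline evaluator for the Deny-only policies on this page (added example, not
code from the original page or from AWS). It models just the subset of IAM
semantics these policies use: '*' wildcards in Action and Resource, StringEquals,
StringNotLike, and the documented rule that a negated operator such as
StringNotLike holds when its key is absent from the request context. Principal
is not evaluated. Account and instance IDs below are constructed placeholders;
use the IAM policy simulator for anything authoritative."""
import fnmatch

S3_GUARD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "prevent-deletion", "Effect": "Deny", "Principal": "*",
    "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*"]}]}

EC2_PRODUCTION_GUARD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyEc2Deletion", "Effect": "Deny",
    "Action": ["ec2:TerminateInstances", "ec2:DeleteTags", "ec2:CreateTags"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/production": "true"}}}]}

# Scoped to the instance ARN: ec2:InstanceType exists only for the instance resource, and
# a negated operator on a missing key would otherwise deny every other resource RunInstances touches.
INSTANCE_TYPE_GUARD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RestrictEC2InstanceTypes", "Effect": "Deny", "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringNotLike": {"ec2:InstanceType": ["*.nano", "*.micro", "*.small"]}}}]}

RDS_PRODUCTION_GUARD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PreventRDSDeletion", "Effect": "Deny",
    "Action": ["rds:ModifyDBSnapshot", "rds:RebootDBInstance", "rds:ModifyDBInstance",
               "rds:DeleteDBSnapshot", "rds:DeleteDBInstance", "rds:RemoveTagsFromResource",
               "rds:AddTagsToResource", "rds:StopDBInstance"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/production": "true"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(value, patterns, case_sensitive=True):
    """IAM-style wildcard match. Action names are case-insensitive, ARNs and tag values are not."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Every operator and every key must hold; within one key, any listed value may match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotLike":
                # Negated operator: holds when the key is missing, or when no pattern matches.
                if actual is not None and _glob_any(actual, expected):
                    return False
            else:
                raise NotImplementedError(f"{operator} is not modelled here")
    return True


def is_denied(policy, action, resource, context=None):
    """True if some Deny statement in the policy applies to this request."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _glob_any(action, stmt["Action"], case_sensitive=False):
            continue
        if not _glob_any(resource, stmt["Resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def with_resource(policy, resource):
    """Copy of a single-statement policy with its Resource swapped, to show the '*' trap."""
    stmt = dict(policy["Statement"][0], Resource=resource)
    return {"Version": policy["Version"], "Statement": [stmt]}


if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:111111111111:instance/*"  # RunInstances: id not assigned yet
    vol = "arn:aws:ec2:us-east-1:111111111111:volume/*"
    print(is_denied(INSTANCE_TYPE_GUARD, "ec2:RunInstances", inst, {"ec2:InstanceType": "m5.large"}))
    print(is_denied(INSTANCE_TYPE_GUARD, "ec2:RunInstances", vol))
    print(is_denied(with_resource(INSTANCE_TYPE_GUARD, "*"), "ec2:RunInstances", vol))
    print(is_denied(S3_GUARD, "s3:DeleteObjectVersion", "arn:aws:s3:::BUCKET_NAME/reports/q1.csv"))
```

The last two calls are the ones to study: with Resource widened back to `*`, the launch is denied for the volume resource even though no instance type is involved, and the bucket guard lets a DeleteObjectVersion through, so on a versioned bucket that action needs to be listed as well if the intent is to block permanent deletion.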