Forum Discussion

CalumS
2 months ago

IAM: Demonstrate Your Skills - Developer access (2/3)

Developer access (2/3)
I have completed the developer access question 1 with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::147026630027:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "lambda.amazonaws.com"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "lambda:*",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": "lambda:*",
            "Resource": "arn:aws:lambda:us-east-1:147026630027:function:virus-scanner"
        }
    ]
}

Currently stuck on the Developer access 2 question:
Update the developers-lambda policy, with the following additional permissions:

  • Ensure the policy allows CreatePolicy, CreateRole, GetRole, GetPolicy, GetPolicyVersion, ListRoles, ListPolicies, ListRolePolicies, and ListAttachedRolePolicies actions for all resources.
  • Ensure the policy allows role policy attachment to all resources, but only when the developers-s3 arn:aws:iam::147026630027:policy/developers-s3 policy is present as a permissions boundary. This essentially restricts the maximum permissions of any developer-created role. Leave any condition qualifiers as default and ArnEquals as the condition.

I have this code but it is not working:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::147026630027:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "lambda.amazonaws.com"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "lambda:*",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:ListRoles",
                "iam:ListPolicies",
                "iam:ListRolePolicies"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::147026630027:policy/developers-s3"
                }
            }
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Deny",
            "Action": "lambda:*",
            "Resource": "arn:aws:lambda:us-east-1:147026630027:function:virus-scanner"
        }
    ]
}

Any help would be greatly appreciated. Thanks
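The "not working" behaviour can be reproduced with a small policy evaluator. What follows is an added example, not code from the post, the course, or AWS: it models IAM's evaluation order in a simplified way (an explicit Deny wins, otherwise any matching Allow grants, and a condition on a request-context key that the request does not carry evaluates to false), embeds the posted policy as a Python dict, and places beside it a restructured version that reflects my reading of the task (the boundary check in its own statement on iam:AttachRolePolicy using ArnEquals on iam:PermissionsBoundary, plus the iam:ListAttachedRolePolicies action that the posted list omits). The role ARN and request contexts are constructed sample values. The point it shows: the posted VisualEditor1 statement attaches the permissions-boundary condition to every action in it, and requests such as ListRoles or lambda:* calls carry no iam:PermissionsBoundary key, so that whole statement grants nothing, which also removes the Lambda access that worked in part 1.

```python
"""Toy IAM policy evaluator (added example; not course or AWS code)."""
import fnmatch

ACCOUNT = "147026630027"  # account id as it appears in the post
BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/developers-s3"
SCANNER = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:virus-scanner"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/demo-role"  # constructed sample role


def _listify(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """StringEquals/ArnEquals/ArnLike are modelled as wildcard-aware matches.
    A key missing from the request context makes the condition false, as in
    real IAM for these operators (there is no ...IfExists here)."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "ArnEquals", "ArnLike"):
            raise ValueError(f"operator {operator} not modelled")
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if not any(fnmatch.fnmatchcase(actual, w) for w in _listify(wanted)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# The policy exactly as posted in the question, as a Python dict.
POSTED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["lambda:*", "iam:CreatePolicy", "iam:CreateRole", "iam:GetRole",
                    "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListRoles",
                    "iam:ListPolicies", "iam:ListRolePolicies"],
         "Resource": "*",
         # This condition gates every action above on a key that List/Get/lambda
         # requests never carry, so the statement grants nothing for them.
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY}}},
        {"Sid": "VisualEditor3", "Effect": "Deny", "Action": "lambda:*", "Resource": SCANNER},
    ],
}

# One restructuring (my reading of the task, not the course's answer key):
# the boundary check gets its own statement on iam:AttachRolePolicy with
# ArnEquals, and the unconditioned read/create actions stay separate.
REWORKED = {
    "Version": "2012-10-17",
    "Statement": [
        POSTED["Statement"][0],  # PassRole to Lambda, unchanged
        {"Sid": "LambdaAndIamReadCreate", "Effect": "Allow",
         "Action": ["lambda:*", "iam:CreatePolicy", "iam:CreateRole", "iam:GetRole",
                    "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListRoles",
                    "iam:ListPolicies", "iam:ListRolePolicies",
                    "iam:ListAttachedRolePolicies"],
         "Resource": "*"},
        {"Sid": "AttachOnlyWithBoundary", "Effect": "Allow",
         "Action": "iam:AttachRolePolicy", "Resource": "*",
         "Condition": {"ArnEquals": {"iam:PermissionsBoundary": BOUNDARY}}},
        POSTED["Statement"][2],  # explicit deny on virus-scanner, unchanged
    ],
}

if __name__ == "__main__":
    checks = [
        ("iam:ListRoles", "*", {}),
        ("lambda:InvokeFunction", f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:demo", {}),
        ("iam:AttachRolePolicy", ROLE, {"iam:PermissionsBoundary": BOUNDARY}),
        ("iam:AttachRolePolicy", ROLE, {}),
        ("lambda:InvokeFunction", SCANNER, {}),
    ]
    for action, resource, ctx in checks:
        print(f"{action:24} posted={evaluate(POSTED, action, resource, ctx):12} "
              f"reworked={evaluate(REWORKED, action, resource, ctx)}")
```

The evaluator is deliberately minimal (no policy variables, no NotAction, no Null or IfExists operators), which is enough to show why gating a whole statement on iam:PermissionsBoundary silently breaks actions whose requests do not carry that key; ArnEquals and ArnLike are modelled identically here.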

  • Implement the 2nd bullet point first, then implement the 1st bullet point.

  • TillyCorless (Community Manager)

    Hi CalumS

    Did the response from netcat help?

    If you found a reply useful, please don't forget to mark it as a Solution ✅

    Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.