Compatibility of AWS EC2 API Actions and IAM Policy Resource-Level Permissions

In this blog post I will examine how the partial implementation of one IAM policy feature, resource-level permissions, interacts with AWS EC2 API actions to produce confusing results. Please note that AWS states in its documentation that it plans to expand the set of actions that support resource-level permissions, so check the links at the bottom of this post for the most up-to-date information.

Below is a short Python program (troubleshooting.py) that calls the ec2:DescribeVolumes action through boto. The access/secret key pair has been omitted; to use this code, insert an access key and secret key generated for an IAM user in the IAM section of the AWS Console. The IAM user to whom my key pair belongs is constrained by a single IAM policy. This matters because it is possible to attach multiple IAM policies to a user, and the policies are evaluated together, so having several attached would change the behaviour beyond what a single policy shows.

troubleshooting.py
# Legacy boto (not boto3); the call maps directly to the ec2:DescribeVolumes API action.
from boto.ec2.connection import EC2Connection

# Replace the placeholders with the IAM user's access key and secret key.
conn = EC2Connection('ACCESS_KEY', 'SECRET_KEY')

# Lists every volume the key pair is permitted to describe, or raises an
# EC2ResponseError carrying the UnauthorizedOperation code shown later in the post.
print(conn.get_all_volumes())

This program will remain unchanged throughout this blog post; the IAM policy is the only component that we alter. This IAM policy is the only policy applied to the IAM user for which we generated the access/secret key pair. In other words, the user's access is defined entirely by the listed IAM policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1414688041000",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

When I apply the above IAM policy and run troubleshooting.py, the results I am expecting (a list of EC2 volume-ids) are returned. I also confirm in CloudTrail that the API call was received and returned without error. I will omit the CloudTrail logs here for brevity’s sake.

I want to narrow the scope of the resources this access/secret key pair can reach to EC2 volumes only. Why? In short, because I want to limit each user to only those resources they absolutely need. Any future edit to this policy could otherwise enable API actions across the entire AWS account, while this access/secret key pair should never be used for anything other than managing snapshots of EC2 volumes. So I edit the policy to the one below, following the ARN format documented at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#EC2_ARN_Format. The policy below will (in theory) allow the user whose access/secret key pair we are using to access all volumes in a particular AWS account. The actual AWS account ID has been omitted. Also remember to use the correct region in the ARN: my example uses us-east-1, so update this if you are working in a different region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1414688041000",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:AWS_ACCOUNT_ID:volume/*"
      ]
    }
  ]
}

Upon applying this change to the IAM policy and running troubleshooting.py, I receive the following response error:
<Response><Errors><Error><Code>UnauthorizedOperation</Code><Message>You are not authorized to perform this operation.</Message></Error></Errors><RequestID>1bb14945-28cd-4dc6-bbbd-7cc64fe614c7</RequestID></Response>

Even more confusing, when I use the IAM policy simulator to call DescribeVolumes on a volume in my account (in the simulator I specify the ARN of a volume that appeared in the list returned when troubleshooting.py ran successfully), the simulator reports that the DescribeVolumes action is allowed under the very policy that just produced an UnauthorizedOperation error.

We find the answer in the AWS docs, at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#unauthorized-operation:

Currently, not all API actions support resource-level permissions; we’ll add support for more in 2014. For more information about which ARNs you can use with which Amazon EC2 API actions, see Granting IAM Users Required Permissions for Amazon EC2 Resources in the Amazon EC2 API Reference.

We confirmed this with Amazon: for any EC2 API action that is listed either here or here, resource-level permissions are supported. Otherwise, the ARN must be "*".
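A practical way to catch this mistake before it reaches CloudTrail is to lint the policy document for it. The script below is an added example written for this post, not code from the original or from AWS. It flags any Allow statement that binds an ec2:Describe* action to something other than the "*" resource, and offers a rewrite that moves the Describe actions into their own "*" statement while leaving the remaining actions on their original, narrower ARNs. The post only establishes this for ec2:DescribeVolumes; extending the rule to every ec2:Describe* action is an assumption made by the example. The sample policy embedded in it is the second policy from the post, with the account ID placeholder kept as-is.

```python
"""Lint an IAM policy document for EC2 Describe* actions bound to a
specific resource ARN instead of "*".

Added example for this post, not code from the original.  The rule here is
the one the post ran into: ec2:DescribeVolumes does not support
resource-level permissions, so its Resource must be "*" or the API call
fails with UnauthorizedOperation.  Applying the same rule to every
ec2:Describe* action is an assumption made for this example.
"""
import copy
import json

# Constructed sample: the volume-scoped policy from the post, with the
# AWS_ACCOUNT_ID placeholder left in place.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1414688041000",
      "Effect": "Allow",
      "Action": ["ec2:DescribeVolumes"],
      "Resource": ["arn:aws:ec2:us-east-1:AWS_ACCOUNT_ID:volume/*"]
    }
  ]
}
""")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def needs_wildcard(action):
    """True for actions that, under this example's assumption, reject resource ARNs."""
    return action.lower().startswith("ec2:describe")


def find_misscoped_describes(policy):
    """Return (Sid, action) pairs where an ec2:Describe* action is Allowed on
    anything other than the "*" resource.  Such a statement grants nothing in
    practice: the API returns UnauthorizedOperation."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if needs_wildcard(action):
                findings.append((stmt.get("Sid"), action))
    return findings


def split_describe_statements(policy):
    """Return a copy of the policy in which each flagged statement is split:
    the Describe* actions move to a new statement on Resource "*", and any
    other actions keep their original, narrower ARNs unchanged."""
    fixed = copy.deepcopy(policy)
    new_statements = []
    for stmt in _as_list(fixed.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource")):
            new_statements.append(stmt)
            continue
        describes = [a for a in actions if needs_wildcard(a)]
        others = [a for a in actions if not needs_wildcard(a)]
        if not describes:
            new_statements.append(stmt)
            continue
        if others:
            kept = dict(stmt)          # same Sid, Effect, Resource; Describe actions removed
            kept["Action"] = others
            new_statements.append(kept)
        new_statements.append({
            "Sid": (stmt.get("Sid") or "Stmt") + "Describe",
            "Effect": "Allow",
            "Action": describes,
            "Resource": "*",
        })
    fixed["Statement"] = new_statements
    return fixed


if __name__ == "__main__":
    for sid, action in find_misscoped_describes(SCOPED_POLICY):
        print('statement %s: %s needs Resource "*"' % (sid, action))
    print(json.dumps(split_describe_statements(SCOPED_POLICY), indent=2))
```

Run against the post's policy, the linter reports the single DescribeVolumes statement, and the rewrite produces the first, working policy again. The rewrite deliberately does not widen anything except the Describe actions, so whatever volume-scoped ARNs you attach to other actions in the same statement stay scoped.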
