IAM for an S3 Bucket

Disclaimer: This is for a weekend project, not an enterprise organization. You'll see use of * here in IAM policies. As Chief Executive Officer of my stupid weekend project, I have been briefed by our Chief Information Officer of this stupid weekend project (also me) and I (as CEO) have accepted the associated risks. I (as CIO) do not approve, but I remain committed to support stupid weekend project in any way I can, until our Chief Technology Officer (also me) is able to assign someone (let's face it - me) to build thoughtful people-centric security IAM policies for stupid weekend project.

Allow Editing S3 Buckets

I created the basic IAM group I need with setup.iam.s3site.yml. That Ansible playbook creates a group named edit_<s3bucket> and attaches the policy rendered from iam_edit_s3.j2, in which the bucket name is filled in from the s3bucket variable:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::www.{{ s3bucket }}"]
        },
        {
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": ["arn:aws:s3:::www.{{ s3bucket }}/*"]
        }
    ]
}

Note that, as usual, this playbook must be run with the s3bucket variable set, since both the group name and the Resource ARNs are built from it. Also note that s3:*Object matches every action whose name ends in Object, so it grants DeleteObject and RestoreObject alongside GetObject and PutObject, while leaving out the *ObjectAcl and *ObjectTagging families; enumerate the actions instead if deletes should not be part of the editor role.

ansible-playbook -e "s3bucket=edthe.dev" setup.iam.s3site.yml

Allow use of S3 Bucket Editing Software

I also find that any user who needs to edit an S3 bucket is going to want to use a piece of editing software, which typically authenticates with an access key. Rather than hand out access keys myself, I grant users permission to manage their own in setup.iam.accesskeys.yml:

---
- name: Set up IAM user groups
  hosts: localhost
  connection: local
  gather_facts: no

  tasks:
  - name: group allowed to manage own access keys
    community.aws.iam_group:
      name: 'self_manage_access_keys'
      state: present
      # Detaches any managed policies already attached to the group; the
      # inline policy added by the next task is not affected
      purge_policies: yes
  - name: apply policy
    community.aws.iam_policy:
      iam_name: 'self_manage_access_keys'
      iam_type: group
      policy_name: 'policy-manage-access-keys'
      state: present
      # Path to the policy file; later community.aws releases deprecate
      # policy_document in favour of policy_json (the JSON text itself)
      policy_document: '../files/iam.allow.accesskeys.json'

This playbook applies the policy in iam.allow.accesskeys.json. The ${aws:username} policy variable scopes every action to the caller's own user ARN, so a single group policy serves every user. (The CreateOwnAccessKeys statement is a strict subset of ManageOwnAccessKeys, so it is redundant but harmless.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:GetUser",
                "iam:ListAccessKeys"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "ManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetAccessKeyLastUsed",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}

ansible-playbook setup.iam.accesskeys.yml
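To sanity-check both policies offline before running the playbooks, here is an added Python script that is not part of the original playbooks. It renders the bucket template with an s3bucket value (a regex stands in for Ansible's Jinja2 rendering), then evaluates sample requests against the bucket-editing policy and the access-key policy with a deliberately small model of IAM's evaluation rules, including the ${aws:username} substitution. It assumes the Resource ARNs in iam_edit_s3.j2 are templated with {{ s3bucket }}, as the -e s3bucket=edthe.dev invocation implies; the account id 123456789012, the user names alice and bob, and the short S3 action list are constructed for the example.

```python
"""Offline check of the two IAM policies on this page (added example).

A regex stands in for Ansible's Jinja2 rendering of {{ s3bucket }}, and a
small model of IAM evaluation decides sample requests: explicit Deny wins,
else any matching Allow grants, else implicit deny. Actions match
case-insensitively, resource ARNs case-sensitively, and ${aws:username} is
substituted. Conditions, NotAction/NotResource, resource policies,
permission boundaries and SCPs are not modelled.
"""
import fnmatch
import json
import re

# iam_edit_s3.j2; the Resource ARNs are assumed to carry {{ s3bucket }}.
EDIT_S3_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::www.{{ s3bucket }}"]},
    {"Effect": "Allow", "Action": "s3:*Object",
     "Resource": ["arn:aws:s3:::www.{{ s3bucket }}/*"]}
  ]
}"""

# iam.allow.accesskeys.json as shown on the page.
ACCESS_KEYS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CreateOwnAccessKeys", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:GetUser", "iam:ListAccessKeys"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "ManageOwnAccessKeys", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetAccessKeyLastUsed",
                "iam:GetUser", "iam:ListAccessKeys", "iam:UpdateAccessKey"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"}
  ]
}""")

# Constructed subset of real S3 actions, only used to expand "s3:*Object".
S3_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:RestoreObject",
              "s3:ReplicateObject", "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:ListBucket",
              "s3:GetBucketLocation", "s3:PutBucketPolicy", "s3:DeleteBucket"]
ACCOUNT = "123456789012"  # constructed account id for the sample ARNs

def render_template(template, s3bucket):
    """Substitute {{ s3bucket }} as `ansible-playbook -e s3bucket=...` would."""
    return json.loads(re.sub(r"\{\{\s*s3bucket\s*\}\}", lambda _m: s3bucket, template))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, case_sensitive):
    """IAM wildcard match: * and ? only, and * also crosses '/' and ':'."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource, username="nobody"):
    """Decide one request against one identity-based policy."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = [r.replace("${aws:username}", username)
                     for r in _as_list(stmt.get("Resource", []))]
        if not any(_glob(a, action, False) for a in actions):
            continue
        if not any(_glob(r, resource, True) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed

def expand_action_pattern(pattern, catalogue=S3_ACTIONS):
    """Which known actions a wildcard such as s3:*Object really grants."""
    return sorted(a for a in catalogue if _glob(pattern, a, False))

def edit_policy_decisions(s3bucket="edthe.dev"):
    """Sample requests against the rendered bucket-editing policy."""
    policy = render_template(EDIT_S3_TEMPLATE, s3bucket)
    bucket = f"arn:aws:s3:::www.{s3bucket}"
    obj = f"{bucket}/index.html"
    requests = [("s3:ListAllMyBuckets", "*"), ("s3:ListBucket", bucket),
                ("s3:PutObject", obj), ("s3:DeleteObject", obj),  # *Object includes deletes
                ("s3:GetObjectAcl", obj),        # ...but not the *ObjectAcl family
                ("s3:PutObject", bucket),        # object action aimed at the bucket ARN
                ("s3:PutBucketPolicy", bucket),  # no bucket-configuration rights
                ("s3:PutObject", "arn:aws:s3:::www.someone-else.example/index.html")]
    return {f"{a} {r}": is_allowed(policy, a, r) for a, r in requests}

def access_key_decisions(username="alice"):
    """Sample requests by `username` against the self-service access-key policy."""
    own = f"arn:aws:iam::{ACCOUNT}:user/{username}"
    requests = [("iam:CreateAccessKey", own), ("iam:DeleteAccessKey", own),
                ("iam:CreateAccessKey", f"arn:aws:iam::{ACCOUNT}:user/bob"),  # someone else's keys
                ("iam:ListUsers", "*"),                                         # never granted
                ("iam:CreateAccessKey", f"arn:aws:iam::{ACCOUNT}:user/devs/{username}")]  # user with a path
    return {f"{a} {r}": is_allowed(ACCESS_KEYS_POLICY, a, r, username) for a, r in requests}

if __name__ == "__main__":
    print("s3:*Object expands to:", expand_action_pattern("s3:*Object"))
    for label, decisions in (("edit_edthe.dev", edit_policy_decisions()),
                             ("self_manage_access_keys as alice", access_key_decisions())):
        print(f"\n{label}")
        for request, ok in decisions.items():
            print(f"  {'ALLOW' if ok else 'deny '}  {request}")
```

Running the script prints ALLOW/deny for each sample request. Two results are worth noticing: s3:*Object allows DeleteObject on the site, and the access-key policy denies a user whose ARN carries an IAM path (user/devs/alice), because ${aws:username} expands to the bare name. For the authoritative answer on a rendered policy, aws iam simulate-custom-policy takes the JSON via --policy-input-list and a --caller-arn for the ${aws:username} substitution.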

Note: For once we don't need a bucket name, as this creates an independent group that I assign to AWS Console IAM users so they can manage their own access keys. Because the policy is scoped with ${aws:username}, it applies only to IAM users (the variable is not present for assumed roles or federated sessions) and only matches the default ARN form user/<name>; a user created with an IAM path has the path in its ARN and would be unable to manage its own keys with this policy.

Once these are run, I manually add my S3 bucket editors to the new self_manage_access_keys and edit_edthe.dev groups in AWS IAM; aws iam list-groups-for-user --user-name <name> confirms that the membership took.