How can I restrict the IAM permissions of an Elastic Beanstalk user to specific applications?


I want to restrict the AWS Identity and Access Management (IAM) permissions of an AWS Elastic Beanstalk user to specific applications.

Short description

Use an IAM policy to restrict the permissions of an Elastic Beanstalk user. An Elastic Beanstalk user can be an IAM user or role. The policy can restrict access to a specific application or applications.

Resolution

1. Create an IAM policy that restricts access to your Elastic Beanstalk application or applications. Use the IAM policy below as an example template.

2. Attach the policy to the IAM user or role whose access you want to restrict to those specific applications only.

If you use a service that integrates with Elastic Beanstalk, such as Amazon Simple Storage Service (Amazon S3), then grant that service broader access with minimal restrictions, for the following reasons:

  • In Elastic Beanstalk, you can't directly restrict permissions to your application because the application structure is a collection of components. These components are things such as environments, versions, and environment configurations. However, you can restrict permissions more precisely using actions, resources, and condition keys. For a list of available condition keys that you can use to grant conditional access according to your use case, see Resources and conditions for Elastic Beanstalk actions.
  • An IAM policy isn't an effective way to secure underlying resources. For example, you can restrict how users interact with Elastic Beanstalk APIs using the appropriate IAM policy. However, you can't prevent users with Elastic Beanstalk permissions from creating resources in other AWS services that are unrelated to Elastic Beanstalk.
  • Some of the resources that Elastic Beanstalk integrates with don't support resource-level permissions. For more information, see AWS services that work with IAM.

The following example policy is designed to grant full access to two Elastic Beanstalk applications, App1 and App2:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DeleteApplicationVersion"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeAccountAttributes",
        "elasticbeanstalk:AbortEnvironmentUpdate",
        "elasticbeanstalk:TerminateEnvironment",
        "rds:*",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "autoscaling:*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:DescribeInstancesHealth",
        "elasticbeanstalk:DescribeEnvironmentHealth",
        "sns:*",
        "elasticbeanstalk:RestartAppServer",
        "s3:*",
        "cloudformation:*",
        "elasticloadbalancing:*",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:DescribeEnvironmentManagedActions",
        "elasticbeanstalk:SwapEnvironmentCNAMEs",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:ApplyEnvironmentManagedAction",
        "cloudwatch:*",
        "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:DeleteEnvironmentConfiguration",
        "elasticbeanstalk:UpdateEnvironment",
        "ec2:*",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "sqs:*",
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role",
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-service-role",
        "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:ListPlatformVersions"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
        "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:Describe*"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:*::platform/*",
        "arn:aws:elasticbeanstalk:*:*:environment/*/*",
        "arn:aws:elasticbeanstalk:*:*:application/*",
        "arn:aws:elasticbeanstalk:*::solutionstack/*",
        "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
        "arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
      ],
      "Condition": {
        "StringEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2"
          ]
        }
      }
    }
  ]
}
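An offline check, added here and not part of the AWS article, that walks a policy shaped like the one above and reports each Allow statement that is not confined to the two applications (neither through an elasticbeanstalk:InApplication condition nor through application ARNs in Resource) yet grants wildcard actions. These are exactly the grants the article warns cannot be narrowed to an application. The embedded POLICY is a constructed, shortened copy of the example; ALLOWED_APPS, is_app_scoped and audit are names chosen for this example.

```python
# The two application ARNs from the article's example policy (the account id
# 123456789012 is the documentation placeholder used on the page).
ALLOWED_APPS = {
    "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App1",
    "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/My App2",
}

# Constructed, shortened copy of the article's policy: the InApplication-
# conditioned statement, a trimmed version of the broad second statement,
# and the iam:* statement on the Elastic Beanstalk roles.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["elasticbeanstalk:CreateApplicationVersion"],
     "Resource": "*", "Condition": {"StringEquals": {
         "elasticbeanstalk:InApplication": sorted(ALLOWED_APPS)}}},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticbeanstalk:TerminateEnvironment", "elasticbeanstalk:List*",
        "rds:*", "s3:*", "ec2:*"]},
    {"Effect": "Allow", "Action": ["iam:*"], "Resource":
        ["arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role"]},
]}


def as_list(value):
    """IAM accepts a string or a list for Action, Resource and condition values."""
    return [value] if isinstance(value, str) else list(value)


def is_app_scoped(stmt, allowed_apps):
    """True when the statement is confined to the allowed applications, via an
    elasticbeanstalk:InApplication condition or via Resource naming only them."""
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    in_app = cond.get("elasticbeanstalk:InApplication")
    if in_app is not None:
        return set(as_list(in_app)) <= allowed_apps
    return set(as_list(stmt.get("Resource", []))) <= allowed_apps


def audit(policy, allowed_apps):
    """One finding per Allow statement that is not application-scoped and
    grants wildcard actions; these are the grants InApplication cannot narrow."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or is_app_scoped(stmt, allowed_apps):
            continue
        wildcards = sorted(a for a in as_list(stmt["Action"]) if a.endswith("*"))
        if wildcards:
            findings.append({"statement": index, "wildcard_actions": wildcards,
                             "resources": as_list(stmt["Resource"])})
    return findings
```

Run against the full policy above, the check flags the second statement (service-wide wildcards on Resource "*") and the iam:* statement, while the InApplication-conditioned and application-ARN statements pass.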

For more use cases and examples, see Example policies based on resource permissions or Example policies based on managed policies.


AWS OFFICIAL. Updated 4 years ago.