1
00:00:06,586 --> 00:00:08,552
- So now let's take a look at an example

2
00:00:08,552 --> 00:00:09,753
of how we would go about creating

3
00:00:09,753 --> 00:00:11,670
and attaching policies.

4
00:00:13,680 --> 00:00:16,121
So you can see I'm already logged into the console.

5
00:00:16,121 --> 00:00:20,288
I'm on the Identity and Access Management dashboard.

6
00:00:21,126 --> 00:00:24,106
And from here, I'm gonna go over to policies.

7
00:00:24,106 --> 00:00:26,854
You can see, as we've talked about, policies

8
00:00:26,854 --> 00:00:31,111
can be, managed policies can be, first-class objects.

9
00:00:31,111 --> 00:00:34,015
And we can, of course, filter by either

10
00:00:34,015 --> 00:00:38,317
Amazon managed policies or customer managed policies.

11
00:00:38,317 --> 00:00:40,608
So I'm gonna go ahead and filter by customer managed,

12
00:00:40,608 --> 00:00:43,184
and you can see that I've got a few policies

13
00:00:43,184 --> 00:00:45,399
that I've created over the years

14
00:00:45,399 --> 00:00:47,767
for doing personal things.

15
00:00:47,767 --> 00:00:49,826
But I want to go ahead, for the sake of this demo,

16
00:00:49,826 --> 00:00:51,551
and create one.

17
00:00:51,551 --> 00:00:53,572
So I'm gonna create a policy,

18
00:00:53,572 --> 00:00:56,543
and from here, I have a number of options.

19
00:00:56,543 --> 00:00:59,958
I can either copy one from an Amazon policy

20
00:00:59,958 --> 00:01:01,808
and then edit it to my liking.

21
00:01:01,808 --> 00:01:04,345
I could use the policy generator,

22
00:01:04,345 --> 00:01:07,702
or I could, using this last option,

23
00:01:07,702 --> 00:01:10,631
I could just copy and paste and write it out in JSON.

24
00:01:10,631 --> 00:01:12,320
I typically don't like to do that,

25
00:01:12,320 --> 00:01:14,685
just because there's a lot of room for error

26
00:01:14,685 --> 00:01:17,262
in a JSON document; it has to be valid.
27
00:01:17,262 --> 00:01:19,700
So I generally like to use the generator,

28
00:01:19,700 --> 00:01:21,517
that way I know that it's going

29
00:01:21,517 --> 00:01:24,575
to create the appropriate syntax.

30
00:01:24,575 --> 00:01:28,703
So for here I'm gonna select the policy generator.

31
00:01:28,703 --> 00:01:31,870
And, for this policy, I want to allow,

32
00:01:33,478 --> 00:01:37,395
and I'm going to say that I want my developers,

33
00:01:38,602 --> 00:01:41,916
let's say we want to attach this to our developers,

34
00:01:41,916 --> 00:01:44,249
I'm going to allow them EC2,

35
00:01:46,706 --> 00:01:48,873
and I'm going to say that,

36
00:01:50,298 --> 00:01:52,354
I have the option to say all actions, but

37
00:01:52,354 --> 00:01:55,112
here maybe I only want them to be

38
00:01:55,112 --> 00:01:59,018
able to launch certain EC2 instances.

39
00:01:59,018 --> 00:02:00,498
Create virtual machines.

40
00:02:00,498 --> 00:02:02,809
You can see here there are a lot of things

41
00:02:02,809 --> 00:02:07,370
that we could give them access to within EC2.

42
00:02:07,370 --> 00:02:10,202
But I don't want them to have access to all of it,

43
00:02:10,202 --> 00:02:14,369
I want them to have access to maybe tagging resources,

44
00:02:15,249 --> 00:02:18,500
I want them to be able to create disk volumes,

45
00:02:18,500 --> 00:02:21,314
as we'll talk about later.

46
00:02:21,314 --> 00:02:23,608
I want them to be able to,

47
00:02:23,608 --> 00:02:26,528
let me scroll all the way to the bottom here,

48
00:02:26,528 --> 00:02:30,307
I want them to be able to launch virtual machines.

49
00:02:30,307 --> 00:02:34,667
Which is this particular action, run instances.

50
00:02:34,667 --> 00:02:39,187
I don't want them to be able to terminate instances though.

51
00:02:39,187 --> 00:02:41,076
That's a dangerous operation,

52
00:02:41,076 --> 00:02:43,177
I want to keep this particular group of people

53
00:02:43,177 --> 00:02:44,667
from being able to do that.
54
00:02:44,667 --> 00:02:47,276
So I'm gonna make sure that I leave that one unchecked.

55
00:02:47,276 --> 00:02:49,236
So again, this is least privilege.

56
00:02:49,236 --> 00:02:52,233
I'm giving them just enough to do their job.

57
00:02:52,233 --> 00:02:56,400
And here, the ARN, because I'm choosing a specific service

58
00:02:57,468 --> 00:03:00,134
and actions, I can just say star.

59
00:03:00,134 --> 00:03:03,069
In this particular case, I can just say, you know what,

60
00:03:03,069 --> 00:03:05,225
you can do these on, across everything,

61
00:03:05,225 --> 00:03:07,476
across all resources, and of course,

62
00:03:07,476 --> 00:03:10,298
because they are prefixed with EC2,

63
00:03:10,298 --> 00:03:14,203
they would only apply to EC2 resources anyway.

64
00:03:14,203 --> 00:03:17,227
So now, when I click the next step,

65
00:03:17,227 --> 00:03:21,394
you can see here that I have the policy that's been created,

66
00:03:24,196 --> 00:03:26,859
I have a series, only one statement,

67
00:03:26,859 --> 00:03:30,314
that says they're allowed to do these three actions

68
00:03:30,314 --> 00:03:31,647
on any resource.

69
00:03:32,907 --> 00:03:35,533
I'm gonna go ahead and name this something else,

70
00:03:35,533 --> 00:03:39,366
I'm gonna call this EC2 access for developers.

71
00:03:41,644 --> 00:03:44,260
And again, that's arbitrary, that's up to you,

72
00:03:44,260 --> 00:03:45,733
whatever you want to name it,

73
00:03:45,733 --> 00:03:48,916
whatever makes sense for your particular business.

74
00:03:48,916 --> 00:03:51,111
I'm gonna create the policy,

75
00:03:51,111 --> 00:03:53,299
and of course, I can filter it,

76
00:03:53,299 --> 00:03:55,354
if I want to go back and find it I can say,

77
00:03:55,354 --> 00:03:57,763
filter my customer managed policies.

78
00:03:57,763 --> 00:04:00,701
And here we go, here is that particular policy.

79
00:04:00,701 --> 00:04:04,172
You can see, we could edit that if we wanted to.
80
00:04:04,172 --> 00:04:08,903
We could see that it's not attached to anything.

81
00:04:08,903 --> 00:04:13,255
So let's go back to the group that we created earlier.

82
00:04:13,255 --> 00:04:15,381
Earlier, we created a group

83
00:04:15,381 --> 00:04:18,381
and we gave that group EC2 full access.

84
00:04:18,381 --> 00:04:20,676
An AWS managed policy,

85
00:04:20,676 --> 00:04:24,780
but that particular policy grants far too many permissions,

86
00:04:24,780 --> 00:04:26,986
I don't want our developers, ultimately,

87
00:04:26,986 --> 00:04:28,519
to have that many permissions.

88
00:04:28,519 --> 00:04:31,595
I want to, again, grant least privilege.

89
00:04:31,595 --> 00:04:34,512
So I'm going to detach that policy,

90
00:04:35,914 --> 00:04:39,042
and I want to attach the policy that we just created.

91
00:04:39,042 --> 00:04:42,891
So I'm going to filter by customer managed policy,

92
00:04:42,891 --> 00:04:45,643
I'm going to find, here's my EC2 access for developers

93
00:04:45,643 --> 00:04:47,156
that I want.

94
00:04:47,156 --> 00:04:49,756
I'm going to click that, and attach.

95
00:04:49,756 --> 00:04:52,403
And now, if I hit show policy,

96
00:04:52,403 --> 00:04:56,252
you can see that my developers group is allowed

97
00:04:56,252 --> 00:05:00,252
to create tags on EC2 resources, create volumes,

98
00:05:01,293 --> 00:05:03,376
and launch EC2 instances.

99
00:05:05,736 --> 00:05:09,903
And that's that, for creating and attaching policies.
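The policy the walkthrough builds is never shown as JSON, so the block below is an added example, not material from the video or from AWS: it reconstructs the single-statement document the generator would produce for the three chosen permissions (the action names `ec2:CreateTags`, `ec2:CreateVolume` and `ec2:RunInstances` are assumptions matching the narrator's "create tags, create volumes, launch instances"), puts a broad `ec2:*` document beside it to stand in for the AWS managed EC2 full access policy the group had before, and runs a deliberately simplified evaluator (implicit deny, explicit Deny wins, `*` wildcards; no conditions, NotAction or permission boundaries) over both. It shows two things the narration only states: that a hand-edited document can fail simply by being invalid JSON, and that swapping the managed policy for the scoped one removes `ec2:TerminateInstances` while keeping `ec2:RunInstances`.

```python
import fnmatch
import json

# Assumed reconstruction of the generator's output for the three actions chosen in the
# walkthrough (one Allow statement, three actions, Resource "*"). Not copied from AWS.
DEVELOPER_EC2_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:CreateTags", "ec2:CreateVolume", "ec2:RunInstances"],
            "Resource": "*",
        }
    ],
})

# Constructed stand-in for the broad "EC2 full access" managed policy the group had earlier.
FULL_EC2_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
})

# Constructed example of the hand-editing failure mode: a truncated, invalid document.
BROKEN_POLICY = '{"Version": "2012-10-17", "Statement": ['


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string, a dict or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def load_policy(document: str) -> dict:
    """Parse a policy document; raises ValueError (JSONDecodeError) if the JSON is not valid."""
    policy = json.loads(document)
    if "Statement" not in policy:
        raise ValueError("policy document has no Statement element")
    policy["Statement"] = _as_list(policy["Statement"])
    return policy


def is_valid_policy(document: str) -> bool:
    """True if the document parses and has a Statement element; False otherwise."""
    try:
        load_policy(document)
        return True
    except ValueError:
        return False


def is_allowed(policy: dict, action: str, resource: str = "*") -> bool:
    """Simplified IAM evaluation for one action on one resource.

    Default is deny; any matching Deny statement overrides; otherwise a matching Allow grants.
    Action names match case-insensitively with '*' wildcards (as IAM does); resource patterns
    match case-sensitively. Conditions, NotAction/NotResource and boundaries are not modelled.
    """
    decision = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        action_match = any(fnmatch.fnmatchcase(action.lower(), p) for p in actions)
        resource_match = any(fnmatch.fnmatchcase(resource, p) for p in resources)
        if not (action_match and resource_match):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


def privilege_diff(old_doc: str, new_doc: str, actions) -> dict:
    """For each action, report (allowed under old policy, allowed under new policy)."""
    old, new = load_policy(old_doc), load_policy(new_doc)
    return {a: (is_allowed(old, a), is_allowed(new, a)) for a in actions}


if __name__ == "__main__":
    print("broken document valid?", is_valid_policy(BROKEN_POLICY))
    checks = ["ec2:RunInstances", "ec2:CreateVolume", "ec2:CreateTags",
              "ec2:TerminateInstances", "ec2:DeleteVolume", "s3:GetObject"]
    for action, (before, after) in privilege_diff(FULL_EC2_POLICY, DEVELOPER_EC2_POLICY, checks).items():
        print(f"{action:24s} full-access={before!s:5s} scoped={after!s:5s}")
```

Run it as a script to print the before/after table: the three chosen actions stay allowed, `ec2:TerminateInstances` and `ec2:DeleteVolume` flip from allowed to denied, and `s3:GetObject` is denied under both, which is the least-privilege outcome the narration describes. Because this evaluator is a teaching model, use the IAM policy simulator (or `iam:SimulatePrincipalPolicy`) to confirm the real effect of a policy before relying on it.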