Oliver Nassar

I can be reached at onassar@gmail.com.

For my open source work, check out github.com/onassar

Generating a Custom Policy for AWS IAM

View more posts

In trying to very-slowly move over to AWS, DNS is one of the steps I wanted to take my time with. I understood that AWS added a service entitled Route53 to manage your DNS with, but I was reluctant to move over to it fully, as it wasn't accessible via their web-console.

Looking for alternatives, I found quite a few services that offered a GUI for managing DNS zones. One such is entitled Interstate53. While I know nothing about the service yet, it brought up a second issue: giving access to a third-party service using the AWS IAM service.

The IAM service allows you to manage permissions of groups and users with respect to almost any AWS service. For example, giving a user access to only your RDS services, or EC2 instances. In my case, I wanted to grant access to the Route53 service alone. This lead me down a pretty complicated flow, which works as follows:

  1. Head over to your console and the IAM tab
  2. Create a new group of users (I called my group 3rd-parties)
  3. You'll be prompted to then choose a policy that applies to this group (eg. can administer everything, only CloudFront, etc.)
  4. In my case, a Policy Template wasn't listed (eg. Route53 management), so I had to choose the Custom Policy option
  5. Give your policy a name (eg. Route53-full-access)
  6. You're then given a textarea to paste your policy into; from here you open a new tab pointing to: http://awspolicygen.s3.amazonaws.com/policygen.html
  7. This is a wizard that will generate a policy for you based on what you enter
  8. In my case, I'm creating one for Route53, so I entered the following options:

    Select Type of Policy: IAM Policy
    Effect: Show
    AWS Service: Amazon Route 53
    Actions: All Actions(*)
    Amazon Resource Name (ARN): *
  9. Hitting Add Statement and then Generate Policy presents you with your policy code to paste into the previous tab; do so
  10. You'll now be given the option to create users (or choose from existing users)
  11. Each new user you create will (if you leave the associated checkbox checked) generate an access key
  12. Using the Access Key Id and Secret Access Key (shown after finishing this flow) in a 3rd-party service (eg. Interstate53) will allow them to manage the service for you, but nothing else.

The flow was a little complex for me at first, but after having gone through it, the moving pieces make quite a bit of sense. The policy generator is pretty interesting as well, since you can make it as complicated or as simple as you want (eg. can manage certain buckets, your DNS routing and your CloudFront service). Also, the policy is a JSON document :)

There ya have it. Hope that helps someone at some point (ummm, me in 3 months after I've forgotten this all).