Feb 062015
 

A bucket policy that will deny access to anyone not coming from the specified IP addresses. Used in combination with IAM groups that allow access to S3, the net result will be that users will be allowed the access given to the group they belong to, but only if they are coming from one of the IP address specified in this policy, which is going to be attached to the bucket. Using an “Allow” policy, like in Amazon’s example, would allow anyone coming from those IPs full access, effectively defeating the purpose of group-based policies.
Continue reading »

Feb 062015
 

AWS permissions intended for a group containing users that will monitor the environment, but should not have access to data and are not allowed to make any changes. Should allow members to check the health of services or run periodic reviews. Basically a modified version of Amazon’s Read-Only policy template. In order to cut access to potentially dangerous information, some access was removed:

    • DynamoDB and Kinesis:Get* because those would reveal data
      ElasticBeanstalk and Opsworks because the information there is potentially dangerous
      S3 objects, but it does give permissions to access S3 bucket policy
  • Continue reading »