Administering Account Resources

Describes how to set policies for controlling access.

Entities in an Account (users, groups, and policies) are treated as resources. Buckets are the containers that hold objects.

In a policy document, the create and list operations are performed on a bucket, so they are called bucket operations:

  • create a user in the bucket sales
  • list all users in the bucket sales

Other operations act on a specific user, group, or policy, that is, on one or more specific objects, so they are called object operations.

Examples:

  • user* (all users in an account)
  • user/john (user john in a specific account)
  • group* (all groups in an account)
  • group/sales (group ‘sales’ in a specific account)

When objects are listed under the Resource heading of a policy document, they are written in one of two formats:

  1. bucket* (one of the 3 bucket names followed by * to mean all objects in that bucket)
  2. bucket/object (one of the 3 bucket names followed by a slash and the object name, to specify a single object)

Bucket operations can be performed only on a Bucket resource, and Object operations can be performed only on an Object resource.

By default, only the account administrator is allowed to perform all operations. The following policy framework applies when the account administrator wants to allow other users in the account to perform admin operations.

Principals Format

Principals are users or groups that are allowed access to specific operations; they are listed under the Principal key of the policy's JSON document. The format of a principal is as follows:

arn:<domain_name>:<account_name>:user/<username>

User Admin Operations Authorization

Each row gives the operation, the action name used in the policy, the resource value(s) the action applies to, and a sample statement.

Operation: add (bucket operation)
Action: admin:CreateUser
Resource/Values: "arn:aws:s3:::user"
Sample Statement:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok"]},
    "Action": ["admin:CreateUser"],
    "Resource": ["arn:aws:s3:::user"]}]

Meaning: User asok can create users in an account.

Operation: list (bucket operation)
Action: admin:ListUsers
Resource/Values: "arn:aws:s3:::user"
Sample Statement:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok"]},
    "Action": ["admin:ListUsers"],
    "Resource": ["arn:aws:s3:::user"]}]

Meaning: User asok can list users in an account.

Operation: addgroups/removegroups (object operations)
Actions: admin:AddUserToGroups, admin:RemoveUserFromGroups
Resource/Values:
  • "arn:aws:s3:::user*"
  • "arn:aws:s3:::user/<username>"
Sample Statements:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:joe",
                          "arn:primary:default:user:alok"]},
    "Action": ["admin:AddUserToGroups"],
    "Resource": ["arn:aws:s3:::user*"]}]

Meaning: Users asok and joe can add groups to all users.

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok"]},
    "Action": ["admin:RemoveUserFromGroups"],
    "Resource": ["arn:aws:s3:::user/joe"]}]

Meaning: User asok can remove groups only for user joe.

Operation: disable/enable (object operations)
Actions: admin:DisableUser, admin:EnableUser
Resource/Values:
  • "arn:aws:s3:::user*"
  • "arn:aws:s3:::user/<username>"
Sample Statements:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok",
                          "arn:primary:default:user:joe"]},
    "Action": ["admin:DisableUser"],
    "Resource": ["arn:aws:s3:::user*"]}]

Meaning: Users asok and joe can disable all users.

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok"]},
    "Action": ["admin:EnableUser"],
    "Resource": ["arn:aws:s3:::user/joe"]}]

Meaning: User asok can enable only user joe.

Operation: remove/info (object operations)
Actions: admin:RemoveUser, admin:GetUserInfo
Resource/Values:
  • "arn:aws:s3:::user*"
  • "arn:aws:s3:::user/<username>"
Sample Statements:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok",
                          "arn:primary:default:user:joe"]},
    "Action": ["admin:GetUserInfo"],
    "Resource": ["arn:aws:s3:::user*"]}]

Meaning: Users asok and joe can fetch (display) information about all users.

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok"]},
    "Action": ["admin:RemoveUser"],
    "Resource": ["arn:aws:s3:::user/joe"]}]

Meaning: User asok can remove only user joe.
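The rules above (bucket operations only on a bucket resource, object operations only on `bucket*` or `bucket/object`, and deny unless a statement grants the principal the action on a matching resource) can be checked mechanically. The following is an added example, not the product's own code: it lints a statement for the bucket/object mismatch and evaluates a request against a policy assembled from the user-admin sample statements on this page. It also covers the group, policy and access-key actions listed later on the page, since they follow the same resource grammar. The function names, the "an explicit Deny overrides any Allow" rule and the restriction of principals to user ARNs are assumptions made for the example; the sample policy is constructed from the page's statements.

```python
"""Toy evaluator for the admin-policy model described on this page (added
example, not the product's own code).  Assumed, not stated on the page: the
function names, the Deny-overrides-Allow rule and that principals are user ARNs.
Bucket vs object operations, the two resource formats and default deny for
everyone but the account admin follow the text above."""
import re

# Which bucket each action targets and whether it is a bucket or object operation.
_A = {
    ("bucket", "user"): ["CreateUser", "ListUsers"],
    ("object", "user"): ["AddUserToGroups", "RemoveUserFromGroups", "DisableUser",
                         "EnableUser", "RemoveUser", "GetUserInfo", "AddAccessKey",
                         "ListAccessKeys", "RemoveAccessKey", "EnableAccessKey",
                         "DisableAccessKey"],
    ("bucket", "group"): ["CreateGroup", "ListGroups"],
    ("object", "group"): ["RemoveGroup", "GetGroupInfo"],
    ("bucket", "policy"): ["CreatePolicy", "ListPolicies", "RemovePolicy", "GetPolicyInfo"],
    ("object", "user|group"): ["AttachPolicy", "DetachPolicy"],
}
ACTIONS = {"admin:" + n: (level, set(b.split("|")))
           for (level, b), names in _A.items() for n in names}

# Resource grammar: arn:aws:s3:::<bucket>, arn:aws:s3:::<bucket>*, arn:aws:s3:::<bucket>/<name>
_RES = re.compile(r"^arn:aws:s3:::(user|group|policy)(\*|/[^/*\s]+)?$")
# Principal grammar: arn:<domain>:<account>:user/<name>; the page's samples also use a colon.
_PRINCIPAL = re.compile(r"^arn:[^:\s]+:[^:\s]+:user[/:][^:/\s]+$")


def parse_resource(arn):
    """Return (bucket, kind, name) with kind 'bucket', 'all' (bucket*) or 'one'."""
    m = _RES.match(arn)
    if not m:
        raise ValueError(f"malformed resource ARN: {arn!r}")
    bucket, tail = m.groups()
    if tail is None:
        return bucket, "bucket", None
    return (bucket, "all", None) if tail == "*" else (bucket, "one", tail[1:])


def validate_statement(stmt):
    """Lint one statement: returns the list of problems (empty means well-formed)."""
    problems = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        problems.append("Effect must be Allow or Deny")
    problems += [f"bad principal {p!r}" for p in stmt.get("Principal", {}).get("AWS", [])
                 if not _PRINCIPAL.match(p)]
    for action in stmt.get("Action", []):
        if action not in ACTIONS:
            problems.append(f"unknown action {action!r}")
            continue
        level, buckets = ACTIONS[action]
        for arn in stmt.get("Resource", []):
            try:
                bucket, kind, _ = parse_resource(arn)
            except ValueError as err:
                problems.append(str(err))
                continue
            if bucket not in buckets:
                problems.append(f"{action} cannot target the {bucket} bucket")
            elif (kind == "bucket") != (level == "bucket"):
                problems.append(f"{action} is a {level} operation; {arn} is not a {level} resource")
    return problems


def _covers(granted, target):
    """Does a granted resource ARN cover the resource a request names?"""
    gb, gk, gn = parse_resource(granted)
    tb, tk, tn = parse_resource(target)
    if gb != tb:
        return False
    if gk == "bucket":
        return tk == "bucket"          # a bucket grant covers only bucket operations
    if gk == "all":
        return tk == "one"             # user* covers every single user
    return tk == "one" and gn == tn    # user/joe covers joe only


def is_allowed(policy, principal, action, target):
    """Default deny: allowed only if a statement matches principal, action and resource."""
    allowed = False
    for stmt in policy["Statement"]:
        if principal not in stmt["Principal"]["AWS"] or action not in stmt["Action"]:
            continue
        if not any(_covers(r, target) for r in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False               # assumption: an explicit Deny wins
        allowed = True
    return allowed


# Constructed policy assembled from the page's user-admin sample statements.
ASOK, JOE, ALOK = (f"arn:primary:default:user:{n}" for n in ("asok", "joe", "alok"))
POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ASOK]},
     "Action": ["admin:CreateUser"], "Resource": ["arn:aws:s3:::user"]},
    {"Effect": "Allow", "Principal": {"AWS": [JOE, ALOK]},
     "Action": ["admin:AddUserToGroups"], "Resource": ["arn:aws:s3:::user*"]},
    {"Effect": "Allow", "Principal": {"AWS": [ASOK]},
     "Action": ["admin:RemoveUserFromGroups"], "Resource": ["arn:aws:s3:::user/joe"]},
]}

if __name__ == "__main__":
    for who, act, res in [(ASOK, "admin:CreateUser", "arn:aws:s3:::user"),
                          (JOE, "admin:CreateUser", "arn:aws:s3:::user"),
                          (ASOK, "admin:RemoveUserFromGroups", "arn:aws:s3:::user/alok")]:
        print(who.rsplit(":", 1)[1], act, res, "->", is_allowed(POLICY, who, act, res))
    # A bucket operation granted on an object resource is flagged by the linter.
    print(validate_statement({"Effect": "Allow", "Principal": {"AWS": [ASOK]},
                              "Action": ["admin:ListUsers"], "Resource": ["arn:aws:s3:::user*"]}))
```

The linter is the check worth running before a policy is stored: a statement that grants admin:ListUsers on "arn:aws:s3:::user*", or admin:AttachPolicy on the policy bucket, can never match a request under the rules on this page, so it silently grants nothing.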

Group Admin Operations Authorization

Each row gives the operation, the action name used in the policy, the resource value(s) the action applies to, and a sample statement.

Operation: add (bucket operation)
Action: admin:CreateGroup
Resource/Values: "arn:aws:s3:::group"
Sample Statement:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok"]},
    "Action": ["admin:CreateGroup"],
    "Resource": ["arn:aws:s3:::group"]}]

Meaning: User asok can create groups in an account.

Operation: list (bucket operation)
Action: admin:ListGroups
Resource/Values: "arn:aws:s3:::group"
Sample Statement:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok"]},
    "Action": ["admin:ListGroups"],
    "Resource": ["arn:aws:s3:::group"]}]

Meaning: User asok can list groups in an account.

Operation: remove/info (object operations)
Actions: admin:RemoveGroup, admin:GetGroupInfo
Resource/Values:
  • "arn:aws:s3:::group*"
  • "arn:aws:s3:::group/<groupname>"
Sample Statements:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:asok"]},
    "Action": ["admin:RemoveGroup"],
    "Resource": ["arn:aws:s3:::group/sales"]}]

Meaning: User asok can remove group sales in an account.

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:sharad"]},
    "Action": ["admin:RemoveGroup"],
    "Resource": ["arn:aws:s3:::group*"]}]

Meaning: User sharad can remove any group in an account.

Policy Admin Operations Authorization

Each row gives the operation, the action name used in the policy, the resource value(s) the action applies to, and a sample statement.

Operation: add, update, list, remove/info (bucket operations)
Actions: admin:CreatePolicy, admin:ListPolicies, admin:RemovePolicy, admin:GetPolicyInfo
Resource/Values: "arn:aws:s3:::policy"
Sample Statement:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:joe"]},
    "Action": ["admin:GetPolicyInfo", "admin:ListPolicies"],
    "Resource": ["arn:aws:s3:::policy"]}]

Meaning: User joe can read all policies and list all policies in the account. Policies are not secured individually: a user can operate on all policies or none.

Operation: set, unset (object operations)
Actions: admin:AttachPolicy, admin:DetachPolicy
Resource/Values:
  • "arn:aws:s3:::user*"
  • "arn:aws:s3:::user/<username>"
  • "arn:aws:s3:::group*"
  • "arn:aws:s3:::group/<groupname>"
Sample Statement:

  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:primary:default:user:joe"]},
    "Action": ["admin:AttachPolicy", "admin:DetachPolicy"],
    "Resource": ["arn:aws:s3:::user*"]}]

Meaning: User joe can attach and detach policies for all users. Here the user is the resource that needs to be guarded, so the resource value names user as the resource type.

AccessKey Admin Operations Authorization

Each row gives the operation, the action name used in the policy, the resource value(s) the action applies to, and a sample statement.

Operation: add, list, delete, enable, disable (object operations on a user)
Actions: admin:AddAccessKey, admin:ListAccessKeys, admin:RemoveAccessKey, admin:EnableAccessKey, admin:DisableAccessKey
Resource/Values:
  • "arn:aws:s3:::user*"
  • "arn:aws:s3:::user/<username>"
Sample Statement: None