
This topic lists the different elements that you can use in EIM policy documents.


EIM policies are case sensitive. All elements must start with an upper-case letter.


The elements are listed below, each with whether it is required, its description, and examples.

Statement
Required: Yes
Description:

The Statement element is the main element and is required in every policy document.

There is one Statement element per policy document. It contains an array of one or more individual statements, each a JSON block enclosed in braces { } that contains at least an Action or NotAction element, an Effect element, and a Resource or NotResource element.

The order of these elements within an individual statement is not important.

Examples:

"Statement":[
             {
              "Action":["..."],
              "Effect":"...",
              "Resource":["..."]
             },
             {
              "Action":["..."],
              "Effect":"...",
              "Resource":["..."],
              "Sid":"..."
             }
            ]
Sid
Required: No
Description:

The Sid (statement ID) element is an optional ID that you can add to individual statements. It lets you name them according to your needs, but EIM does not use it to identify them.

Examples:

"Sid":"Admin1"
Action
Required: No
Description:

The Action element specifies one or more actions that are allowed or denied. Every individual statement requires either the Action or the NotAction element.

To specify an action, you must specify the service code followed by a colon and the name of an API method (for example DescribeInstances). For more information, see http://docs.outscale.com/.

You must use one of the following service codes:

  • For the OUTSCALE API: api
  • For Flexible Compute Unit (FCU): ec2
  • For Load Balancing Unit (LBU): elasticloadbalancing
  • For Elastic Identity Management (EIM): iam
  • For DirectLink: directconnect
  • For all the services above: *

Action names are case sensitive.

The Action element is an array that contains one or more actions, enclosed in quotation marks and separated by commas.

You can use wildcards to replace parts of action names and thus specify several actions at the same time. You can for example specify all actions in all services or all actions in a specified service. You can also use wildcards to specify all actions regarding the same object type.

Examples:

  • Action element specifying two actions:

    "Action":["ec2:DescribeInstances","ec2:RunInstances"]
  • Action element specifying all actions in all services:

    "Action":["*"]
  • Action element specifying all actions in EIM:

    "Action":["iam:*"]
  • Action element specifying all actions regarding volumes, that is, actions whose name includes the Volume string (for example AttachVolume, CreateVolume, DeleteVolume, DescribeVolumes):

    "Action":["ec2:*Volume*"]
NotAction
Required: No
Description:

The NotAction element specifies one or more exceptions to a list of actions. Every individual statement requires either the Action or the NotAction element.

The NotAction element has the same format as the Action element.

You can use the NotAction element to create shorter statements instead of specifying a long list of actions in the Action element. You can for example allow all actions using the Action element, except one or more actions that you specify in the NotAction element. As you need to explicitly allow actions, specifying an action in the NotAction element alongside an allow, on its own, does not grant permissions to all other actions.

Examples:

NotAction element that excludes the DescribeInstances action from the permissions:

"NotAction":["ec2:DescribeInstances"]
  • If this element is associated with "Effect":"Deny" and "Action":["*"], all actions other than DescribeInstances are explicitly denied.
  • If this element is associated with "Effect":"Allow" and "Action":["*"], all actions are allowed except DescribeInstances.
Effect
Required: Yes
Description:

The Effect element specifies whether the statement explicitly allows or denies actions.

Valid values for the Effect element are either Allow or Deny.

By default, access to resources is denied until it is explicitly allowed in a policy statement. To enable users to access resources, you must set the Effect element to Allow. Setting the Effect element to Deny overrides any allow that may be set in another statement.*

Examples:

"Effect":"Allow"
Resource
Required: No
Description:

The Resource element specifies the resources covered by the statement. Every individual statement requires either the Resource or the NotResource element.

The Resource element contains an array of one or more resource specifications, enclosed in quotation marks and separated by commas.

You must use the Outscale Resource Name format to specify resources. You can specify individual resources, or use wildcards to specify a resource type, all resources of a service, or all resources. For more information, see EIM Policy Elements.

Examples:

  • Resource element specifying an individual security group and an individual instance:

    "Resource":["arn:aws:ec2:eu-west-2:123456789000:security-group/sg-abcd1234","arn:aws:ec2:eu-west-2:123456789000:instance/i-abcd1234"]
  • Resource element specifying all resources in all services:

    "Resource":["*"]
  • Resource element specifying all FCU instances in the eu-west-2 Region:

    "Resource":["arn:aws:ec2:eu-west-2:123456789000:instance/*"]
  • Resource element specifying all FCU and LBU resources:

    "Resource":["arn:aws:ec2:*","arn:aws:elasticloadbalancing:*"]
NotResource
Required: No
Description:

The NotResource element specifies one or more exceptions to a list of resources. Every individual statement requires either the Resource or the NotResource element.

The NotResource element has the same format as the Resource element.

You can use the NotResource element to create shorter statements instead of specifying a long list of resources in the Resource element. You can for example allow actions on all resources using the Resource element, except on one or more resources that you specify in the NotResource element.

Examples:

NotResource element that excludes a security group from the list of resources:

"NotResource":["arn:aws:ec2:eu-west-2:123456789000:security-group/sg-abcd1234"]

If this element is associated with "Effect":"Allow" and "Resource":["arn:aws:ec2:eu-west-2:123456789000:security-group/*"], all actions listed in the Action element are allowed on all your security groups except the one specified above.
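As an added example (not part of the original page and not Outscale's own tooling), the following Python script checks a policy document against the structural rules described above: one Statement array, exactly one of Action or NotAction and exactly one of Resource or NotResource per statement, an Effect that is exactly Allow or Deny, case-sensitive element names starting with an upper-case letter, and actions written as one of the listed service codes followed by a colon and a method name. The ORN check (a resource is either * or begins with arn:) is an assumption drawn from the page's own examples, and the two policy documents are constructed for the demonstration.

```python
import json
import re

# Service codes accepted in the Action element, as listed on the page.
SERVICE_CODES = {"api", "ec2", "elasticloadbalancing", "iam", "directconnect", "*"}
ACTION_RE = re.compile(r"^(?P<service>[^:]+):(?P<name>.+)$")

# Constructed sample documents: one well-formed, one with several defects.
VALID_POLICY = """{
  "Statement":[
    {"Sid":"Admin1",
     "Action":["ec2:DescribeInstances","ec2:RunInstances"],
     "Effect":"Allow",
     "Resource":["arn:aws:ec2:eu-west-2:123456789000:instance/*"]},
    {"NotAction":["iam:*"],
     "Effect":"Deny",
     "Resource":["*"]}
  ]
}"""

BROKEN_POLICY = """{
  "Statement":[
    {"Action":["ec2:DescribeInstances"],
     "NotAction":["ec2:RunInstances"],
     "effect":"allow",
     "Resource":["*"]},
    {"Action":["vm:RunInstances"],
     "Effect":"Deny",
     "Resource":["i-abcd1234"]}
  ]
}"""


def _string_list(value):
    """The page shows Action/Resource as arrays of strings; a bare string is also
    accepted here and wrapped (an assumption, not something the page states)."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    return None


def check_action(action):
    """Return an error message for a malformed action string, or None if it is fine."""
    if action == "*":
        return None
    m = ACTION_RE.match(action)
    if not m:
        return f"action {action!r} must be '<service>:<ApiMethod>' or '*'"
    if m.group("service") not in SERVICE_CODES:
        return f"action {action!r} uses unknown service code {m.group('service')!r}"
    return None


def check_statement(index, stmt):
    """Validate one individual statement; returns a list of error messages."""
    if not isinstance(stmt, dict):
        return [f"statement {index}: must be a JSON object"]
    errors = []
    # Elements are case sensitive and must start with an upper-case letter.
    for key in stmt:
        if not key[:1].isupper():
            errors.append(f"statement {index}: element {key!r} must start with an upper-case letter")
    # Exactly one of Action / NotAction, and exactly one of Resource / NotResource.
    for a, b in (("Action", "NotAction"), ("Resource", "NotResource")):
        present = [k for k in (a, b) if k in stmt]
        if len(present) != 1:
            errors.append(f"statement {index}: exactly one of {a} or {b} is required")
        for k in present:
            items = _string_list(stmt[k])
            if items is None:
                errors.append(f"statement {index}: {k} must be a string or an array of strings")
            elif k in ("Action", "NotAction"):
                errors.extend(f"statement {index}: {e}" for e in map(check_action, items) if e)
            else:
                for r in items:
                    # ORN shape check modelled on the page's examples (assumption).
                    if r != "*" and not r.startswith("arn:"):
                        errors.append(f"statement {index}: resource {r!r} is not an ORN or '*'")
    effect = stmt.get("Effect")
    if effect not in ("Allow", "Deny"):  # comparison is case sensitive on purpose
        errors.append(f"statement {index}: Effect must be exactly 'Allow' or 'Deny', got {effect!r}")
    if "Sid" in stmt and not isinstance(stmt["Sid"], str):
        errors.append(f"statement {index}: Sid must be a string")
    return errors


def validate_policy(document):
    """Validate a policy document given as a JSON string or a parsed dict.
    Returns a list of error messages; an empty list means the structure is valid."""
    policy = json.loads(document) if isinstance(document, str) else document
    if not isinstance(policy, dict) or "Statement" not in policy:
        return ["policy document must be a JSON object with a Statement element"]
    statements = policy["Statement"]
    if not isinstance(statements, list) or not statements:
        return ["Statement must be a non-empty array of statements"]
    errors = []
    for i, stmt in enumerate(statements):
        errors.extend(check_statement(i, stmt))
    return errors


if __name__ == "__main__":
    print("valid policy errors:", validate_policy(VALID_POLICY))
    for err in validate_policy(BROKEN_POLICY):
        print("broken policy:", err)
```

Running the script reports no errors for the first document and five for the second: a lower-case element name, an Action and NotAction in the same statement, a missing (case-sensitive) Effect, an unknown service code, and a resource that is not an ORN.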

*EIM policy evaluation logic and the difference between default deny and explicit deny:

When a user sends a request, EIM evaluates it against all applicable inline or managed policies.

If no policy statement for this user explicitly allows the action contained in the request, the action is denied. This is the default deny. However, if a policy statement for this user explicitly denies the action, the action is denied even if another policy statement allows it. This is the explicit deny.

In other words, an allow overrides a default deny, while an explicit deny overrides all allows and cannot itself be overridden.

The following flow chart shows the process to determine whether the action contained in a request is allowed or denied:

Figure: EIM Policy Evaluation Logic (flow chart)
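The default deny / explicit deny logic above, as an added Python example that is not part of the page and not EIM's own implementation: a small evaluator walks every statement of every applicable policy, matches Action/NotAction and Resource/NotResource case-sensitively with * wildcards, and returns an explicit deny as soon as a matching Deny statement is found, an allow if only Allow statements matched, and a default deny otherwise. The policies and ORNs are constructed for the example, and treating * as "any run of characters" is modelled on the page's examples (ec2:*Volume*, instance/*) rather than on a published specification of EIM's wildcard semantics.

```python
import re

# Two policies constructed for this example: an inline policy and a managed one.
POLICIES = [
    {"Statement": [
        {"Sid": "VolumesOnly", "Effect": "Allow",
         "Action": ["ec2:*Volume*"],
         "Resource": ["arn:aws:ec2:eu-west-2:123456789000:volume/*"]},
        {"Sid": "AllButDescribe", "Effect": "Allow",
         "NotAction": ["ec2:DescribeInstances"],
         "Resource": ["arn:aws:ec2:eu-west-2:123456789000:instance/*"]},
    ]},
    {"Statement": [
        {"Sid": "AllSgsExceptOne", "Effect": "Allow",
         "Action": ["ec2:*SecurityGroup*"],
         "NotResource": ["arn:aws:ec2:eu-west-2:123456789000:security-group/sg-abcd1234"]},
        {"Sid": "ProtectOneSg", "Effect": "Deny",
         "Action": ["*"],
         "Resource": ["arn:aws:ec2:eu-west-2:123456789000:security-group/sg-abcd1234"]},
    ]},
]


def wildcard_match(pattern, value):
    """Case-sensitive match in which '*' stands for any run of characters (assumed semantics)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def any_match(patterns, value):
    return any(wildcard_match(p, value) for p in patterns)


def statement_applies(stmt, action, resource):
    """True if the statement covers this (action, resource) pair.
    NotAction / NotResource invert the match: the statement covers everything except the listed items."""
    if "Action" in stmt:
        action_hit = any_match(stmt["Action"], action)
    else:
        action_hit = not any_match(stmt["NotAction"], action)
    if "Resource" in stmt:
        resource_hit = any_match(stmt["Resource"], resource)
    else:
        resource_hit = not any_match(stmt["NotResource"], resource)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Evaluate one request against all applicable policies.
    Returns (decision, sid): ('explicit deny', sid of the Deny statement),
    ('allow', sid of the first Allow statement) or ('default deny', None)."""
    allowing_sid = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny", stmt.get("Sid")  # overrides every allow
            if allowing_sid is None:
                allowing_sid = stmt.get("Sid")
    if allowing_sid is not None:
        return "allow", allowing_sid
    return "default deny", None


if __name__ == "__main__":
    sg = "arn:aws:ec2:eu-west-2:123456789000:security-group/sg-abcd1234"
    for action, resource in [
        ("ec2:AttachVolume", "arn:aws:ec2:eu-west-2:123456789000:volume/vol-abcd1234"),
        ("ec2:DescribeInstances", "arn:aws:ec2:eu-west-2:123456789000:instance/i-abcd1234"),
        ("ec2:DeleteSecurityGroup", sg),
    ]:
        print(action, resource, "->", evaluate(POLICIES, action, resource))
```

The evaluator returns on the first matching Deny without looking further, which is exactly the property described above: an explicit deny cannot be overridden by an allow found earlier or later in any policy. Because the matching is case sensitive, a request for ec2:attachvolume does not match ec2:*Volume* and falls through to the default deny.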



AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.

Windows® is a registered trademark of Microsoft Corporation in the United States and/or other countries.