Using policies in Orchesto

Orchesto policies mimic AWS policies and take the default stance that everything is denied until access is explicitly allowed in a policy. This helps to ensure a secure execution environment.

The result of a policy evaluation is Allow or Deny, determined in the following way:

Evaluation of policies

When a principal tries to use the Orchesto GUI management console, the Orchesto API, or the Orchesto CLI, that principal sends a request to Orchesto. When Orchesto receives the request, it completes several steps to determine whether to allow or deny the request.

  1. Authentication - Authenticates the principal that makes the request.
  2. Processing the Request Context - Orchesto processes the information gathered in the request to determine which policies apply to the request.
  3. Evaluating Policies - Orchesto evaluates all of the policy types, which affect the order in which the policies are evaluated.
  4. Determining Whether a Request Is Allowed or Denied - Orchesto processes the policies against the request context to determine whether the request is allowed or denied.

  • ARN (Amazon Resource Name)

    • Uniquely identifies AWS resources. Format: arn:partition:service:region:account:resource

  • Principal ARN

    • An element describing a user that is allowed or denied access to a resource, written as "AWS": account-ARN.

    • Example:

"Principal":{"AWS":"arn:aws:iam:::user/admin/ingvar"}

  • Resource ARN

    • An element describing the resource valid for an action or a principal.

    • Example:

"arn:aws:s3:::bucketName/"
"arn:aws:s3:::prefix/bucketName/*"
"arn:aws:s3:::bucketName/ObjectName*"

  • The evaluated decision for a requested action on a resource is the combination of ALL policies involved for the user AND the resource.
  • The default decision is DENY
  • A DENY will take precedence over any ALLOW decision
  • A policy can be:
    • Inline policy - Just valid for a specific user account. It is a part of the user definition. Defines Actions and Resources.
      • When the user is removed, the inline policy is also removed.
    • Attached policy - A managed policy that can be created and attached to users or to a user group. Defines Actions and Resources.
      • Can be deleted when the policy is detached from all users and groups, i.e. not active.
    • Bucket policy - A policy defining Actions, Resources and Principal, for a bucket. Hence, there is no need for this policy to be attached to a user or group.

Introduction to writing policies

All policy abbreviations are CaSe SensiTive

  • All bucket and object names used in policies are case sensitive
  • Example:
    Use "s3" and not "S3";
    use "iam" and not "IAM".

Editing hints

  • The policy editor in the Orchesto GUI includes sanity checks, both for JSON validity and for the effect, action and resource statements, etc.
  • The editor keeps 4 previous versions. If all 5 slots are used, generally delete the oldest version first.
  • It is good practice to always save a copy of the policy JSON file locally, in a text editor, in a CVS editor, etc.
  • Never edit a policy that is in use; create a test account and attach the new policy to it to verify the result.
  • A wildcard action definition (like s3:*) applies broadly and can have major consequences. It is better to define each action explicitly, e.g.:
    • "s3:PutObject", "s3:GetObject", "s3:DeleteObject", etc.

A policy defines:

  • Effect:
    Allow/Deny
  • Action:
    s3: specific actions
    iam: specific actions
    Orchesto specific actions (t.b.d)
  • Resource (sample):

    • S3 resources:
      "arn:aws:s3:::*"
      "arn:aws:s3:::bucketName*"
      "arn:aws:s3:::bucketName/"
      "arn:aws:s3:::prefix/bucketName/*"
      "arn:aws:s3:::bucketName/ObjectName*"
      "arn:aws:s3:::bucketName/Subfolder/ObjectName*"

    • IAM resources:
      arn:aws:iam::orchesto:policy/policy1
      arn:aws:iam::orchesto:policy/policy2
      arn:aws:iam::orchesto:user/alice
      arn:aws:iam::orchesto:user/john
      arn:aws:iam::orchesto:group/demo-group1

A bucket policy must contain a Principal, describing to whom / what the policy is valid for.

Note

If a policy is attached to a user or group, the Principal is not needed.

Example of a principal definition

"Principal": {
    "AWS": [
        "arn:aws:iam::orchesto:user/admin/ingvar"
    ]
}

The "Principal" value is constructed from the mandatory parts:

  • the key "AWS" with a value that starts with arn:aws:iam:::user
  • an optional /prefix
  • the IAM /user name

Examples:

arn:aws:iam:::user/alice
arn:aws:iam:::user/stockholm/bob

A policy is constructed as:

  • A JSON formatted file.
  • Must start with the Version statement EXACTLY as written here: "Version":"2012-10-17".

  • Contains a "Statement" array with one or more comma separated statements, each labeled with a "Sid" (Statement ID).

  • Each statement is an object containing a list of "Name": "Value" pairs.
  • A value can also be a multi-value array.

The start of the policy file

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid":"StatementID1-orAnyDescriptiveName",
            "Name1": "Value1",
            "Name2": "Value2"
        },
        {
            "Sid":"ID2",
            "Name3WithArrayOfValues": [
                "value3",
                "Value4"
            ]
        }
    ]
}
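The following checker is an added example, not part of Orchesto or its policy editor, that applies the rules stated in this section to a policy document before it is pasted into the GUI. The function name check_policy, its kind parameter and the ARN pattern are assumptions, and the two sample policies are constructed for the demonstration.

```python
"""Sanity checker for Orchesto policy JSON (added example, not Orchesto code).
Checks the rules stated in this section: valid JSON, "Version" exactly
"2012-10-17", a "Statement" array whose statements carry a "Sid", lowercase
service prefixes ("s3", "iam"), a "Principal" only in bucket policies, and it
flags wildcard actions such as "s3:*" as risky."""
import json
import re

# An ARN of the two services this page uses; whitespace inside an ARN is an error.
ARN_RE = re.compile(r"^arn:aws:(s3|iam):\S*$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_policy(text, kind="user"):
    """Return a list of findings; an empty list means the policy passes.

    kind is "user", "group" or "bucket"; only a bucket policy needs a Principal.
    """
    findings = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]
    if not isinstance(doc, dict):
        return ["policy must be a JSON object"]
    if doc.get("Version") != "2012-10-17":
        findings.append('"Version" must be exactly "2012-10-17"')
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ['"Statement" must be a non-empty array']
    seen_sids = set()
    for index, stmt in enumerate(statements):
        where = f"statement {index} ({stmt.get('Sid', 'no Sid')})"
        sid = stmt.get("Sid")
        if not sid:
            findings.append(f'{where}: missing "Sid"')
        elif sid in seen_sids:
            findings.append(f'{where}: duplicate "Sid"')
        seen_sids.add(sid)
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f'{where}: "Effect" must be "Allow" or "Deny"')
        if kind == "bucket" and "Principal" not in stmt:
            findings.append(f'{where}: a bucket policy statement needs a "Principal"')
        if kind != "bucket" and "Principal" in stmt:
            findings.append(f'{where}: "Principal" is not used in a {kind} policy')
        for field in ("Action", "Resource"):
            if field not in stmt:
                findings.append(f'{where}: missing "{field}"')
        services = set()
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if service not in ("s3", "iam"):
                findings.append(f'{where}: action "{action}" must use a lowercase '
                                'service prefix ("s3" or "iam")')
            services.add(service.lower())
            if name == "*":
                findings.append(f'{where}: wildcard action "{action}" allows every '
                                f'{service} operation; list the actions explicitly')
        for arn in _as_list(stmt.get("Resource", [])):
            match = ARN_RE.match(arn)
            if not match:
                findings.append(f'{where}: resource "{arn}" is not a well-formed s3/iam ARN')
            elif match.group(1) not in services:
                findings.append(f'{where}: resource "{arn}" does not match the action '
                                f'service(s) {sorted(services)}')
    return findings

# Constructed sample inputs: a policy with the two mistakes this section warns
# about (uppercase service prefix, wildcard action) and one with broken JSON.
SLOPPY_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Action": ["S3:*"],
            "Resource": ["arn:aws:s3:::examplebucket/*"]
        }
    ]
}"""
BROKEN_JSON = ('{"Version":"2012-10-17","Statement":[{"Sid":"a","Effect":"Allow",'
               '"Action":["s3:GetObject",],"Resource":["arn:aws:s3:::b/*"]}]}')
```

Run check_policy on the file before uploading it; the findings list is empty when the document follows every rule above.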

Policies with S3 specific actions

1. The following is an example of a user policy granting "Allow" for the following actions:

s3:CreateBucket,
s3:ListAllMyBuckets,
s3:GetBucketLocation

Note

For all these permissions, you set the relative-id part of the Resource ARN to "arn:aws:s3:::*" (for all other bucket / object actions, you must specify a "bucket" or "bucket / object" name).

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid":"SeeBucketsAndCreateNew",
            "Effect":"Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

2. A policy for management console users needing access to a list of all buckets

  • If your user is going to use the Orchesto Web GUI to view the S3 buckets and be allowed to see the contents of any of these buckets, or use the CLI "ls" command, then the user must have the following allowed actions:
    s3:ListAllMyBuckets
    s3:GetBucketLocation

Example policy to Allow listing of all buckets

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid":"statement1",
            "Effect":"Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

3. In addition, if a user needs the possibility to create / delete a bucket:

  • This policy defines the following actions:
    "s3:CreateBucket",
    "s3:DeleteBucket"
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid":"statement2",
            "Effect":"Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
  • The "Resource" part can define additional criteria, for instance restricting the policy to a part of the bucket name:
    • "arn:aws:s3:::app1*"

4. To read / write / delete objects in a bucket, an IAM user needs a policy with actions and defined resources.

"s3:PutObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:DeleteObject"

Or allow all S3 operations with:

"s3:*"

And a resource definition looks like:

"Resource":"arn:aws:s3:::examplebucket/*"

The resulting policy definition is:

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid":"statement2",
            "Effect":"Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::examplebucket/*"
            ]
        }
    ]
}

Use case A - Limit access to certain buckets and object names

A complete user / group policy

If this policy is attached to the user "Alice", or to a group Alice is a member of, she can:

  • See all bucket names in the Orchesto instance
  • See all object names in the buckets "demo1" and "demo2"
  • Read, delete and add objects in the bucket "demo2"
  • Perform no action at all on "secret*" objects in the "demo2" bucket (explicit Deny)

Note

Alice can still see the secret objects in the list, but she can not access them. To hide them completely, see the examples in use case B (Home folder) below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToSeeAListOfAllBucketsInTheConsole",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "ListTheBucketObjectsInSomeBucketsDefinedAsResource",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::demo1",
                "arn:aws:s3:::demo2"
            ]
        },
        {
            "Sid": "ReadWriteDeleteTheObjectsInOneBucket",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::demo2/*"
            ]
        },
        {
            "Sid": "DenyAllS3ActionsOnSecretObjects",
            "Effect": "Deny",
            "Action": [ "s3:*" ],
            "Resource": [ "arn:aws:s3:::demo2/secret*" ]
        }
    ]
}

Using wildcards

Resources can be further defined using wildcards, path conditions, etc.

  • Actions applied to:
    • Wildcard in bucket names
      "arn:aws:s3:::demobucket*"
    • Wildcard in object names
      "arn:aws:s3:::demobucket2/appl1*"
    • A bucket can contain a sort of subdirectories, represented by including a "/" in the object name.
    • The "/" is simply treated as a character in the object name
      "arn:aws:s3:::demobucket2/application1/*"
      "arn:aws:s3:::demobucket2/application2/subset1*"
      • NOTE: S3 backends use a flat storage space, although it is possible to prefix object names with "foldername/object1", creating a virtual file tree.
        In the S3 backend's user interface, or via an AWS S3 client, it is possible to upload an empty object with a trailing "/" in the name, like folder1/ and folder2/.
  • If subsequently uploading objects with the names folder1/object1 and folder2/object2, the client used to view the S3 bucket will display them as a file tree.
folder1
└── object1
folder2
└── object2
  • An S3 backend will actually store these as 4 different objects; there are no folders in an S3 bucket!
    bucketname/folder1
    bucketname/folder1/object1
    bucketname/folder2
    bucketname/folder2/object2

  • If on the other hand, a single object is uploaded with the name folder3/object3, it will not create the intermediate folder3/ object, but a client might display it as a folder structure. (Either via Orchesto Web GUI, AWS S3 client or directly via the S3 backend GUI.)

Use case B - / Home folder

For a better understanding of this use case, see also the AWS Security Blog post "Writing IAM policies: Grant access to user-specific folders in an Amazon S3 bucket" (https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/).

  • A "file share" with private subdirectories in bucket1/home.
  • A common folder with full access in bucket1/common.
  • Note: The behaviour when using a file backend might be unpredictable if the file system can't handle file names with a trailing "/", especially when deleting the last object in a virtual sub folder.

A virtual file tree structure

common
home
├── alice
├── john
└── mary
  • This could be represented in a resource definition as:
"arn:aws:s3:::bucket1/common/*"
"arn:aws:s3:::bucket1/home/alice/*"
"arn:aws:s3:::bucket1/home/john/*"
"arn:aws:s3:::bucket1/home/mary/*"
  • The task to solve is that each user should be allowed to list their own private directory and its contents, but not the others. We need the following construct:
    • Alice should see (list) objects in bucket1/home/alice/
      and create/read/delete all objects (wildcard) in bucket1/home/alice/*.
    • Alice should NOT see or change objects in bucket1/home/john/*.
  • This could be achieved by adding a DENY for all other existing subdirectories, but this will be difficult to keep updated when new "users" are added.
  • Another way to accomplish this is to use the "Condition" feature together with "Delimiter" and "Prefix".

On the group level, add the following for all home bucket users (in addition to a policy allowing "s3:ListAllMyBuckets"):

Policy: Allow Listing of Fileshare Bucket and Full Access to the Common Folder

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfCommonFolder",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1"
            ],
            "Condition": {"StringLike": {"s3:prefix": ["common"]}}
        },
        {
            "Sid": "AllowAllS3ActionsInCommonFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::bucket1/common/",
                "arn:aws:s3:::bucket1/common/*"
            ]
        }
    ]
}

Policy: Allow Full Access to Own Home Folder for User Alice

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucket1"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/alice/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket1/home/alice/*"
      ]
    },
    {
      "Sid": "DenyS3DeleteActionOfTheUserFolder",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket1/home/alice/"
      ]
    }
  ]
}
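To see how the evaluation rules stated at the start of this page (default Deny, all attached policies combined, an explicit Deny overriding any Allow) interact with the s3:prefix Condition of this use case, here is an added example that is not Orchesto's own code: a small evaluator run over the Use case A policy and the Use case B home-folder policy for Alice. The function names, the request-context dictionary and the treatment of unknown Condition operators are assumptions; the policies are copied from this page with abbreviated action lists.

```python
"""Evaluator for Orchesto/AWS-style policies (added example, not Orchesto code).
Default decision Deny; all statements of all attached policies are combined;
an explicit Deny wins over any Allow; '*' wildcards in Action/Resource; the
StringLike Condition on s3:prefix (Use case B) is checked against a context."""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value):
    # Policy wildcards: '*' matches any run of characters, '?' exactly one.
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(condition, context):
    # Assumption: only StringLike is modelled; any other operator, or a key
    # missing from the request context, makes the statement not match.
    for operator, pairs in (condition or {}).items():
        if operator != "StringLike":
            return False
        for key, patterns in pairs.items():
            if key not in context:
                return False
            if not any(_glob(p, context[key]) for p in _as_list(patterns)):
                return False
    return True

def _statement_matches(stmt, action, resource, context):
    return (any(_glob(a, action) for a in _as_list(stmt["Action"]))
            and any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition"), context))

def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    context = context or {}
    decision = "Deny"  # default stance: nothing is allowed until a policy says so
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision

# Constructed sample: the Use case A policy and the Use case B home-folder
# policy from this page (actions abbreviated), both attached to Alice.
ALICE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListAllBuckets", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        {"Sid": "ListSomeBuckets", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": ["arn:aws:s3:::demo1", "arn:aws:s3:::demo2"]},
        {"Sid": "ReadWriteDeleteDemo2", "Effect": "Allow",
         "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::demo2/*"},
        {"Sid": "DenyAllS3ActionsOnSecretObjects", "Effect": "Deny",
         "Action": "s3:*", "Resource": "arn:aws:s3:::demo2/secret*"},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket1",
         "Condition": {"StringLike": {"s3:prefix": ["home/alice/*"]}}},
        {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::bucket1/home/alice/*"},
        {"Sid": "DenyS3DeleteActionOfTheUserFolder", "Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::bucket1/home/alice/"},
    ]},
]

def check_alice(action, resource, prefix=None):
    """Evaluate one request by Alice; prefix is the s3:prefix of a listing."""
    context = {"s3:prefix": prefix} if prefix is not None else {}
    return evaluate(ALICE_POLICIES, action, resource, context)
```

A listing of bucket1 without any prefix is denied as well, because a StringLike condition on a key that is absent from the request does not match; this is why the home-folder listing only works when the client sends the prefix.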

Use case C - IAM user administrator

This scenario is to create a policy attached to a group (or user) allowing the following:

  • Create and delete users.
  • Set login credentials and API keys; delete and update passwords.
  • Set group memberships and remove users from groups.
  • Do not allow creating new groups.
  • Attach or detach an existing policy to users, but do not allow altering existing policies.
  • Disallow attaching/detaching policies to groups.

In the following example, all policy statements are added in the same policy file, organized according to which resource is involved.

  • It is possible to use wildcards ("arn:aws:iam:::*") in the iam resources definition if required.

Policy - IAM User administrator

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListUsers",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListGroupsForUser",
                "iam:ListPolicies",
                "iam:GetUser",
                "iam:GetLoginProfile",
                "iam:GetUserPolicy",
                "iam:GetPolicy",
                "iam:ListAttachedUserPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListUserPolicies",
                "iam:ListAccessKeys"
            ],
            "Resource": [
                "arn:aws:iam:::user/*"
            ]
        },
        {
            "Sid": "ModifyUsers",
            "Effect": "Allow",
            "Action": [
                "iam:CreateUser",
                "iam:UpdateUser",
                "iam:CreateAccessKey",
                "iam:UpdateAccessKey",
                "iam:ChangePassword",
                "iam:CreateLoginProfile",
                "iam:PutUserPolicy",
                "iam:AttachUserPolicy",
                "iam:UpdateLoginProfile",
                "iam:AddUserToGroup",
                "iam:DeleteUserPolicy",
                "iam:DeleteLoginProfile",
                "iam:DetachUserPolicy",
                "iam:DeleteAccessKey",
                "iam:RemoveUserFromGroup",
                "iam:DeleteUser"
            ],
            "Resource": [
                "arn:aws:iam:::user/*"
            ]
        },
        {
            "Sid": "ListGroups",
            "Effect": "Allow",
            "Action": [
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:GetGroup",
                "iam:GetGroupPolicy",
                "iam:ListAttachedGroupPolicies"
            ],
            "Resource": [
                "arn:aws:iam:::group/*"
            ]
        },
        {
            "Sid": "DenyCreateDeleteGroup",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteGroup",
                "iam:CreateGroup"
            ],
            "Resource": [
                "arn:aws:iam:::group/*"
            ]
        },
        {
            "Sid": "DenyChangeGroupPolicys",
            "Effect": "Deny",
            "Action": [
                "iam:AttachGroupPolicy",
                "iam:DeleteGroupPolicy",
                "iam:DetachGroupPolicy",
                "iam:PutGroupPolicy"
            ],
            "Resource": [
                "arn:aws:iam:::group/*"
            ]
        },
        {
            "Sid": "ModifyGroupMembers",
            "Effect": "Allow",
            "Action": [
                "iam:AddUserToGroup",
                "iam:RemoveUserFromGroup",
                "iam:UpdateGroup"
            ],
            "Resource": [
                "arn:aws:iam:::group/*"
            ]
        },
        {
            "Sid": "AllowViewPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicies",
                "iam:ListPolicyVersions"
            ],
            "Resource": [
                "arn:aws:iam:::policy/*"
            ]
        },
        {
            "Sid": "AttachDetachPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:AttachUserPolicy",
                "iam:DetachUserPolicy"
            ],
            "Resource": [
                "arn:aws:iam:::policy/*"
            ]
        }
    ]
}

Use case D - Immutable bucket

Scenario

  • Normal users can add objects to a bucket that has versioning enabled.
    • Overwriting an object just adds a new version; the old one still exists.
  • The administration of IAM resources (users, groups, policies) is separated from the administration of buckets and objects.
  • The group policy that allows object delete is INLINE to the admin group, in order to prevent someone from attaching that policy to another group.

Users in group immutable-users:

  • Upload objects:
    • Creates a new version
  • Read buckets:
    • Read only the latest version
  • No object delete

Users in group immutable-admins:

  • Can upload and read objects
  • Can delete the latest version of objects
  • Can delete all versions of objects

Resources:

  • Bucket: arn:aws:s3:::demo-immutablebucket1
    • Contains objects with versioning
  • Group: arn:aws:iam::orchesto:group/immutable-users
    • Contains member user bucket-user1
  • User: arn:aws:iam::orchesto:user/bucket-user1
  • Managed policy: arn:aws:iam::orchesto:policy/Immutable-bucket
    • Deny delete, allow write
  • Managed policy: arn:aws:iam::orchesto:policy/ListAllMyBuckets
    • Allow list bucket names
  • Group: arn:aws:iam::orchesto:group/immutable-admins
  • Inline policy: Allow-admin-immutable-bucket-objects
    • Allow write and delete of objects
    • Deny delete of the bucket itself
  • Managed policy: arn:aws:iam::orchesto:policy/ListAllMyBuckets
    • Allow list bucket names
  • User: arn:aws:iam::orchesto:user/bucket-admin1
  • Group: arn:aws:iam::orchesto:group/iam-user-admins
  • User: arn:aws:iam::orchesto:user/iam-admin1
  • Inline policy: AllowUserAdmin
    • Allowing full admin of IAM resources

Managed policy: arn:aws:iam::orchesto:policy/Immutable-bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDelete",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::demo-immutablebucket1",
                "arn:aws:s3:::demo-immutablebucket1/*"
            ]
        },
        {
            "Sid": "listbBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::demo-immutablebucket1"
            ]
        },
        {
            "Sid": "ReadWriteToBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::demo-immutablebucket1/*"
            ]
        }
    ]
}

Managed policy: arn:aws:iam::orchesto:policy/ListAllMyBuckets

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowToSeeAListOfAllBucketsInTheConsole",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

Inline policy: Allow-admin-immutable-bucket-objects

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDeleteObject",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::demo-immutablebucket1/*"
            ]
        },
        {
            "Sid": "listbBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::demo-immutablebucket1"
            ]
        },
        {
            "Sid": "ReadWriteToBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::demo-immutablebucket1/*"
            ]
        }
    ]
}

Inline policy: AllowUserAdmin

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListUsers",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroupsForUser",
                "iam:ListUsers",
                "iam:GetLoginProfile",
                "iam:GetPolicy",
                "iam:GetUserPolicy",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicies",
                "iam:ListUserPolicies"
            ],
            "Resource": [
                "arn:aws:iam:::user/*"
            ]
        },
        {
            "Sid": "ModifyUsers",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateUser",
                "iam:DeleteUser",
                "iam:PutUserPolicy",
                "iam:UpdateLoginProfile",
                "iam:UpdateUser",
                "iam:AttachUserPolicy",
                "iam:DeleteLoginProfile",
                "iam:DeleteAccessKey",
                "iam:CreateAccessKey",
                "iam:DeleteUserPolicy",
                "iam:DetachUserPolicy",
                "iam:RemoveUserFromGroup",
                "iam:AddUserToGroup",
                "iam:UpdateAccessKey",
                "iam:CreateLoginProfile"
            ],
            "Resource": [
                "arn:aws:iam:::user/*"
            ]
        },
        {
            "Sid": "ListGroups",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:GetGroup"
            ],
            "Resource": [
                "arn:aws:iam:::group/*"
            ]
        },
        {
            "Sid": "DenyCreateDeleteGroup",
            "Effect": "Deny",
            "Action": [
                "iam:CreateGroup",
                "iam:DeleteGroup"
            ],
            "Resource": [
                "arn:aws:iam:::group/*"
            ]
        },
        {
            "Sid": "DenyChangeGroupPolicys",
            "Effect": "Deny",
            "Action": [
                "iam:DetachGroupPolicy",
                "iam:PutGroupPolicy",
                "iam:AttachGroupPolicy",
                "iam:DeleteGroupPolicy"
            ],
            "Resource": [
                "arn:aws:iam:::group/*"
            ]
        },
        {
            "Sid": "ModifyGroupMembers",
            "Effect": "Allow",
            "Action": [
                "iam:UpdateGroup",
                "iam:AddUserToGroup",
                "iam:RemoveUserFromGroup"
            ],
            "Resource": [
                "arn:aws:iam:::group/*"
            ]
        },
        {
            "Sid": "AllowViewPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicies",
                "iam:ListPolicyVersions"
            ],
            "Resource": [
                "arn:aws:iam:::policy/*"
            ]
        },
        {
            "Sid": "AttachDetachPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:AttachUserPolicy",
                "iam:DetachUserPolicy"
            ],
            "Resource": [
                "arn:aws:iam:::policy/*"
            ]
        }
    ]
}

Use case E - Full admin rights to all resources

Warning

This policy, when added to a user or group, enables all actions on all IAM and S3 resources.

This policy uses a wildcard for both "Action" and "Resource" together with "Allow":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFullAccessToAllS3Resoures",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "AllowFullAccessToAllIamResoures",
            "Action": "iam:*",
            "Effect": "Allow",
            "Resource": "arn:aws:iam:::*"
        }
    ]
}