I have a problem with restricting access to AWS Elastic Beanstalk to specific environments. The goal is to create a policy that allows an IAM user to access the complete Elastic Beanstalk service (including creating new apps and environments), but completely denies access to the production environment in a specific app.
What I've tried is this (mainly copied from here), but apparently it doesn't work; the user with just this policy attached gets access to all of AWS, like the root user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DeleteApplicationVersion"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:<region>:<account id>:environment/<app name>/<environment name>"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeAccountAttributes",
        "elasticbeanstalk:AbortEnvironmentUpdate",
        "elasticbeanstalk:TerminateEnvironment",
        "rds:*",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "autoscaling:*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:DescribeInstancesHealth",
        "elasticbeanstalk:DescribeEnvironmentHealth",
        "sns:*",
        "elasticbeanstalk:RestartAppServer",
        "s3:*",
        "cloudformation:*",
        "elasticloadbalancing:*",
        "elasticbeanstalk:CreateStorageLocation",
        "elasticbeanstalk:DescribeEnvironmentManagedActions",
        "elasticbeanstalk:SwapEnvironmentCNAMEs",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:ApplyEnvironmentManagedAction",
        "cloudwatch:*",
        "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:DeleteEnvironmentConfiguration",
        "elasticbeanstalk:UpdateEnvironment",
        "ec2:*",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "sqs:*",
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": [
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role",
        "arn:aws:iam::123456789012:role/aws-elasticbeanstalk-service-role",
        "arn:aws:iam::123456789012:instance-profile/aws-elasticbeanstalk-ec2-role"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:ListPlatformVersions"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:<region>:<account id>:environment/<app name>/<environment name>"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:AddTags",
        "elasticbeanstalk:Describe*"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:*::platform/*",
        "arn:aws:elasticbeanstalk:*:*:environment/*/*",
        "arn:aws:elasticbeanstalk:*:*:application/*",
        "arn:aws:elasticbeanstalk:*::solutionstack/*",
        "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
        "arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "elasticbeanstalk:InApplication": [
            "arn:aws:elasticbeanstalk:<region>:<account id>:environment/<app name>/<environment name>"
          ]
        }
      }
    }
  ]
}
The page you're referring to is for restricting access to specific EB applications, not environments.
This doc covers the condition keys for Elastic Beanstalk actions,
... where you can see more explanations and examples.
The bottom line is that changing "elasticbeanstalk:InApplication" to "elasticbeanstalk:FromEnvironment" would work.
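As an added example (not code from the question or the answer above), here is the pattern that gives the asked-for result without depending on a condition key at all: allow the whole Elastic Beanstalk service, then add an explicit Deny whose Resource is the production environment's ARN. An explicit Deny overrides any Allow, whether it comes from this policy or from another policy attached to the same user. For background, `elasticbeanstalk:InApplication` carries the ARN of the application that contains the resource, so comparing it against an environment ARN with StringNotEquals is always true, which is why the condition in the question's policy never restricted anything. The Python below builds the policy and runs a small offline approximation of IAM's evaluation order (explicit Deny, then Allow, else implicit deny) over a few constructed requests. The region, account id, application name and environment names are assumptions chosen for illustration.

```python
import fnmatch
import json

# Added example, not code from the original question or answer. The region,
# account id, application and environment names below are assumptions chosen
# for illustration only.
REGION = "us-east-1"
ACCOUNT = "123456789012"
APP = "my-app"
ENV_ARN_PREFIX = f"arn:aws:elasticbeanstalk:{REGION}:{ACCOUNT}:environment/{APP}/"
PROD_ENV_ARN = ENV_ARN_PREFIX + "my-app-prod"
STAGING_ENV_ARN = ENV_ARN_PREFIX + "my-app-staging"

# Allow the whole Elastic Beanstalk service, then carve out the production
# environment with an explicit Deny on its ARN. An explicit Deny beats any
# Allow, in this policy or in any other policy attached to the user.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllElasticBeanstalk",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:*",
            "Resource": "*",
        },
        {
            "Sid": "DenyProductionEnvironment",
            "Effect": "Deny",
            "Action": "elasticbeanstalk:*",
            "Resource": PROD_ENV_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource strings;
    # fnmatchcase is a close enough approximation for this illustration.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Simplified IAM decision for one request: an explicit Deny wins, otherwise
    any matching Allow grants access, otherwise the request is implicitly denied.
    Conditions, NotAction and NotResource are deliberately not modelled."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def check_policy(policy=POLICY):
    """Run a constructed set of requests through the policy and return
    (action, resource, decision) triples."""
    requests = [
        # Mutating and read-only calls against the production environment.
        ("elasticbeanstalk:UpdateEnvironment", PROD_ENV_ARN),
        ("elasticbeanstalk:TerminateEnvironment", PROD_ENV_ARN),
        ("elasticbeanstalk:DescribeEnvironments", PROD_ENV_ARN),
        # The same mutating call against a non-production environment.
        ("elasticbeanstalk:UpdateEnvironment", STAGING_ENV_ARN),
        # Creating a brand-new environment in the same application.
        ("elasticbeanstalk:CreateEnvironment", ENV_ARN_PREFIX + "my-app-new"),
        # A supporting-service call: this policy says nothing about EC2
        # (constructed instance id).
        ("ec2:TerminateInstances",
         f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0123456789abcdef0"),
    ]
    return [(a, r, evaluate(policy, a, r)) for a, r in requests]


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for action, resource, decision in check_policy():
        print(f"{decision:<13} {action} on {resource}")
```

Two things to keep in mind when adapting this. First, the Deny as written also blocks Describe* and List* calls on the production environment; if read access should survive, narrow the Deny's Action list to the mutating calls (UpdateEnvironment, TerminateEnvironment, RebuildEnvironment, RestartAppServer, SwapEnvironmentCNAMEs and so on). Second, the supporting-service grants from the question (ec2:*, rds:*, s3:*, autoscaling:*, ...) are not touched by an Elastic Beanstalk Deny, so a user holding them can still reach the production environment's instances, database and buckets directly; those need their own resource-level restrictions. To check the real policy rather than this approximation, run the IAM policy simulator against it, for example `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names elasticbeanstalk:UpdateEnvironment --resource-arns <production environment ARN>`, and confirm it reports an explicit deny.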