Example – Allow access only to notebooks that a user creates based on tagging


allows the actions, the condition context keys limit allowed actions as indicated.

Example – Allow access only to notebooks that a user creates based on tagging

The example policy statement below, when attached to a role or user, allows the IAM user to work only with notebooks that they have created. This policy statement uses the default tag applied when a notebook is created.

In the example, the StringEquals condition operator tries to match a variable representing the current user's IAM user ID (${aws:userId}) with the value of the tag creatorUserId. If the tag creatorUserId hasn't been added to the notebook, or doesn't contain the value of the current user's ID, the policy doesn't apply, and the actions aren't allowed by this policy. If no other policy statements allow the actions, the user can only work with notebooks that have this tag with this value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticmapreduce:DescribeEditor",
                "elasticmapreduce:StartEditor",
                "elasticmapreduce:StopEditor",
                "elasticmapreduce:DeleteEditor",
                "elasticmapreduce:OpenEditorInConsole"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
                }
            }
        }
    ]
}
Amazon EMR Management Guide Identity-Based Policy Examples

Example – Require notebook tagging when a notebook is created

In this example, the RequestTag context key is used. The CreateEditor action is allowed only if the user does not change or delete the creatorUserId tag that is added by default. The variable ${aws:userId} specifies the currently active user's User ID, which is the default value of the tag. The policy statement can be used to help ensure that users do not remove the creatorUserId tag or change its value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticmapreduce:CreateEditor"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "elasticmapreduce:RequestTag/creatorUserId": "${aws:userid}"
                }
            }
        }
    ]
}

This example requires that the user create the cluster with a tag having the key string dept and a value set to one of the following: datascience, analytics, operations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticmapreduce:CreateEditor"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "elasticmapreduce:RequestTag/dept": [
                        "datascience",
                        "analytics",
                        "operations"
                    ]
                }
            }
        }
    ]
}

Example – Limit notebook creation to tagged clusters, and require notebook tags

This example allows notebook creation only if the notebook is created with a tag that has the key string owner set to one of the specified values. In addition, the notebook can be created only if the cluster has a tag with the key string department set to one of the specified values.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticmapreduce:CreateEditor"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "elasticmapreduce:RequestTag/owner": [
                        "owner1",
                        "owner2",
                        "owner3"
                    ],
                    "elasticmapreduce:ResourceTag/department": [
                        "dep1",
                        "dep3"
                    ]
                }
            }
        }
    ]
}

Example – Limit the ability to start a notebook based on tags

This example limits the ability to start notebooks only to those notebooks that have a tag with the key string owner set to one of the specified values. Because the Resource element is used to specify only the editor, the condition does not apply to the cluster, and it does not need to be tagged.
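How the StringEquals conditions in the policies above evaluate, as an added Python example that is not part of the Amazon EMR guide: a simplified model (not the IAM policy engine) showing that a missing tag never matches, that every key in one condition must match, and that any one listed value is enough. The function names, the requests built in demo and the user IDs are constructed for illustration.

```python
import re

# Simplified model, not the IAM engine: Allow + StringEquals only, Resource ignored.
VAR = re.compile(r"\$\{([^}]+)\}")

def resolve(value, ctx):
    """Expand ${key} policy variables; None if the variable is absent."""
    try:
        return VAR.sub(lambda m: ctx[m.group(1).lower()], value)
    except KeyError:
        return None

def string_equals(block, ctx):
    """All keys must match (AND); any listed value may match (OR)."""
    for key, allowed in block.items():
        actual = ctx.get(key.lower())  # key names are not case-sensitive
        if actual is None:             # tag absent from the request context
            return False
        values = allowed if isinstance(allowed, list) else [allowed]
        if actual not in {resolve(v, ctx) for v in values}:  # exact-case values
            return False
    return True

def is_allowed(policy, action, context):
    """True if an Allow statement lists the action and its condition holds."""
    ctx = {k.lower(): v for k, v in context.items()}
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if stmt["Effect"] == "Allow" and action in stmt["Action"] and string_equals(cond, ctx):
            return True
    return False  # no statement allowed it: implicit deny

def statement(actions, conditions):
    return {"Version": "2012-10-17", "Statement": [{"Action": actions, "Effect": "Allow",
            "Resource": "*", "Condition": {"StringEquals": conditions}}]}

# Two of the page's policies; the first is abbreviated to two of its actions.
OWN_NOTEBOOKS = statement(["elasticmapreduce:StartEditor", "elasticmapreduce:DeleteEditor"],
    {"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"})
TAGGED_CREATE = statement(["elasticmapreduce:CreateEditor"], {
    "elasticmapreduce:RequestTag/owner": ["owner1", "owner2", "owner3"],
    "elasticmapreduce:ResourceTag/department": ["dep1", "dep3"]})

def demo(user="AIDAEXAMPLEALICE"):  # constructed placeholder user ID
    """StartEditor on: own notebook, someone else's notebook, untagged notebook."""
    tag, act = "elasticmapreduce:ResourceTag/creatorUserId", "elasticmapreduce:StartEditor"
    tags = [{tag: user}, {tag: "AIDAEXAMPLEBOB"}, {}]
    return [is_allowed(OWN_NOTEBOOKS, act, {"aws:userId": user, **t}) for t in tags]

if __name__ == "__main__": print(demo())
```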