IAM Policy

Permissions
An IAM policy defines the permissions of an identity (users, groups, and roles) or of a resource: it allows or denies the principal's actions on specific resources regardless of the method used to perform the operation. A user with an allowed action can therefore perform it from the AWS Management Console, the AWS CLI, or the AWS API alike.
Terraform resource aws_iam_policy (IAM Policy)
attributes:
  • description - (Optional, Forces new resource) Description of the IAM policy.
  • name - (Optional, Forces new resource) The name of the policy. If omitted, Terraform will assign a random, unique name.
  • name_prefix - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • path - (Optional, default "/") Path in which to create the policy. See IAM Identifiers for more information.
  • policy - (Required) The policy document. This is a JSON formatted string. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
  • tags - (Optional) Map of resource tags for the IAM Policy. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.

Associating resources with an IAM Policy
Resources do not "belong" to an IAM Policy. Rather, one or more Security Groups are associated with a resource.
Create IAM Policy via Terraform:
The following HCL creates an IAM policy.
Syntax:

resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

Create IAM Policy via CLI:
Parameters:

create-policy
--policy-name <value>
[--path <value>]
--policy-document <value>
[--description <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws iam create-policy --policy-name my-policy --policy-document file://policy

Best Practices for IAM Policy

Categorized by Availability, Security & Compliance and Cost

Critical: EC2 with Admin access (*:*)
Warning: EC2 with high privileged policies
Critical: ECS task with Admin access (*:*)
Warning: ECS task with high privileged policies
Critical: Ensure IAM policies that allow full "*:*" administrative privileges are not created
Warning: Ensure IAM policies that allow over privileged access to data are not created
Critical: IAM Role with Admin access (*:*)
Warning: IAM Role with high privileged policies
Critical: IAM User with Admin access (*:*)
Warning: IAM User with high privileged policies
Warning: IAM user can execute a Privilege Escalation by using AssumeRole
Critical: IAM user can execute a Privilege Escalation by using AttachRolePolicy
Critical: IAM user can execute a Privilege Escalation by using AttachUserPolicy
Critical: IAM user can execute a Privilege Escalation by using CreatePolicyVersion
Warning: IAM user can execute a Privilege Escalation by using PassRole
Critical: IAM user can execute a Privilege Escalation by using PassRole and CreateFunction and lambda:InvokeFunction
Critical: IAM user can execute a Privilege Escalation by using PassRole and CreatePipeline and PutPipelineDefinition
Critical: IAM user can execute a Privilege Escalation by using PassRole and RunInstances
Critical: IAM user can execute a Privilege Escalation by using UpdateAssumeRolePolicy and sts:AssumeRole
Critical: IAM user can execute a Privilege Escalation by using UpdateLoginProfile
Critical: Lambda Admin access (*:*)
Warning: Lambda with high privileged policies
Critical: Pod with Admin access (*:*)
Warning: Pod with high privileged policies
Warning: Resource has access to get data from S3 bucket
Critical: Resource with over permissive DynamoDB GetItem permissions
Critical: Resource with over permissive ElastiCache permissions
Critical: Resource with over permissive KMS permissions
Critical: Resource with over permissive OpenSearch permissions
Critical: Resource with over permissive RDS permissions
Critical: Resource with over permissive S3 GetObject permissions