CloudTruth Documentation
Copyright© 2023 CloudTruth

Advanced AWS IAM policy permissions


Last updated 3 years ago


Creating restrictive IAM integration policies

Overview

Your organization's security policies may require you to restrict CloudTruth integration access to specific resources in your AWS account. CloudTruth verifies integration permissions by querying a key named _cloudtruth_test_. You will need to allow access to _cloudtruth_test_* in the AWS Secrets Manager and SSM inline policies in order for the integration status to show as connected.

Without _cloudtruth_test_* allowed, the integration status will show the following errors.

Secrets Manager Details: Unable to complete a Secrets Manager operation. Please check your IAM policy for the 'secretsmanager:DescribeSecret' permission.

SSM Details: Unable to complete an SSM operation. Please check your IAM policy for the 'ssm:GetParameter' permission.

Resolution

Below are example inline policies that grant access to the _cloudtruth_test_* resource alongside a sample resource of your own, so the health check succeeds while everything else in the account stays out of scope.

AWS Secrets Manager

This example inline policy allows access to all secrets whose names start with the prefix sample, and additionally allows the integration health check secret _cloudtruth_test_.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListSecrets",
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        },
        {
            "Sid": "SecretAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:sample*",
                "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"
            ]
        }
    ]
}

SSM Parameter Store

This example inline policy allows access to all parameters whose names start with the prefix sample, and additionally allows the integration health check parameter _cloudtruth_test_.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ParameterList",
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Sid": "ParameterAccess",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:parameter/sample*",
                "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*"
            ]
        }
    ]
}

S3

S3 does not need an explicit permission for _cloudtruth_test_. The following example shows how to limit the S3 integration so it can only read data from one specific bucket, YOUR-BUCKET-NAME.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketSelection",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-NAME/*",
                "arn:aws:s3:::YOUR-BUCKET-NAME"
            ]
        }
    ]
}
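The three policies above share one shape: a list/describe action on "*" plus a data-access statement scoped to specific ARN patterns, with the _cloudtruth_test_* pattern added for the health check. The following script is an added example (not CloudTruth's own code or tooling) that rebuilds the page's three policies with a small helper and audits each one offline: it evaluates Action/Resource statements the way IAM does (explicit Deny wins, otherwise any matching Allow), then probes the policy with the health-check call named in the page's error messages, a sample in-scope resource, and an out-of-scope resource that a least-privilege policy must not allow. The region, account id, Secrets Manager random suffix, parameter names and object keys in the probes are constructed placeholders, and the checker deliberately refuses statements using NotAction, NotResource or Condition rather than guessing at their semantics.

```python
"""Offline audit of CloudTruth-style integration IAM policies (added example)."""
import re

# Constructed sample ARNs: region, account id, Secrets Manager suffix and
# parameter/object names are placeholders, not values from the documentation.
ARN = "arn:aws:%s:us-east-1:123456789012:%s"
PROBES = {
    # (action, resource ARN, should a correctly scoped policy allow it?)
    "secretsmanager": [
        ("secretsmanager:DescribeSecret", ARN % ("secretsmanager", "secret:_cloudtruth_test_-Ab12Cd"), True),
        ("secretsmanager:GetSecretValue", ARN % ("secretsmanager", "secret:sample-db-password-Xy9Zq1"), True),
        ("secretsmanager:GetSecretValue", ARN % ("secretsmanager", "secret:prod-db-password-Xy9Zq1"), False),
    ],
    "ssm": [
        ("ssm:GetParameter", ARN % ("ssm", "parameter/_cloudtruth_test_"), True),
        ("ssm:GetParameter", ARN % ("ssm", "parameter/sample/db/host"), True),
        ("ssm:GetParameter", ARN % ("ssm", "parameter/prod/db/host"), False),
    ],
    "s3": [
        ("s3:GetObject", "arn:aws:s3:::YOUR-BUCKET-NAME/config/app.env", True),
        ("s3:ListBucket", "arn:aws:s3:::YOUR-BUCKET-NAME", True),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/config/app.env", False),
    ],
}


def scoped_policy(list_action, access_actions, resource_arns):
    """The two-statement shape used on the page: a list/describe action on '*'
    plus data access restricted to explicit ARN patterns."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "List", "Effect": "Allow", "Action": list_action, "Resource": "*"},
        {"Sid": "Access", "Effect": "Allow", "Action": access_actions, "Resource": resource_arns},
    ]}


# The page's three policies, rebuilt with the helper.
SECRETS_POLICY = scoped_policy(
    "secretsmanager:ListSecrets",
    ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    ["arn:aws:secretsmanager:*:*:secret:sample*", "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"])
SSM_POLICY = scoped_policy(
    "ssm:DescribeParameters",
    ["ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter"],
    ["arn:aws:ssm:*:*:parameter/sample*", "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*"])
S3_POLICY = scoped_policy(
    "s3:ListAllMyBuckets",
    ["s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation"],
    ["arn:aws:s3:::YOUR-BUCKET-NAME/*", "arn:aws:s3:::YOUR-BUCKET-NAME"])
# The common mistake the page warns about: the health-check pattern left out.
SECRETS_POLICY_NO_PROBE = scoped_policy(
    "secretsmanager:ListSecrets",
    ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    ["arn:aws:secretsmanager:*:*:secret:sample*"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource_arn):
    """Evaluate plain Action/Resource statements: explicit Deny wins,
    otherwise the request is allowed if any Allow statement matches."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        unsupported = {"NotAction", "NotResource", "Condition"} & set(stmt)
        if unsupported:
            raise ValueError(f"{sorted(unsupported)} not modelled by this checker")
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(_wild(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wild(r, resource_arn) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def audit(policy, service):
    """Return human-readable findings for one service; an empty list passes."""
    findings = []
    for action, arn, expected in PROBES[service]:
        if is_allowed(policy, action, arn) != expected:
            verdict = ("is not allowed, so the integration call will fail" if expected
                       else "is allowed but should be out of scope")
            findings.append(f"{action} on {arn} {verdict}")
    return findings


if __name__ == "__main__":
    for name, policy, service in [("Secrets Manager", SECRETS_POLICY, "secretsmanager"),
                                  ("SSM", SSM_POLICY, "ssm"), ("S3", S3_POLICY, "s3"),
                                  ("Secrets Manager without _cloudtruth_test_*",
                                   SECRETS_POLICY_NO_PROBE, "secretsmanager")]:
        findings = audit(policy, service)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Running the script reports the three page policies as OK and flags the variant that omits _cloudtruth_test_* with exactly the DescribeSecret failure the page's error message describes. The negative probes are the part worth keeping in a real review: a policy that passes the health check but also allows prod* secrets or another bucket has not achieved the restriction this page is about.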