# Advanced AWS IAM policy permissions

## Creating restrictive IAM integration policies

### Overview

Your organization's security policies may require you to restrict CloudTruth integration access to specific [resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in your AWS account. CloudTruth verifies integration permissions by querying a key named `_cloudtruth_test_`. You will need to allow access to `_cloudtruth_test_*` in the AWS Secrets Manager and SSM inline policies for the integration status to show connected.

Without `_cloudtruth_test_*` allowed, the integration status shows the following errors.

{% hint style="danger" %}
**Secrets Manager Details:** Unable to complete a Secrets Manager operation. Please check your IAM policy for the 'secretsmanager:DescribeSecret' permission.
{% endhint %}

{% hint style="danger" %}
**SSM Details:** Unable to complete an SSM operation. Please check your IAM policy for the 'ssm:GetParameter' permission.
{% endhint %}

### Resolution

Below are examples that add the `_cloudtruth_test_*` resource to your inline policy alongside a sample restricted resource.

**AWS Secrets Manager**

This example inline policy allows access to all secrets that start with the prefix `sample` and allows the integration health check `_cloudtruth_test_`.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListSecrets",
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        },
        {
            "Sid": "SecretAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:sample*",
                "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"
            ]
        }
    ]
}
```
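Before attaching a restrictive policy, it is worth confirming offline that it still covers the health check. The following is an added example (not CloudTruth's code): a small evaluator for the Secrets Manager policy above that handles only `Effect`, `Action` and `Resource` (no `Condition`, `NotAction` or `NotResource`), and uses a constructed account ID and a constructed random suffix of the kind Secrets Manager appends to every secret ARN, which is why the page's resource ends in `*`.

```python
import re

# Constructed copy of the Secrets Manager inline policy shown above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListSecrets", "Effect": "Allow",
         "Action": "secretsmanager:ListSecrets", "Resource": "*"},
        {"Sid": "SecretAccess", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": ["arn:aws:secretsmanager:*:*:secret:sample*",
                      "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"]},
    ],
}


def _match(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action on one resource ARN.
    Action names compare case-insensitively, resource ARNs case-sensitively."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            raise NotImplementedError("simplified evaluator: unsupported statement element")
        action_hit = any(_match(a, action, False) for a in _as_list(stmt["Action"]))
        resource_hit = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides any allow
            decision = "Allow"
    return decision


def health_check_allowed(policy, region="us-east-1", account="123456789012"):
    """Can the integration health check describe the _cloudtruth_test_ secret?
    The '-AbCdEf' suffix is a constructed stand-in for the random characters
    Secrets Manager appends to a secret's ARN."""
    arn = f"arn:aws:secretsmanager:{region}:{account}:secret:_cloudtruth_test_-AbCdEf"
    return evaluate(policy, "secretsmanager:DescribeSecret", arn) == "Allow"
```

Dropping the `_cloudtruth_test_*` entry from `POLICY` makes `health_check_allowed` return `False`, which is the condition behind the "Unable to complete a Secrets Manager operation" error above.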

**SSM Parameter Store**

This example policy allows access to all parameters that start with the prefix `sample` and allows the integration health check `_cloudtruth_test_`.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ParameterList",
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Sid": "ParameterAccess",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:parameter/sample*",
                "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*"
            ]
        }
    ]
}
```

**S3**

S3 does not need an explicit permission for `_cloudtruth_test_`. The following is an example of how you can limit the S3 integration to reading data from a single bucket, `YOUR-BUCKET-NAME`.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketSelection",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-NAME/*",
                "arn:aws:s3:::YOUR-BUCKET-NAME"
            ]
        }
    ]
}
```
