Advanced AWS IAM policy permissions
Your organization's security policies may require you to restrict CloudTruth integration access to specific resources in your AWS account. CloudTruth verifies integration permissions by querying a key named `_cloudtruth_test_`. You will need to grant access to `_cloudtruth_test_*` in the AWS Secrets Manager and SSM inline policies in order for the integration status to show connected. Without `_cloudtruth_test_*` allowed, the integration status shows the following errors:

Secrets Manager Details: Unable to complete a Secrets Manager operation. Please check your IAM policy for the 'secretsmanager:DescribeSecret' permission.

SSM Details: Unable to complete an SSM operation. Please check your IAM policy for the 'ssm:GetParameter' permission.
Below are examples that add the `_cloudtruth_test_*` resource to your specific inline policy, alongside a sample resource of your own.

AWS Secrets Manager

This example inline policy allows access to all secrets that start with the prefix `sample` and allows the integration health check `_cloudtruth_test_`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    },
    {
      "Sid": "SecretAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:sample*",
        "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"
      ]
    }
  ]
}
```
SSM Parameter Store

This example policy allows access to all parameters that start with the prefix `sample` and allows the integration health check `_cloudtruth_test_`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ParameterList",
      "Effect": "Allow",
      "Action": "ssm:DescribeParameters",
      "Resource": "*"
    },
    {
      "Sid": "ParameterAccess",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:parameter/sample*",
        "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*"
      ]
    }
  ]
}
```
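A quick way to catch a missing `_cloudtruth_test_*` resource before the integration reports the Secrets Manager or SSM errors above is to evaluate the policy document offline. The script below is added here as an illustration and is not CloudTruth's own tooling; it uses a simplified Allow-only matcher (no conditions or Deny statements), and the health-check ARNs and the sample policy are constructed for the example.

```python
import fnmatch
import json

# Constructed ARNs of the resources the health check reads. Secrets Manager appends
# a random suffix to secret ARNs, which is why the policies above use
# "_cloudtruth_test_*" rather than an exact name.
HEALTH_CHECK = {
    "secretsmanager:DescribeSecret": "arn:aws:secretsmanager:us-east-1:123456789012:secret:_cloudtruth_test_-Ab1cD2",
    "ssm:GetParameter": "arn:aws:ssm:us-east-1:123456789012:parameter/_cloudtruth_test_",
}

def _as_list(value):
    # IAM allows "Action" and "Resource" to be either a single string or a list.
    return [value] if isinstance(value, str) else list(value or [])

def allows(policy, action, resource_arn):
    """True if some Allow statement grants `action` on `resource_arn`.

    fnmatch approximates IAM's * and ? wildcards; action names are matched
    case-insensitively, resource ARNs case-sensitively.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))
        resource_ok = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource")))
        if action_ok and resource_ok:
            return True
    return False

def health_check_gaps(policy):
    """Health-check actions the policy does not grant on the _cloudtruth_test_ resource."""
    return sorted(a for a, arn in HEALTH_CHECK.items() if not allows(policy, a, arn))

# Constructed policy: the SSM statement includes the test key, the Secrets Manager one forgot it.
MISSING_TEST_KEY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "arn:aws:secretsmanager:*:*:secret:sample*"},
    {"Effect": "Allow", "Action": "ssm:GetParameter",
     "Resource": ["arn:aws:ssm:*:*:parameter/sample*", "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*"]}
  ]
}""")

if __name__ == "__main__":
    print(health_check_gaps(MISSING_TEST_KEY))  # ['secretsmanager:DescribeSecret']
```

An empty result means both health-check calls are covered; any action listed corresponds to the error message the integration status would show for that service.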
S3

S3 does not explicitly need a permission to allow `_cloudtruth_test_`. The following example shows how to limit the S3 integration to reading data from a single bucket, YOUR_BUCKET_NAME (written as YOUR-BUCKET-NAME in the ARNs below; replace it with your bucket's name in both places).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketSelection",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME/*",
        "arn:aws:s3:::YOUR-BUCKET-NAME"
      ]
    }
  ]
}
```