Advanced AWS IAM policy permissions

Creating restrictive IAM integration policies

Overview

Your organization's security policies may require you to restrict CloudTruth integration access to specific resources in your AWS account. CloudTruth verifies integration permissions by querying a key named _cloudtruth_test_. You will need to allow access to _cloudtruth_test_* in the AWS Secrets Manager and SSM inline policies for the integration status to show as connected.

Without _cloudtruth_test_* allowed, the integration status will show the following errors.

Secrets Manager Details: Unable to complete a Secrets Manager operation. Please check your IAM policy for the 'secretsmanager:DescribeSecret' permission.

SSM Details: Unable to complete an SSM operation. Please check your IAM policy for the 'ssm:GetParameter' permission.

Resolution

Below are example inline policies that add the _cloudtruth_test_* resource alongside a sample restricted resource.

AWS Secrets Manager

This example inline policy allows access to all secrets whose names start with the prefix sample and allows the integration health check on _cloudtruth_test_.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListSecrets",
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        },
        {
            "Sid": "SecretAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:sample*",
                "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"
            ]
        }
    ]
}

SSM Parameter store

This example inline policy allows access to all parameters whose names start with the prefix sample and allows the integration health check on _cloudtruth_test_.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ParameterList",
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Sid": "ParameterAccess",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:parameter/sample*",
                "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*"
            ]
        }
    ]
}
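To see why the health check fails without the _cloudtruth_test_* resource, and to patch a policy the way the Secrets Manager and SSM examples above do, here is an added Python example (not CloudTruth's own code). It evaluates one action/resource pair against a policy document using IAM's wildcard rules (simplified by assumption: Condition, NotAction and NotResource are ignored) and appends the page's _cloudtruth_test_* ARN to every statement that grants the health-check action; the probe ARNs, account id and region are constructed.

```python
import json
import re

# Constructed sample: the page's Secrets Manager "SecretAccess" statement without the
# _cloudtruth_test_* ARN, the misconfiguration behind the DescribeSecret error quoted above.
POLICY_MISSING_TEST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SecretAccess", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "arn:aws:secretsmanager:*:*:secret:sample*"}]}

# Per service: health-check action (page's error text), constructed probe ARN, page's grant.
HEALTH_CHECKS = {
    "secretsmanager": ("secretsmanager:DescribeSecret",
                       "arn:aws:secretsmanager:us-east-1:123456789012:secret:_cloudtruth_test_-AbCdEf",
                       "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"),
    "ssm": ("ssm:GetParameter", "arn:aws:ssm:us-east-1:123456789012:parameter/_cloudtruth_test_",
            "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*")}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' one; action names ignore case.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _grants_action(stmt, action):
    return any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", [])))

def evaluate(policy, action, resource):
    """Return 'allow', 'deny' or 'implicit_deny'; Condition/NotAction/NotResource ignored (assumption)."""
    decision = "implicit_deny"
    for stmt in _as_list(policy.get("Statement", [])):
        if _grants_action(stmt, action) and any(
                _iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            if stmt.get("Effect") == "Deny":
                return "deny"  # an explicit deny always wins
            decision = "allow"
    return decision

def add_health_check_resource(policy, service):
    """Deep copy of the policy with the page's _cloudtruth_test_* resource added to each Allow statement that grants the check action."""
    action, _, pattern = HEALTH_CHECKS[service]
    fixed = json.loads(json.dumps(policy))
    for stmt in _as_list(fixed["Statement"]):
        if stmt.get("Effect") == "Allow" and _grants_action(stmt, action):
            resources = _as_list(stmt.get("Resource", []))
            if pattern not in resources:
                stmt["Resource"] = resources + [pattern]
    return fixed
```

For an authoritative answer against the real policy set, AWS's IAM policy simulator (the SimulateCustomPolicy and SimulatePrincipalPolicy APIs) also evaluates conditions and the other policy types this example ignores.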

S3

S3 does not need an explicit permission for _cloudtruth_test_. The following example shows how to limit the S3 integration to reading data from a single bucket, YOUR-BUCKET-NAME.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketSelection",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-NAME/*",
                "arn:aws:s3:::YOUR-BUCKET-NAME"
            ]
        }
    ]
}

Copyright © 2023 CloudTruth