Advanced AWS IAM policy permissions
Your organization's security policies may require you to restrict the CloudTruth integration's access to specific resources in your AWS account. CloudTruth verifies integration permissions by querying a key named _cloudtruth_test_. You will need to allow access to _cloudtruth_test_* in the AWS Secrets Manager and SSM inline policies for the integration status to show as connected. Without _cloudtruth_test_* allowed, the integration status will show the following errors:

Secrets Manager Details: Unable to complete a Secrets Manager operation. Please check your IAM policy for the 'secretsmanager:DescribeSecret' permission.
SSM Details: Unable to complete an SSM operation. Please check your IAM policy for the 'ssm:GetParameter' permission.

Below are examples that add the _cloudtruth_test_* resource to your inline policy alongside a sample resource of your own.

AWS Secrets Manager
This example inline policy allows access to all secrets whose names start with the prefix sample and allows the integration health check on _cloudtruth_test_.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    },
    {
      "Sid": "SecretAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:sample*",
        "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"
      ]
    }
  ]
}
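To check that a scoped-down policy still satisfies the health check before attaching it, the following added example (not part of the CloudTruth documentation or product) evaluates the Secrets Manager inline policy above against the actions the integration issues. It implements a minimal identity-policy evaluator with IAM-style wildcards; the region, account ID and the random six-character suffix that Secrets Manager appends to secret ARNs are constructed sample values, and Condition blocks, resource policies and SCPs are not modelled.

```python
import json
import re

# Constructed sample: the Secrets Manager inline policy from this page,
# embedded inline so the check runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListSecrets", "Effect": "Allow",
     "Action": "secretsmanager:ListSecrets", "Resource": "*"},
    {"Sid": "SecretAccess", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": ["arn:aws:secretsmanager:*:*:secret:sample*",
                  "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"]}
  ]
}
""")


def iam_match(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Unlike fnmatch, '[' and ']' are literal, as in IAM."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Single identity policy: explicit Deny wins, then Allow, else implicit deny.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(iam_match(a.lower(), action.lower()) for a in actions):
            continue
        if not any(iam_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def health_check_permitted(policy, region="us-east-1", account="123456789012"):
    """True when the integration's _cloudtruth_test_ probe (DescribeSecret) would succeed.
    Account ID and the '-AbCdEf' suffix are constructed placeholders."""
    arn = f"arn:aws:secretsmanager:{region}:{account}:secret:_cloudtruth_test_-AbCdEf"
    return is_allowed(policy, "secretsmanager:DescribeSecret", arn)
```

Because Secrets Manager appends a random suffix to every secret ARN, a resource entry of exactly `secret:_cloudtruth_test_` without the trailing `*` would fail this check even though the name looks right.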
SSM Parameter Store
This example policy allows access to all parameters whose names start with the prefix sample and allows the integration health check on _cloudtruth_test_.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ParameterList",
      "Effect": "Allow",
      "Action": "ssm:DescribeParameters",
      "Resource": "*"
    },
    {
      "Sid": "ParameterAccess",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:parameter/sample*",
        "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*"
      ]
    }
  ]
}
S3
The S3 integration does not need an explicit permission for _cloudtruth_test_. The following example shows how to limit the S3 integration to reading data only from a specific bucket, YOUR-BUCKET-NAME.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketSelection",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME/*",
        "arn:aws:s3:::YOUR-BUCKET-NAME"
      ]
    }
  ]
}