# Advanced AWS IAM policy permissions

## Creating restrictive IAM integration policies

### Overview

Your organization's security policies may require you to restrict CloudTruth integration access to specific [resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) in your AWS account. CloudTruth verifies integration permissions by querying a key named `_cloudtruth_test_`. You will need to allow access to `_cloudtruth_test_*` in the AWS Secrets Manager and SSM inline policies for the integration status to show as connected.

Without `_cloudtruth_test_*` allowed, the integration status shows the following errors.

{% hint style="danger" %}
**Secrets Manager Details:** Unable to complete a Secrets Manager operation. Please check your IAM policy for the 'secretsmanager:DescribeSecret' permission.
{% endhint %}

{% hint style="danger" %}
**SSM Details:** Unable to complete an SSM operation. Please check your IAM policy for the 'ssm:GetParameter' permission.
{% endhint %}

### **Resolution**

Below are examples that add the `_cloudtruth_test_*` resource to your inline policy alongside a sample application resource.

**AWS Secrets Manager**

This example inline policy allows access to all secrets whose names start with the prefix `sample` and allows the integration health check on `_cloudtruth_test_`. The trailing `*` matters: Secrets Manager appends a random six-character suffix to every secret ARN, so a resource of `secret:_cloudtruth_test_` without the wildcard would never match the health-check secret.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListSecrets",
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        },
        {
            "Sid": "SecretAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:sample*",
                "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"
            ]
        }
    ]
}
```

**SSM Parameter Store**

This example inline policy allows access to all parameters whose names start with the prefix `sample` and allows the integration health check on `_cloudtruth_test_`. `ssm:DescribeParameters` only supports `*` as its resource, which is why it sits in its own statement.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ParameterList",
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Sid": "ParameterAccess",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:parameter/sample*",
                "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*"
            ]
        }
    ]
}
```
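Before pasting a policy into the console, it is worth checking offline that the `_cloudtruth_test_` calls named in the two error messages above are actually allowed. The script below is an added example, not CloudTruth's own code: it is a deliberately small IAM evaluator (Allow/Deny, `*`/`?` wildcards, explicit deny wins, implicit deny otherwise) that embeds the two inline policies above and reports which health-check calls a policy does not grant. The account id `123456789012`, region `us-east-1` and the secret suffix `-AbCdEf` are constructed sample values, and the evaluator refuses policies with `Condition`, `NotAction` or `NotResource`, which it does not model; it is a pre-flight check, not a substitute for the IAM policy simulator or the integration's own status check.

```python
"""Offline pre-flight check: does an inline policy grant the CloudTruth
health-check calls? Simplified IAM evaluator (no Condition/NotAction/
NotResource support). Sample account, region and secret suffix are constructed."""
import json
import re


def _iam_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one (action, resource) pair: an explicit Deny beats any Allow,
    and no matching statement means an implicit deny. Actions are compared
    case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        unsupported = {"Condition", "NotAction", "NotResource"} & stmt.keys()
        if unsupported:
            raise ValueError(f"{stmt.get('Sid', '<no Sid>')}: {sorted(unsupported)} not modelled")
        action_hit = any(_iam_match(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def health_check_gaps(policy: dict, checks) -> list:
    """Return the (action, resource) pairs in `checks` that `policy` does not allow."""
    return [(a, r) for a, r in checks if not is_allowed(policy, a, r)]


def drop_test_key(policy: dict) -> dict:
    """Copy of `policy` with every _cloudtruth_test_ resource removed: the
    misconfiguration that produces the status errors quoted above."""
    narrowed = json.loads(json.dumps(policy))  # cheap deep copy
    for stmt in narrowed["Statement"]:
        stmt["Resource"] = [r for r in _as_list(stmt["Resource"])
                            if "_cloudtruth_test_" not in r]
    return narrowed


ACCOUNT, REGION = "123456789012", "us-east-1"  # constructed sample values
# Secrets Manager appends a random 6-character suffix to the secret name.
TEST_SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:_cloudtruth_test_-AbCdEf"
TEST_PARAM_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/_cloudtruth_test_"

# The calls the two status errors name.
SECRETS_CHECKS = [("secretsmanager:DescribeSecret", TEST_SECRET_ARN)]
SSM_CHECKS = [("ssm:GetParameter", TEST_PARAM_ARN)]

SECRETS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListSecrets", "Effect": "Allow",
     "Action": "secretsmanager:ListSecrets", "Resource": "*"},
    {"Sid": "SecretAccess", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": ["arn:aws:secretsmanager:*:*:secret:sample*",
                  "arn:aws:secretsmanager:*:*:secret:_cloudtruth_test_*"]}]}

SSM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ParameterList", "Effect": "Allow",
     "Action": "ssm:DescribeParameters", "Resource": "*"},
    {"Sid": "ParameterAccess", "Effect": "Allow",
     "Action": ["ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter"],
     "Resource": ["arn:aws:ssm:*:*:parameter/sample*",
                  "arn:aws:ssm:*:*:parameter/_cloudtruth_test_*"]}]}

if __name__ == "__main__":
    for name, policy, checks in [("Secrets Manager", SECRETS_POLICY, SECRETS_CHECKS),
                                 ("SSM", SSM_POLICY, SSM_CHECKS)]:
        print(name, "as written:", health_check_gaps(policy, checks) or "ok")
        print(name, "without _cloudtruth_test_*:",
              health_check_gaps(drop_test_key(policy), checks))
```

To check your own policy, load it with `json.load` in place of the embedded dict and substitute your account id and region in the two ARNs; the random secret suffix can stay as any six characters because the policy's `*` must cover it anyway.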

**S3**

S3 does not need an explicit permission for `_cloudtruth_test_`. The following example limits the S3 integration to reading from a single bucket, `YOUR-BUCKET-NAME`: the bucket ARN covers the bucket-level actions (`s3:ListBucket`, `s3:GetBucketLocation`) and the `/*` ARN covers `s3:GetObject` on the objects inside it.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketSelection",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET-NAME/*",
                "arn:aws:s3:::YOUR-BUCKET-NAME"
            ]
        }
    ]
}
```

