DEV Community

Cover image for Techniques For Writing Least Privilege IAM Policies
πŸš€ Vu Dao πŸš€
πŸš€ Vu Dao πŸš€

Posted on β€’ Edited on

3 3

Techniques For Writing Least Privilege IAM Policies

#devops #aws #iam #policy

  • Least privilege is a principle of granting only the permissions required to complete a task.

  • For example, if you have an Amazon Elastic Compute Cloud (Amazon EC2) instance that needs to access an Amazon Simple Storage Service (Amazon S3) bucket to get configuration data, you should only allow read access to the specific S3 bucket that contains the relevant data.

  • The main elements of a policy statement are:

Effect: Specifies whether the statement will Allow or Deny an action.

Action: Describes a specific action or actions that will either be allowed or denied to run based on the Effect entered. API actions are unique to each service. For example, s3:CreateBucket is an Amazon S3 service API action and IAM action that enables an IAM Principal to create an S3 bucket.

NotAction: Can be used as an alternative to using Action. This element will allow an IAM principal to invoke all API actions to a specific AWS service except those actions specified in this list.

Resource: Specifies the resourcesβ€”for example, an S3 bucket or objectsβ€”that the policy applies to in Amazon Resource Name (ARN) format.

NotResource: Can be used instead of the Resource element to explicitly match every AWS resource except those specified.

Condition: Allows you to build expressions to match the condition keys and values in the policy against keys and values in the request context sent by the IAM principal. Condition keys can be service-specific or global. A global condition key can be used with any service. For example, a key of aws:CurrentTime can be used to allow access based on date and time.

Alt Text

Here is an example of how to set policy for users with AWS access console can rotate their Access keys but not others using Condition combine with tag

  • Add tag to IAM user
    Alt Text

  • Create policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "iam:ListUserPolicies"
            ],
            "Resource": [
                "arn:aws:iam::111111111111:user/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/groupname": "developteam"
                }
            }
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Ref: https://aws.amazon.com/blogs/security/techniques-for-writing-least-privilege-iam-policies/

profile
Sentry
 Promoted

Sentry image

See why 4M developers consider Sentry, β€œnot bad.”

Fixing code doesn’t have to be the worst part of your day. Learn how Sentry can help.

Learn more

Top comments (0)

profile
Pieces.app
 Promoted

A Workflow Copilot. Tailored to You.

Pieces.app image

Our desktop app, with its intelligent copilot, streamlines coding by generating snippets, extracting code from screenshots, and accelerating problem-solving.

Read the docs

Read next

giveitatry profile image

How to Install k3s with High Availability (HA)

giveitatry -

nolunchbreaks_22 profile image

πŸš€ Mastering Docker for DevOps Success 🐳

Osagie Anolu -

ianbrumby profile image

Handling Paginated Results Seamlessly with AWS Step Functions

Ian -

ragul_21 profile image

How to Create a Lambda Function to Export IAM Users to S3 as a CSV File

Ragul.M -

πŸ‘‹ Kindness is contagious

Please leave a ❀️ or a friendly comment on this post if you found it helpful!

Okay