Vu Dao


Techniques For Writing Least Privilege IAM Policies

  • Least privilege is a principle of granting only the permissions required to complete a task.

  • For example, if you have an Amazon Elastic Compute Cloud (Amazon EC2) instance that needs to access an Amazon Simple Storage Service (Amazon S3) bucket to get configuration data, you should only allow read access to the specific S3 bucket that contains the relevant data.

  • The main elements of a policy statement are:

Effect: Specifies whether the statement will Allow or Deny an action.

Action: Describes the specific action or actions that will be allowed or denied, depending on the Effect. API actions are unique to each service. For example, s3:CreateBucket is an Amazon S3 service API action (and the matching IAM action name) that enables an IAM principal to create an S3 bucket.

NotAction: Can be used as an alternative to Action. This element matches every API action of a specific AWS service except those listed, so with an Allow effect it lets an IAM principal invoke all of that service's actions except the ones specified.

Resource: Specifies the resources (for example, an S3 bucket or objects) that the policy applies to, in Amazon Resource Name (ARN) format.

NotResource: Can be used instead of the Resource element to explicitly match every AWS resource except those specified.

Condition: Allows you to build expressions to match the condition keys and values in the policy against keys and values in the request context sent by the IAM principal. Condition keys can be service-specific or global. A global condition key can be used with any service. For example, a key of aws:CurrentTime can be used to allow access based on date and time.


Here is an example of a policy that lets IAM users with console access rotate their own access keys but not other users' keys, using a Condition combined with a tag:

  • Add tag to IAM user

  • Create policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "iam:ListUserPolicies"
            ],
            "Resource": [
                "arn:aws:iam::111111111111:user/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/groupname": "developteam"
                }
            }
        }
    ]
}
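As an added illustration (not code from the post or from AWS), the following Python sketch evaluates requests against the policy above the way the elements described earlier combine: an explicit Deny wins, otherwise a request is allowed only when some Allow statement matches the action, the resource ARN and the StringEquals condition on the resource tag. The request contexts used with it are constructed sample data; only StringEquals and simple `*` wildcards are modelled.

```python
"""Toy evaluator for the IAM policy above (added example, not AWS code).
Models only what the post uses: Allow/Deny, Action/Resource with '*'
wildcards, and a StringEquals condition on a resource tag. Real IAM
matches action names case-insensitively and has many more operators."""
import fnmatch

# The policy from the post, verbatim.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowManageOwnAccessKeys",
        "Effect": "Allow",
        "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey",
                   "iam:ListAccessKeys", "iam:UpdateAccessKey",
                   "iam:ListUserPolicies"],
        "Resource": ["arn:aws:iam::111111111111:user/*"],
        "Condition": {"StringEquals": {"aws:ResourceTag/groupname": "developteam"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Every key in the StringEquals block must equal the request-context
    # value; a key missing from the context never matches.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def statement_matches(stmt, action, resource, context):
    """True if the statement's Action, Resource and Condition all match."""
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt["Resource"])
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources)
            and _condition_matches(stmt.get("Condition", {}), context))


def is_allowed(policy, action, resource, context):
    """IAM evaluation order: explicit Deny wins, then Allow, else implicit deny."""
    matched = [s for s in policy["Statement"]
               if statement_matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)
```

Running the evaluator also makes one property of the policy visible: the condition is on the tag of the target user, so any principal holding this policy can manage the keys of every user tagged groupname=developteam, not only its own; restricting to the caller's own user additionally requires narrowing the Resource ARN to the caller.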

Ref: https://aws.amazon.com/blogs/security/techniques-for-writing-least-privilege-iam-policies/
