Reducing broad AWS IAM policy permissions.
Article ID: 399485

Products

CloudHealth

Issue/Introduction

Asterisks (*) within an AWS IAM policy act as wildcards and grant permission to all resources.

Examples:

cloudwatch:Get*

iam:Get*

s3:Get*

Resolution

Broad policies can be restricted by replacing the wildcard (*) permission with the specific, granular permissions that fall under it.

Example: Instead of using iam:Get*, the policy should list each desired permission that falls under it.

  • iam:Get*
      • iam:GetUser
      • iam:GenerateCredentialReport
      • iam:GetCredentialReport
      • iam:ListGroups
      • iam:GetGroup
      • iam:ListUsers
      • iam:ListPolicies
      • iam:GetPolicy
      • iam:GetRole
      • iam:ListRoles
      • iam:GetAccountPasswordPolicy
      • iam:ListServerCertificates
      • iam:ListVirtualMFADevices
      • iam:ListMFADevices
      • iam:ListAccessKeys
      • iam:GetAccountSummary
      • iam:ListEntitiesForPolicy
      • iam:GetPolicyVersion
      • iam:List
      • iam:Get

Note: This is not a complete list of all permissions under iam:Get*.
Note: CloudHealth auto-generated account IAM policies DO make use of (*).
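As an added example (not part of this article or of the CloudHealth product), the script below shows the narrowing step in code: it scans a policy document for wildcard actions and rewrites each one into the explicit actions it matches. The sample policy and the action inventory are constructed for this example; the inventory is deliberately partial (it is drawn from the list above), so a real run would load the full action list for each service from the AWS Service Authorization Reference.

```python
import copy
import fnmatch
import json

# Constructed sample: a broad policy of the kind the article describes.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadIam",
            "Effect": "Allow",
            "Action": ["iam:Get*", "iam:ListUsers"],
            "Resource": "*",
        },
        {
            "Sid": "ReadBuckets",
            "Effect": "Allow",
            "Action": "s3:Get*",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

# Constructed, deliberately partial inventory of actions (assumption: a real
# run would use the complete per-service action list from AWS).
KNOWN_ACTIONS = [
    "iam:GetUser",
    "iam:GetCredentialReport",
    "iam:GetGroup",
    "iam:GetPolicy",
    "iam:GetRole",
    "iam:GetAccountPasswordPolicy",
    "iam:GetAccountSummary",
    "iam:GetPolicyVersion",
    "iam:ListUsers",
    "iam:GenerateCredentialReport",
    "s3:GetObject",
    "s3:GetBucketLocation",
]


def _as_list(value):
    """IAM allows Action to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def find_wildcard_actions(policy):
    """Return (Sid, action) pairs for every Action entry that contains '*'."""
    found = []
    for stmt in policy["Statement"]:
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                found.append((stmt.get("Sid", ""), action))
    return found


def expand_action(pattern, known_actions):
    """Expand a pattern such as iam:Get* to the explicit actions it matches.

    IAM matches action names case-insensitively, so compare lower-cased.
    An action without a wildcard expands to itself.
    """
    if "*" not in pattern and "?" not in pattern:
        return [pattern]
    lowered = pattern.lower()
    return sorted(a for a in known_actions if fnmatch.fnmatchcase(a.lower(), lowered))


def narrow_policy(policy, known_actions):
    """Return a copy of the policy with wildcard actions replaced by explicit ones.

    Raises ValueError when a pattern matches nothing in the inventory, so a
    typo or an incomplete inventory cannot silently drop a permission.
    """
    narrowed = copy.deepcopy(policy)
    for stmt in narrowed["Statement"]:
        explicit = []
        for action in _as_list(stmt.get("Action", [])):
            matches = expand_action(action, known_actions)
            if not matches:
                raise ValueError(f"{action} matches no known action")
            explicit.extend(matches)
        # de-duplicate and keep a stable, reviewable order
        stmt["Action"] = sorted(set(explicit))
    return narrowed


if __name__ == "__main__":
    print("wildcard actions:", find_wildcard_actions(BROAD_POLICY))
    print(json.dumps(narrow_policy(BROAD_POLICY, KNOWN_ACTIONS), indent=2))
```

Review the expanded list before deploying it: expansion reproduces exactly what the wildcard already granted, so the actual reduction is the step where you delete the actions the role does not need.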

The following documentation details the more granular policies supported in the Tanzu CloudHealth Platform: List of IAM Role Policies in Tanzu CloudHealth Platform.