You could also write your own policy where you "deny everything" and then have a NotResource listing of the things you need to have access to. This way you could keep using the AWS managed policy (to allow access to services and actions) and then attach your own policy to define the scope of it. In reality, this can easily break things, so please test it carefully first. In the worst case you will also need to define what services and actions your own policy will apply to, effectively rewriting the AWS managed policy :-/
It is fairly common to use 'Resource': '*' in policies for a role of a resource that executes some actions. If the action is not allowed by the role the action will not even be tried.
The restriction is often in the receiving end of the actions (in this case the S3 bucket). In the bucket policy you can specify exactly who is allowed to do what.
So it makes sense to still use the standard AWS managed policies. If you look up some Terraform modules and look for common managed policy names you will see they are often used with resource '*'.
You could create a few other things to restrict access:
- Boundary Permissions (usually used to prevent users from using any 'forbidden' services)
- Security Control Policies (usually used in an organisation to disallow certain things from happening in the member accounts)
Although as said I think in this case it is not necessary.
You should consider implementing what's termed "least privilege", allowing only explicitly-specified principals the actions and resources they need to perform their business function and possibly denying access to all other principals.
A great reference for IAM is Effective IAM
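As an added illustration of the "deny everything, then NotResource what you need" approach from the first answer (not a policy from the thread or from AWS), here is an identity-based policy that is attached alongside the AWS managed policy. It is scoped to S3 because the question concerns a bucket; the bucket name, account id and role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3OutsideAppBucket",
      "Effect": "Deny",
      "Action": "s3:*",
      "NotResource": [
        "arn:aws:s3:::example-app-bucket",
        "arn:aws:s3:::example-app-bucket/*"
      ]
    }
  ]
}
```

The managed policy still grants the actions with Resource "*", while this Deny wins for every S3 ARN not listed. Note the breakage the answer warns about: account-level actions such as s3:ListAllMyBuckets evaluate against the resource "*", which is not in the NotResource list, so they are denied too; on the bucket side, the bucket policy can additionally limit which principals (for example arn:aws:iam::111122223333:role/example-app-role) may read or write the objects.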