I'm trying to limit the actions given within my IAM role statement but it is only working when full access is given (aoss:*
). I'm trying to limit this down to only allow users to have minimum access to the collection.
Below is my working example:
iamRoleStatements:
- Effect: Allow
Action:
- aoss:APIAccessAll
Resource:
- arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
- Effect: Allow
Action:
- aoss:DashboardsAccessAll
Resource:
- arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
- Effect: Allow
Action:
- aoss:*
Resource:
- '*'
I have had a look at the documentation and implemented the full list of actions to then try eliminate one by one, but with the full action list added it is still throwing an error. The example is shown below.
iamRoleStatements:
- Effect: Allow
Action:
- aoss:APIAccessAll
- aoss:DeleteCollection
- aoss:UpdateCollection
Resource:
- arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
- Effect: Allow
Action:
- aoss:DashboardsAccessAll
Resource:
- arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
- Effect: Allow
Action:
- aoss:BatchGetCollection
- aoss:BatchGetVpcEndpoint
- aoss:CreateAccessPolicy
- aoss:CreateCollection
- aoss:CreateSecurityConfig
- aoss:CreateSecurityPolicy
- aoss:CreateVpcEndpoint
- aoss:DeleteAccessPolicy
- aoss:DeleteSecurityConfig
- aoss:DeleteSecurityPolicy
- aoss:DeleteVpcEndpoint
- aoss:GetAccessPolicy
- aoss:GetAccountSettings
- aoss:GetPoliciesStats
- aoss:GetSecurityConfig
- aoss:GetSecurityPolicy
- aoss:ListAccessPolicies
- aoss:ListCollections
- aoss:ListSecurityConfigs
- aoss:ListSecurityPolicies
- aoss:ListTagsForResource
- aoss:ListVpcEndpoints
- aoss:UpdateAccessPolicy
- aoss:UpdateAccountSettings
- aoss:UpdateSecurityConfig
- aoss:UpdateSecurityPolicy
- aoss:UpdateVpcEndpoint
Resource:
- '*'
Any help would be greatly appreciated!
It's returning a 403 Forbidden error.
Am I correct in assuming that the following policies are working properly? By the way, is this policy the one used by IAM users, etc.?