Best practice for creating a broad read-only IAM role

Question

We are trying to streamline our IAM roles into major user tasks and require a role with broad-reaching (but not comprehensive) read-only access.

Trying to write each service and action individually in a custom policy results in a massive policy size, well over the maximum size limit. Condensing these use actions such as Get* doesn't get it anywhere near close still.

We have found the [ReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html) managed policy, but this is far too broad and grants permissions to services such as Billing, KMS etc.

What are the best practices around trying to design a role such as this? We have other similar roles with further expanded permissions planned on top of this, is there an easier way to create these roles or is this simply not the best way to divide role responsibility?

Accepted Answer

Hello.

I thought, how about setting ReadOnlyAccess and using a Permissions boundary to allow only the necessary services?  
For example, if you set ReadOnlyAccess in the IAM policy and set the following Permissions boundary, you can only allow reading to EC2.  
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html  
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}
```

Best practice for creating a broad read-only IAM role

Relevant content