I notice that Ryan grants the Finance IAM group read only access to the entire AWS console, but with the AmazonS3FullAccess plus only the need to see the keys, would it be OK to just put place an inline policy for the
kms:Describe*",
"kms:Get*",
and
"kms:List*" permissions?
1 Answers
Hello Alec,
With Policies there are actions that you need the person to have, and actions that are needed to allow that.
For instance to read an object, the users may need to read the bucket content to find the object. When ever I need to design a tight policy I take a moment and reference the doco which often shows what support actions are needed. Look both by the Services, and by the genera Policy doco.
google: AWS policy actions
The fastest way to understand this is to create a policy and a test user, then start manipulating the Policies and see the effect. (hint: use two browsers or put the test user in an ‘incognito’ window)
Granting Read to all the Console is a simple way of being sure that the users can get to any services. That does not necessarily allow them to see all the details. For instance you may need to add List S3 buckets for them to see what is in the S3 console.
Keep in mind that there are policy actions that impact the access to the service, and actions that effect the visibility of the services, and some are only impacting on the console.
Your proposed policy look reasonable, but I would need to check for any other actions that are related, plus you need to consider the syntax of * vs. /* one is related to the services or object, and the other is things related to or things comprising the service or object.
Rusty
Moderator & Coach
Hi Rusty, thank you very much for the feedback. Assigning only the permissions I referenced in my original post as a custom policy allowed me to complete the exercise, but I definitely appreciate what you are saying here.