Certified Security - Specialty

Sign Up Free or Log In to participate!

Use AWS managed IAM policy and restrict resource

Is it possible to use AWS managed IAM policy (e.g. AmazonS3ReadOnlyAccess) with resource restrictions? I often find that I want to restrict access to resources but there isn’t a easy way to say "read-only" w/o having to individually specify allowed actions. It would be nice to say "s3 read only" (AmazonS3ReadOnlyAccess) for resources matching certain bucket names. It seems like AWS managed policies can only be attached as is which allows access to "*".

2 Answers

No the AWS Managed IAM policies are managed by AWS, so you cannot change them or configure them as you are asking.

You need to create your own custom policies, and they do a tool to help with that: https://awspolicygen.s3.amazonaws.com/policygen.html or you can use their console UI, which has improved significantly over the years.

You can take advantage of the explicit deny by using AWS Managed policy with customer managed policy or inline policy attached to the same role to deny access all other resources except the ones you want to allow access to.


Ok, this sounds it should work. I’ll try it out. Thanks.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?