Certified Security - Specialty


Use AWS managed IAM policy and restrict resource

Is it possible to use an AWS managed IAM policy (e.g. AmazonS3ReadOnlyAccess) with resource restrictions? I often find that I want to restrict access to resources, but there isn't an easy way to say "read-only" without having to individually specify allowed actions. It would be nice to say "s3 read only" (AmazonS3ReadOnlyAccess) for resources matching certain bucket names. It seems like AWS managed policies can only be attached as is, which allows access to "*".

2 Answers

No, the AWS managed IAM policies are managed by AWS, so you cannot change them or configure them as you are asking.

You need to create your own custom policies, and they do have a tool to help with that: https://awspolicygen.s3.amazonaws.com/policygen.html or you can use their console UI, which has improved significantly over the years.

You can take advantage of the explicit deny by using an AWS managed policy together with a customer managed policy or inline policy attached to the same role, to deny access to all other resources except the ones you want to allow access to.

Iyk

OK, this sounds like it should work. I'll try it out. Thanks.
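The explicit-deny pattern described in the second answer, as an added example that is not part of the original thread. The bucket name `example-bucket` is an assumption; the managed policy below is a constructed stand-in that reproduces only the point the question makes (its `Resource` is `"*"`), not the live policy document AWS ships; and `evaluate()` is a deliberately simplified model of how IAM combines identity-based policies (explicit Deny beats Allow, Allow beats the implicit deny), not the real evaluation engine.

```python
import fnmatch
import json

# Constructed stand-in for the AWS managed policy AmazonS3ReadOnlyAccess.
# The real document is owned by AWS and can change; what matters for this
# example is the property the question points out: Resource is "*".
MANAGED_S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*", "s3:Describe*"],
            "Resource": "*",
        }
    ],
}


def deny_outside_buckets(bucket_names):
    """Build the customer managed / inline policy that fences the managed
    policy in: Deny every S3 action on any resource that is NOT one of the
    allowed buckets or an object inside them. Because an explicit Deny wins
    over any Allow, the read-only actions never have to be re-listed."""
    not_resources = []
    for name in bucket_names:
        not_resources.append(f"arn:aws:s3:::{name}")      # the bucket itself
        not_resources.append(f"arn:aws:s3:::{name}/*")    # objects in it
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyS3OutsideAllowedBuckets",
                "Effect": "Deny",
                "Action": "s3:*",
                "NotResource": not_resources,
            }
        ],
    }


def _matches(patterns, value):
    """IAM policy wildcards: '*' is any sequence, '?' is one character."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    """Does this statement cover the (action, resource) pair at all?"""
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _matches(stmt["NotResource"], resource):
        return False
    return True


def evaluate(policies, action, resource):
    """Simplified model of IAM's decision for identity-based policies on one
    principal: any applicable explicit Deny -> denied; otherwise any Allow
    -> allowed; otherwise implicit deny. Conditions, resource policies,
    SCPs and permission boundaries are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


# Both policies attached to the same role, as the answer suggests.
# "example-bucket" is an assumed name for this example.
ROLE_POLICIES = [MANAGED_S3_READ_ONLY, deny_outside_buckets(["example-bucket"])]

if __name__ == "__main__":
    print(json.dumps(deny_outside_buckets(["example-bucket"]), indent=2))
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/reports/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/new.txt"),
        ("s3:ListAllMyBuckets", "*"),
    ]:
        print(f"{action:22} {resource:48} -> {evaluate(ROLE_POLICIES, action, resource)}")
```

Two things the model makes visible that a practitioner should check before relying on the pattern. First, `s3:ListAllMyBuckets` is evaluated against the account-wide resource (`"*"`), which is outside `NotResource`, so the Deny catches it and the console bucket list goes blank for that role; widening the Deny to exempt it trades that convenience for a slightly larger surface. Second, this evaluator ignores conditions, resource-based policies, SCPs and permission boundaries, so the authoritative check is still the real service, for example `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names s3:GetObject --resource-arns arn:aws:s3:::other-bucket/secret.txt`, which should report an explicit deny for resources outside the allowed buckets.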
