This is a question about AWS IAM policies with multiple Actions and multiple Resources (presumably not related). I have a parameter 'myparam' encrypted with 'mykey', and I have the policy below as separate blocks, one for the parameter and one for the key; it works.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:GetParameter"
      ],
      "Effect": "Allow",
      "Resource": "MY-ARN:MY-ACC:parameter/myparam"
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": "MY-ARN:MY-ACC::key/mykey"
    }
  ]
}
As per the documentation, we can combine multiple actions and resources. If I combine them as below, does this work?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ssm:GetParameter",
        "kms:Decrypt"
      ],
      "Resource": [
        "MY-ARN:MY-ACC:parameter/myparam",
        "MY-ARN:MY-ACC::key/mykey"
      ],
      "Effect": "Allow"
    }
  ]
}
How does the Action-to-Resource mapping happen in this case? I couldn't find any documentation on this: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html If I had associated resources or associated Actions then it would make sense. What are your comments on this?
If I combine the same as below, does this work?
Yes it does.
To verify that, I recreated your scenario with mykey and myparam and an inline policy added to the execution role of a test lambda.
As a matter of fact, when you use the IAM console to create such permissions, the inline JSON policy it generates has the second form, not the first one:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"ssm:GetParameter"
],
"Resource": [
"arn:aws:kms:*:xxx:key/e15f691e-5dde-473c-8f24-3af45994aeaf",
"arn:aws:ssm:*:xxx:parameter/myparam"
]
}
]
}
What's more, the order of items in Actions and Resources is irrelevant. Thus you can also have (different action order):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:*:xxx:key/e15f691e-5dde-473c-8f24-3af45994aeaf",
"arn:aws:ssm:*:xxx:parameter/myparam"
]
}
]
}
This means that IAM will test the actions against the resources only if a given resource supports them.
The first form is often preferred, as it's easier to read and manage. If you put everything into one statement, it's difficult to name such a statement, edit it and debug it.
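To make the Action-to-Resource mapping in the answer above concrete, here is an added example that is not part of the original question or answer. It is a deliberately simplified model of IAM's evaluation logic (explicit Deny wins, then any matching Allow, else implicit deny, with `*`/`?` wildcards and case-insensitive action names), not the real policy engine, and the ARNs, account id and key id are constructed placeholders. It evaluates both forms of the policy against the same requests and shows what the combined statement grants "on paper": every action is allowed on every listed resource, so kms:Decrypt on the parameter ARN is nominally allowed, which is harmless because SSM never authorizes KMS actions and KMS never sees SSM resources, exactly the point made above.

```python
import re

# Constructed ARNs with placeholder account and key ids (not real identifiers).
PARAM_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter/myparam"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"

# Form 1: one statement per resource (the asker's original policy).
SEPARATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameter"], "Resource": PARAM_ARN},
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": KEY_ARN},
    ],
}

# Form 2: one statement with both actions and both resources (what the console generates).
COMBINED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "kms:Decrypt"],
            "Resource": [PARAM_ARN, KEY_ARN],
        }
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _glob_to_re(pattern):
    # IAM wildcards: '*' matches any run of characters, '?' matches one; all else literal.
    body = "".join(
        ".*" if c == "*" else ("." if c == "?" else re.escape(c)) for c in pattern
    )
    return "^" + body + "$"


def action_matches(pattern, action):
    # Action names are matched case-insensitively ("SSM:getparameter" == "ssm:GetParameter").
    return re.match(_glob_to_re(pattern.lower()), action.lower()) is not None


def resource_matches(pattern, arn):
    # Resource ARNs are matched case-sensitively in this simplified model.
    return re.match(_glob_to_re(pattern), arn) is not None


def evaluate(policy, action, resource):
    """Simplified IAM decision for one (action, resource) request.

    A statement applies when the request's action matches ANY of its Actions
    and its resource matches ANY of its Resources, i.e. the cross product of
    the two lists. Explicit Deny beats Allow; no match is an implicit deny.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(action_matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(resource_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def nominal_grants(policy, actions, resources):
    """Every (action, resource) pair the policy allows on paper."""
    return {(a, r) for a in actions for r in resources if evaluate(policy, a, r) == "Allow"}


if __name__ == "__main__":
    actions = ["ssm:GetParameter", "kms:Decrypt"]
    resources = [PARAM_ARN, KEY_ARN]
    for name, policy in (("separate", SEPARATE), ("combined", COMBINED)):
        print(name, sorted(nominal_grants(policy, actions, resources)))
```

Running it shows the separate form grants exactly the two pairs that are actually exercised, while the combined form grants all four; the two extra pairs (ssm:GetParameter on a KMS key, kms:Decrypt on an SSM parameter) can never be requested by either service, so both policies behave identically at runtime. Reversing the order of the Action or Resource lists changes nothing, since matching is "any of" in both lists.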