amazon-web-servicesamazon-iamamazon-kmsssm

AWS IAM policy: Multiple Actions and Multiple Resources


It is question on AWS IAM policy, multiple Actions with Multiple Resources (presumably not related). I have parameter 'myparam' encrypted with 'mykey', and I have policy as below separate blocks, one for param and one for key, it works.

{
    {
        "Action": [
            "ssm:GetParameter",
        ],
        "Effect": "Allow",
        "Resource": "MY-ARN:MY-ACC:parameter/myparam"
    },
    {
        "Action": [
            "kms:Decrypt"
        ],
        "Effect": "Allow",
        "Resource": "MY-ARN:MY-ACC::key/mykey"
    }
}

As per documentation, We can combine multiple actions and resources, If I combine the same as below, Does this work?

{
    {
        "Action": [
            "ssm:GetParameter",
            "kms:Decrypt"
        ],

        "Resource": [ 
            "MY-ARN:MY-ACC:parameter/myparam"
            "MY-ARN:MY-ACC::key/mykey"
        ],
        "Effect": "Allow"
    }

}

How the Actions to Resource mapping happens in this case? I couldn't find any documentation on this https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html If I have associated resources or associed Actiosn then it makes sense, What is your comments on this?


Solution

  • If I combine the same as below, Does this work?

    Yes it does.

    To verify that I recreated your scenario with mykey and myparam and an inline policy added to an execution role of a test lambda.

    As a matter of fact, when you are using IAM console to create such permissions, the inline json policy created will have the second form, not the first one:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt",
                    "ssm:GetParameter"
                ],
                "Resource": [
                    "arn:aws:kms:*:xxx:key/e15f691e-5dde-473c-8f24-3af45994aeaf",
                    "arn:aws:ssm:*:xxx:parameter/myparam"
                ]
            }
        ]
    }
    

    What's more the order of items in Actions to Resources is irrelevant. Thus you can also have (different action order):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameter",
                    "kms:Decrypt"
                ],
                "Resource": [
                    "arn:aws:kms:*:xxx:key/e15f691e-5dde-473c-8f24-3af45994aeaf",
                    "arn:aws:ssm:*:xxx:parameter/myparam"
                ]
            }
        ]
    } 
    

    This means that IAM will test the actions to resources only if a given resource supports them.

    The first form if often preferred, as it's easier to read and manage. If you put everything into one statement, its difficult to name such a statement, edit it and debug.