Tags: amazon-web-services, amazon-iam, aws-parameter-store, aws-iam-policy

IAM Policy for Parameter Store using Parameter tag


I am quite new to the whole AWS ecosystem, so please bear with me. I am trying to come up with an IAM policy by which I will allow certain groups to manage parameters in AWS Systems Manager Parameter Store.

I will have a group for each "supplier", and they will have the opportunity to manage (get, update, remove) only parameters with the corresponding tag.

Supplier1 -> parameter1 with tag Supplier:Supplier1 // with tag name Supplier and tag value Supplier1
Supplier1 -> parameter2 with tag Supplier:Supplier1
Supplier2 -> parameter3 with tag Supplier:Supplier2
Supplier2 -> parameter4 with tag Supplier:Supplier2
Supplier3 -> parameter5 with tag Supplier:Supplier3

So Supplier1 would be able to get parameter1 & parameter2 and would also have the option to edit or even delete these parameters; the same goes for the other suppliers and their corresponding parameters.

I came up with this kind of policy definition. I assigned it to user Supplier1 and then I created a parameter in Parameter Store (using my root account) that I tagged with tag name Supplier and value Supplier1.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:DeleteParameter",
                "ssm:PutParameter"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ssm:ResourceTag/Supplier": "Supplier1"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "ssm:GetParameter",
                "ssm:DeleteParameter",
                "ssm:PutParameter"
            ],
            "Resource": "*"
        }
    ]
}

But when I log in as Supplier1 I can see all tags that are created (due to DescribeParameters, because I could not figure out if it is possible to filter by tags), but after clicking on the required parameter I get the following error: User: arn:aws:iam::XXXXXXXXXXXX:user/Supplier1 is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-north-1:XXXXXXXXXXXX:parameter/dev/ai/parameter1 with an explicit deny in an identity-based policy

Could you please help me out?

Thanks in advance :)


Solution

  • The issue here is that your Deny policy overrides all Allow policies because in AWS IAM, an explicit deny always has precedence over an allow. Check the documentation to learn more about the AWS IAM policy evaluation logic.

    Try the following policy instead:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ssm:DescribeParameters",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameter",
                    "ssm:DeleteParameter",
                    "ssm:PutParameter"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ssm:ResourceTag/Supplier": "Supplier1"
                    }
                }
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ssm:GetParameter",
                    "ssm:DeleteParameter",
                    "ssm:PutParameter"
                ],
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {
                        "ssm:ResourceTag/Supplier": "Supplier1"
                    }
                }
            }
        ]
    }
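To make the evaluation-order point concrete, here is an added example (not part of the question or answer, and not AWS code) that models only the IAM rules relevant here: an explicit Deny always wins, an Allow is otherwise required, and with neither the request is implicitly denied. The policies, tag sets and the `evaluate` helper are constructed for illustration; `Resource` is assumed to be `*` as in the question.

```python
# Toy model of the IAM evaluation rules that matter for the policies above
# (added example, not AWS code). Only StringEquals / StringNotEquals on
# ssm:ResourceTag/<key> are modelled and Resource is assumed to be "*".
ACTIONS = ["ssm:GetParameter", "ssm:DeleteParameter", "ssm:PutParameter"]
TAG_PREFIX = "ssm:ResourceTag/"

def condition_holds(condition, tags):
    """True when every condition entry matches the resource's tags."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = tags.get(key[len(TAG_PREFIX):])  # None if tag is absent
            if operator == "StringEquals" and actual != expected:
                return False  # an absent tag never equals anything
            if operator == "StringNotEquals" and actual == expected:
                return False  # an absent tag counts as "not equal"
    return True

def evaluate(policy, action, tags):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in acts or not condition_holds(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # nothing can override an explicit deny
        decision = "allow"
    return decision

def supplier_policy(supplier):
    """Constructed corrected policy: tag-scoped Allow plus Deny for other tags."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ACTIONS, "Resource": "*",
         "Condition": {"StringEquals": {TAG_PREFIX + "Supplier": supplier}}},
        {"Effect": "Deny", "Action": ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals": {TAG_PREFIX + "Supplier": supplier}}},
    ]}

# The question's original policy: a conditional Allow followed by an
# unconditional Deny, which wins regardless of the tag.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ACTIONS, "Resource": "*",
     "Condition": {"StringEquals": {TAG_PREFIX + "Supplier": "Supplier1"}}},
    {"Effect": "Deny", "Action": ACTIONS, "Resource": "*"},
]}

if __name__ == "__main__":
    own, other = {"Supplier": "Supplier1"}, {"Supplier": "Supplier2"}  # constructed tags
    print(evaluate(ORIGINAL_POLICY, "ssm:GetParameter", own))              # explicit_deny
    print(evaluate(supplier_policy("Supplier1"), "ssm:GetParameter", own))   # allow
    print(evaluate(supplier_policy("Supplier1"), "ssm:GetParameter", other)) # explicit_deny
    print(evaluate(supplier_policy("Supplier1"), "ssm:GetParameter", {}))    # explicit_deny
```

Note that the StringNotEquals Deny also blocks untagged parameters, since a missing tag satisfies a negated operator, and that a policy consisting of the Deny alone still results in an implicit deny because no Allow grants the action.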