12

It is question on AWS IAM policy, multiple Actions with Multiple Resources (presumably not related). I have parameter 'myparam' encrypted with 'mykey', and I have policy as below separate blocks, one for param and one for key, it works. 

{
    {
        "Action": [
            "ssm:GetParameter",
        ],
        "Effect": "Allow",
        "Resource": "MY-ARN:MY-ACC:parameter/myparam"
    },
    {
        "Action": [
            "kms:Decrypt"
        ],
        "Effect": "Allow",
        "Resource": "MY-ARN:MY-ACC::key/mykey"
    }
}

As per documentation, We can combine multiple actions and resources, If I combine the same as below, Does this work? 

{
    {
        "Action": [
            "ssm:GetParameter",
            "kms:Decrypt"
        ],

        "Resource": [ 
            "MY-ARN:MY-ACC:parameter/myparam"
            "MY-ARN:MY-ACC::key/mykey"
        ],
        "Effect": "Allow"
    }

}

How the Actions to Resource mapping happens in this case? I couldn't find any documentation on this https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html If I have associated resources or associed Actiosn then it makes sense, What is your comments on this?

Krishna
  • 501
  • 1
  • 8
  • 17

1 Answers1

14

If I combine the same as below, Does this work?

Yes it does.

To verify that I recreated your scenario with mykey and myparam and an inline policy added to an execution role of a test lambda.

As a matter of fact, when you are using IAM console to create such permissions, the inline json policy created will have the second form, not the first one:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:kms:*:xxx:key/e15f691e-5dde-473c-8f24-3af45994aeaf",
                "arn:aws:ssm:*:xxx:parameter/myparam"
            ]
        }
    ]
}

What's more the order of items in Actons to Resources is irrelevant. Thus you can also have (different action order):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:*:xxx:key/e15f691e-5dde-473c-8f24-3af45994aeaf",
                "arn:aws:ssm:*:xxx:parameter/myparam"
            ]
        }
    ]
}

This means that IAM will test the actions to resources only if a given resource supports them.

The first form if often preferred, as its easier to read and manage. If you put everything into one statement, its difficult to name such a statement, edit it and debug.

Marcin
  • 215,873
  • 14
  • 235
  • 294
  • @Krishna No problem. Hope it helps to clarify the issue. – Marcin May 22 '20 at 03:32
  • Hi Marcin - Just a question: if I have parameters say myparam1 and myparam2, In resource section, If I have below line, "MY-ARN:MY-ACC:parameter/myparam/*" I believe 'getParameter' will get access to both parameters. But what about this line, "MY-ARN:MY-ACC:parameter/myparam*" Will 'getParameter' get access both parameters? – Krishna May 22 '20 at 22:02