
I work in an organization where IAM is managed by a team and I have to ask them to add specific permissions for me to be able to perform a task. And they will never give anyone full access to a specific service, and I fully agree with that stance. What I have often faced is that I have to make multiple requests over multiple iterations, because as I get a permission error and get that fixed, I face more permission issues. What is the easiest way to know which permissions I will need beforehand?

Shahad Ishraq
  • Your required permissions are directly related to the API calls being made. Are you calling AWS from your own app? Or are you just using it from the management console? – John Rotenstein Jul 08 '21 at 06:20
  • Let’s say I’m setting something up for the first time through the management console – Shahad Ishraq Jul 08 '21 at 08:24
  • Management Console permissions are HARD. Depending upon the service, the console often retrieves a lot of data, such as counts, statuses, names, statistics, etc. There's no real way to predict what underlying API calls it will make. You could try going to the console, then waiting a few minutes and looking at the logs in **AWS CloudTrail**, which _should_ list the API calls made by the console. That would give you an idea of the permissions that are required. – John Rotenstein Jul 08 '21 at 08:41

1 Answer


It depends on what you are trying to achieve with any specific service.

To know what permissions you need, you need to understand what operations you plan to perform on the said resource as a given Principal.

For example, the policy below only allows PutObject and PutObjectAcl on the given Resource (i.e. the awsexamplebucket1 S3 bucket), and it is granted to the Principal (i.e. IAM user Dave).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345678901:user/Dave"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::awsexamplebucket1/*"
        }
    ]
}

Follow the PARC model for any service access (Principal, Action, Resource, Condition).

Read more about this at policies and permissions

Sangam Belose
  • Creating an exhaustive list before getting the work done can be tough sometimes. Let's say I want to create a Pinpoint event stream that streams to Kinesis Firehose, which then flushes the data into S3. If I try to set these up through the management console, I will need permissions for some actions that are not trivially guessed. For example creating and attaching a role, or listing roles to be attached to a Lambda. It often becomes cumbersome to scroll through the list of all possible actions in a service and choose the necessary ones. – Shahad Ishraq Jul 08 '21 at 08:32
  • There is another approach to that. When you are in development, use AWS managed policies and try to build the happy flow for your application (non-prod), and then go for the least-access mechanism using a custom policy. Or if your use case is common then you may find a template for that. But I don't see any ready solution which will be applicable in all cases. – Sangam Belose Jul 08 '21 at 13:16
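The two suggestions on this page fit together: mine CloudTrail for the API calls the console actually made (John Rotenstein's comment on the question), then express the result in PARC form as in the answer's policy. The script below is an added example, not code from the original post or from AWS. It runs over a handful of constructed CloudTrail-style records embedded inline (real field names, made-up values), separates calls that succeeded from calls that were denied, maps each `eventSource`/`eventName` pair to an IAM action string, and emits a draft policy grouping actions by the resources they touched. Two caveats a practitioner should keep in mind: a few services' `eventSource` prefixes differ from their IAM prefix (only the `monitoring` to `cloudwatch` case is handled here), and CloudTrail does not record data-plane events such as S3 object operations unless data event logging is enabled, so the output is a starting point for the request to the IAM team, not a finished least-privilege policy.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records for this example. Field names follow
# the CloudTrail record format; account IDs, ARNs and names are made up.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "resources": []},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "resources": [{"ARN": "arn:aws:s3:::awsexamplebucket1/report.csv"}]},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListRoles", "resources": []},
    {"eventSource": "iam.amazonaws.com", "eventName": "PassRole",
     "errorCode": "AccessDenied",
     "resources": [{"ARN": "arn:aws:iam::111122223333:role/example-role"}]},
    {"eventSource": "firehose.amazonaws.com", "eventName": "CreateDeliveryStream",
     "errorCode": "AccessDeniedException", "resources": []},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "GetMetricData",
     "resources": []},
    # Sign-in events are not IAM actions and are skipped below.
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "resources": []},
]

DENIED_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}
IGNORED_SOURCES = {"signin.amazonaws.com"}
# eventSource prefixes that do not match the IAM service prefix. Only the
# CloudWatch case is listed; extend this for other services as you meet them.
SOURCE_TO_IAM_PREFIX = {"monitoring": "cloudwatch"}


def iam_action(event):
    """Map eventSource/eventName to an IAM action string, e.g. 's3:PutObject'."""
    prefix = event["eventSource"].split(".", 1)[0]
    prefix = SOURCE_TO_IAM_PREFIX.get(prefix, prefix)
    return f"{prefix}:{event['eventName']}"


def summarize(events):
    """Return (succeeded, denied), each mapping action -> set of resource ARNs.

    Denied calls are the ones that would have produced the 'one more
    permission error' loop described in the question, so they are reported
    separately even though both sets end up in the draft policy.
    """
    succeeded, denied = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["eventSource"] in IGNORED_SOURCES:
            continue
        arns = {r["ARN"] for r in ev.get("resources", []) if "ARN" in r} or {"*"}
        target = denied if ev.get("errorCode") in DENIED_CODES else succeeded
        target[iam_action(ev)].update(arns)
    return succeeded, denied


def generalize(arn):
    """Widen an S3 object ARN to 'bucket/*' so the policy covers all keys."""
    if arn.startswith("arn:aws:s3:::") and "/" in arn:
        return arn.split("/", 1)[0] + "/*"
    return arn


def build_policy(actions, principal_arn=None):
    """Build a PARC-style policy with one statement per distinct resource set.

    With principal_arn set the statements carry a Principal, like the
    bucket policy in the answer above; without it the result is an
    identity-based policy suitable for attaching to the requesting user.
    """
    by_resource = defaultdict(set)
    for action, arns in actions.items():
        by_resource[tuple(sorted(generalize(a) for a in arns))].add(action)
    statements = []
    for i, (resources, acts) in enumerate(sorted(by_resource.items()), 1):
        stmt = {"Sid": f"statement{i}", "Effect": "Allow"}
        if principal_arn:
            stmt["Principal"] = {"AWS": principal_arn}
        stmt["Action"] = sorted(acts)
        stmt["Resource"] = list(resources) if len(resources) > 1 else resources[0]
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    ok, denied = summarize(SAMPLE_EVENTS)
    print("denied during the trial run:", sorted(denied))
    print(json.dumps(build_policy({**ok, **denied}), indent=4))
```

Run it against records exported from the CloudTrail console or `lookup-events`, and the `denied` set is the list of permissions that would otherwise have surfaced one request at a time.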