Least privilege IAM policy for an application on AWS

14642 views

                  {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::codesnips-assets-production/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": ["arn:aws:kms:us-east-1:123456789012:key/abcd-1234"]
    }
  ]
}

Cloud IAM mistakes become high-impact quickly, so I keep policies narrow and resource-scoped. Wildcards are convenient until they become an incident report. The baseline question is always the same: what exact actions on what exact resources does this workload need right now.

Kai Nakamura

More from Kai Nakamura

Least privilege IAM policy for an application on AWS

0 Comments

More from Kai Nakamura