How to reduce the scope of the IAM policy?

[goenning]

Describe the issue

It seems like the current suggestion policy would give the role access to modify all SSM parameters.

Do you have any guidance on how to restrict it to be able to modify only the SSM parameters required by the DataProtection SDK?

Links

https://github.com/aws/aws-ssm-data-protection-provider-for-aspnet

[bhoradc]

Hello @goenning,

You can create IAM policies to restrict access to AWS Systems manager API operations/parameters.

For instance, if we want to allow PutParameter SSM operation for parameters that begin with put*, you can restrict this access at the parameter/resource level in IAM policy as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "rule1",
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter",
                "ssm:GetParametersByPath"
            ],
            "Resource": "arn:aws:ssm:<region>:<account-id>:parameter/put*"
        }
    ]
}

And then when you execute below snippet to create/update parameter to the parameter store, it will only insert parameter having Names starting with put*.

public async Task UpdateParameter()
  {
      using (var client = new AmazonSimpleSystemsManagementClient())
      {
          await client.PutParameterAsync(new PutParameterRequest()
          {
              Name = "putnewparameter",
              DataType = "text",
              Type = ParameterType.String,
              Value = "valueformyparameter",
              Overwrite = true
          });
      }
  }

You will find more information on the Systems manager parameter access on this user guide. Please let me know if this information helps or if you are looking for any other specific details.

Regards,
Chaitanya

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.