I want to create an IAM role with a read-only policy (arn:aws:iam::aws:policy/ReadOnlyAccess).
In order to prevent access to all objects on all buckets, I added a Deny section in Cloudformation template:
ReadOnlyAccessRole:
  Type: AWS::IAM::Role
  Properties:
    Path: /
    RoleName: read-only-role
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Ref AwsAccount
          Action: sts:AssumeRole
        - Effect: Deny
          Sid: DenyS3GetObject
          Action: s3:GetObject
          Resource: "arn:aws:s3:::/*"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/ReadOnlyAccess"
I get a "MalformedPolicyDocument" error in the Deny section (Resource).
I already tested these options:
Resource: "*"
Resource: "arn:aws:s3:::/*"
Resource: "arn:aws:s3:::prefix-bucket*"
Do you have any idea about this syntax error?
EDIT:
Error from Cloudformation:
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: ......; Proxy: null)
CodePudding user response:
You seem to be missing the Policies section.
Try something like this:
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  # Assumed parameter: the account referenced by !Ref AwsAccount below.
  AwsAccount:
    Type: String
Resources:
  MyTestRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: read-only-role
      # Trust policy: says only who may assume the role; no Resource field is allowed here.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref AwsAccount
            Action: sts:AssumeRole
      # Permission policy: the Deny belongs here, where Resource is valid.
      Policies:
        - PolicyName: EmbeddedInlinePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Deny
                Action: s3:GetObject
                Resource: '*'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
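As an added example (not part of the question or the answer above), a small Python check that catches this mistake before CloudFormation does: it walks a template already parsed into dicts (a `!Ref` appears as `{"Ref": ...}`, as it would in a JSON template) and flags trust-policy statements that carry Resource or a Deny effect. The two embedded templates are constructed to mirror the question and the answer.

```python
# Fields allowed in an AssumeRolePolicyDocument statement. Resource and
# NotResource are "prohibited fields" there: a trust policy names who may
# assume the role, never which resources they may touch.
TRUST_FIELDS = {"Sid", "Effect", "Principal", "NotPrincipal",
                "Action", "NotAction", "Condition"}

def statements(doc):
    """Normalise Statement, which IAM allows as a single object or a list."""
    st = doc.get("Statement", [])
    return st if isinstance(st, list) else [st]

def check_role(name, props):
    """Return findings for one AWS::IAM::Role's Properties block."""
    findings = []
    for i, st in enumerate(statements(props.get("AssumeRolePolicyDocument", {}))):
        extra = sorted(set(st) - TRUST_FIELDS)
        if extra:
            findings.append(f"{name}: trust statement {i} has prohibited field(s) {extra}")
        if not ({"Principal", "NotPrincipal"} & set(st)):
            findings.append(f"{name}: trust statement {i} has no Principal")
        if st.get("Effect") == "Deny":
            findings.append(f"{name}: trust statement {i} is a Deny; put permission denies under Policies")
    return findings

def check_template(template):
    """Collect findings for every IAM role in the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            findings.extend(check_role(name, res.get("Properties", {})))
    return findings

TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                  "Principal": {"AWS": {"Ref": "AwsAccount"}}}]}
DENY = {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}

# Constructed input mirroring the question: the Deny sits inside the trust policy.
BROKEN = {"Resources": {"ReadOnlyAccessRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": TRUST["Statement"] + [DENY]},
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}}}}

# Constructed input mirroring the answer: the Deny moved into an inline policy.
FIXED = {"Resources": {"MyTestRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": TRUST,
    "Policies": [{"PolicyName": "EmbeddedInlinePolicy",
                  "PolicyDocument": {"Version": "2012-10-17", "Statement": [DENY]}}],
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}}}}
```

Running `check_template(BROKEN)` reports three findings on the second trust statement, while `check_template(FIXED)` returns an empty list.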