I am trying to understand resource-based policies in IAM.
I understand: it is attached to a resource like S3, KMS, Secrets Manager, etc.
My question is: what is the significance of Resource in a resource-based policy?
For example, a permission policy for AWS Secrets Manager (https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-resource-policy/):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Principal": {"AWS": "arn:aws:iam::123456789999:user/Mary"},
      "Resource": "*"
    }
  ]
}
Here the Resource is *, or the resource can be the ARN of the Secrets Manager secret. (Is there any other value allowed in this case?) For S3 I can think of the root bucket or other prefixes.
So my question is: what is the use case for Resource here? Please let me know if I am reading it wrong.
Thanks in advance.
CodePudding user response:
Looking in the User Guide, you can see:
Resource: which secrets they can access. See Secrets Manager resources.
The wildcard character (*) has different meaning depending on what you attach the policy to:
- In a policy attached to a secret, * means the policy applies to this secret.
- In a policy attached to an identity, * means the policy applies to all resources, including secrets, in the account.
So in the case where it is attached to the secret, it effectively has no meaning that differs from *, but it is when you attach it to an identity that it becomes more useful. Then you can give differing identities different action permissions on various secrets.
CodePudding user response:
Resource is the resource that the policy refers to. It allows for more fine grained control over policies.
Take an example- You host several DynamoDB tables, each of which have multiple indexes. You want to grant users in group A access to some of the tables, along with their indexes.
You want to give users in group B access to a single table, but none of the indexes.
And you want to give users in group C access to a single table, along with all 3 of its indexes.
When you specify the resource in the policy for group A:
"Resource": ["arn::<table-a-arn>/", "arn::<table-b-arn>/", "arn::<table-b-arn>/index/gsi1"]
The resource policy for group B: "Resource": "arn::<table-c-arn>/"
And for group C: "Resource": ["arn::<table-a-arn>/", "arn::<table-a-arn>/index/*"]
Another use case is for explicit denies. An explicit deny always overrides an implicit allow. If you grant full access to EC2 in an account with a policy with EC2 permissions with "Resource": "*", but there is a single instance that you want to limit access to by the entity to which you are applying the policy, you would also add a deny statement to the policy with "Resource": "<some-super-private-instance>".
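To make the two answers concrete, here is a small Python model of the rules they describe: wildcard matching on Action and Resource, "*" in a resource-based policy meaning only the resource the policy is attached to, and an explicit Deny beating any Allow. This is an added example, not code from the question, from either answer, or from AWS; it is a deliberately simplified evaluator for a principal in the same account as the resource, and the ARNs, user names and table names are made up for the example. Conditions, NotAction/NotResource, SCPs, permission boundaries and cross-account rules are left out.

```python
"""Toy model of how IAM applies the Resource element (added example, not
AWS's evaluation engine). Same-account only; no Conditions, NotAction,
NotResource, SCPs or permission boundaries."""
from fnmatch import fnmatchcase


def iam_glob(pattern, value):
    """IAM-style match: '*' spans any characters (including ':' and '/'),
    '?' matches exactly one. Caller lower-cases actions, which IAM compares
    case-insensitively; ARNs are matched as written."""
    return fnmatchcase(value, pattern)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None:   # identity-based policies carry no Principal
        return True
    if principal == "*":    # everyone / anonymous
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def statement_matches(stmt, action, resource_arn, principal_arn, attached_to=None):
    """True if this statement applies to the request. attached_to is the ARN of
    the resource a resource-based policy is attached to (None for identity
    policies)."""
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    if not any(iam_glob(a, action.lower()) for a in actions):
        return False
    resources = _as_list(stmt["Resource"])
    if attached_to is not None:
        # A resource-based policy can only speak about its own resource, so
        # "*" is shorthand for that resource's ARN, not "everything".
        resources = [attached_to if r == "*" else r for r in resources]
    if not any(iam_glob(r, resource_arn) for r in resources):
        return False
    return _principal_matches(stmt, principal_arn)


def evaluate(principal_arn, action, resource_arn,
             identity_policies=(), resource_policy=None, attached_to=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny'. resource_policy is the
    policy attached to attached_to; statement order does not matter."""
    statements = [(s, None) for p in identity_policies for s in p["Statement"]]
    if resource_policy is not None:
        statements += [(s, attached_to) for s in resource_policy["Statement"]]
    allowed = False
    for stmt, scope in statements:
        if not statement_matches(stmt, action, resource_arn, principal_arn, scope):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # an explicit deny always wins
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# ---- Constructed sample data; every ARN below is made up for this example ----
MARY = "arn:aws:iam::123456789999:user/Mary"
SECRET_A = "arn:aws:secretsmanager:us-east-1:123456789999:secret:prod/db-AbCdEf"
SECRET_B = "arn:aws:secretsmanager:us-east-1:123456789999:secret:prod/api-GhIjKl"
# The question's resource-based policy, attached to SECRET_A.
SECRET_A_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*",
     "Principal": {"AWS": MARY}, "Resource": "*"}]}

TABLE_A = "arn:aws:dynamodb:us-east-1:123456789999:table/TableA"
TABLE_B = "arn:aws:dynamodb:us-east-1:123456789999:table/TableB"
# Identity-based policy in the spirit of "group C": one table plus all its indexes.
GROUP_C_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:Query", "dynamodb:GetItem"],
     "Resource": [TABLE_A, TABLE_A + "/index/*"]}]}

PRIVATE_INSTANCE = "arn:aws:ec2:us-east-1:123456789999:instance/i-0123456789abcdef0"
OTHER_INSTANCE = "arn:aws:ec2:us-east-1:123456789999:instance/i-0fedcba9876543210"
# Broad EC2 allow on "*" with an explicit deny carved out for one instance.
EC2_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": PRIVATE_INSTANCE}]}


def mary_on_secret(requested_secret):
    """Mary's request judged only by SECRET_A's resource policy: its "*"
    expands to SECRET_A, so it grants nothing on any other secret."""
    return evaluate(MARY, "secretsmanager:GetSecretValue", requested_secret,
                    resource_policy=SECRET_A_POLICY, attached_to=SECRET_A)


def group_c_on(resource_arn):
    return evaluate("arn:aws:iam::123456789999:user/carol", "dynamodb:Query",
                    resource_arn, identity_policies=[GROUP_C_POLICY])


def ec2_on(instance_arn):
    return evaluate("arn:aws:iam::123456789999:user/ops", "ec2:TerminateInstances",
                    instance_arn, identity_policies=[EC2_POLICY])
```

Running `mary_on_secret(SECRET_A)` gives Allow while `mary_on_secret(SECRET_B)` is an implicit deny, which is the first answer's point: in a policy attached to a secret, "*" and the secret's own ARN are the only values that can ever match. `group_c_on` shows the table/index wildcard from the second answer, and `ec2_on` shows the Deny statement on one instance overriding the Allow on "*".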