I'm pretty new to AWS so please bear with me.

I currently have this ecs.yaml:

    ...
    ECSSendMessageToSQSRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - ecs-tasks.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: ecs-service
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - ssm:*   # every SSM action ...
                    - s3:*    # ... and every S3 action ...
                  Resource: '*'   # ... on every resource in the account

As you can see, the Policy allows our role to access ALL S3 buckets and ALL SSM functionality.

I would like to change the permissions in such a way that:

  • S3 Buckets: All actions allowed if we own the bucket.
  • SSM: just allow a certain action called GetParameter, for example.

Any orientation on how to tackle this would be greatly appreciated.

Xar

1 Answer

Like this?

    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - ssm:GetParameter   # only this one SSM action
          Resource: '*'
        - Effect: Allow
          Action:
            - s3:*
          Resource:
            - 'arn:aws:s3:::the-bucket'     # bucket-level actions, e.g. s3:ListBucket
            - 'arn:aws:s3:::the-bucket/*'   # object-level actions, e.g. s3:GetObject

Check out the S3 ARN docs for more details on ARN format.

Hope that helps :)

MLu
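To show how the scoped policy fits into a full template, here is an added example of the task role wired to a bucket created in the same stack (this is example code, not from the question or the answer). The bucket resource name `AppBucket`, the `/myapp/` parameter path and the third statement are assumptions for illustration; the third statement goes one step beyond the answer and uses the `s3:ResourceAccount` condition key to express "any bucket this account owns" without naming each bucket.

```yaml
# Added example: least-privilege version of the ECS task role.
# AppBucket and the /myapp/ parameter prefix are assumed names.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  AppBucket:
    Type: AWS::S3::Bucket   # the bucket this stack owns

  ECSSendMessageToSQSRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # SSM: only GetParameter, and only on parameters under /myapp/
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/myapp/*'

              # S3: all actions, but only on the bucket this template created.
              # Bucket-level actions (ListBucket) match the bucket ARN; object-level
              # actions (GetObject, PutObject) match the bucket ARN followed by /*.
              - Effect: Allow
                Action: s3:*
                Resource:
                  - !GetAtt AppBucket.Arn
                  - !Sub '${AppBucket.Arn}/*'

              # Optional (assumed requirement): object access on any bucket this
              # account owns, without listing each bucket. s3:ResourceAccount keeps
              # the wildcard resource from matching buckets in other accounts.
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetObject
                  - s3:PutObject
                Resource: '*'
                Condition:
                  StringEquals:
                    s3:ResourceAccount: !Ref AWS::AccountId
```

If the bucket already exists outside the stack, replace the `!GetAtt`/`!Sub` pair with hardcoded bucket and object ARNs as in the answer above. If the parameters are SecureString values encrypted with a customer-managed KMS key, the task role also needs `kms:Decrypt` on that key; `ssm:GetParameter` alone will fail on the decrypt step.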