0

As we all know, clicking a drop box is annoying. I've been trying to get a general policy stub (a stub that contains all Actions, not just globs) so I can quickly run through and allow / deny for our group policies.

I've looked through the CLI commands and am not seeing anything. I've also looked at the Policy Generator, but it's either clicking everything or *:*, which is bad...

Is there a way to generate a full stub, or somewhere online that someone has generated a full policy stub that I can use? Result should be something like this...

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1496337889000",
            "Effect": "Allow",
            "Action": [
                "discovery:CreateTags",
                "discovery:DeleteTags",
                "discovery:DescribeAgents",
                "discovery:DescribeConfigurations",
                "discovery:DescribeExportConfigurations",
                "discovery:DescribeTags",
                "discovery:ExportConfigurations",
                "discovery:ListConfigurations",
                "discovery:StartDataCollectionByAgentIds",
                "discovery:StopDataCollectionByAgentIds"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1496337865000",
            "Effect": "Allow",
            "Action": [
                "batch:CancelJob",
                "batch:CreateComputeEnvironment",
                "batch:CreateJobQueue",
                "batch:DeleteComputeEnvironment",
                "batch:DeleteJobQueue",
                "batch:DeregisterJobDefinition",
                "batch:DescribeComputeEnvironments",
                "batch:DescribeJobDefinitions",
                "batch:DescribeJobQueues",
                "batch:DescribeJobs",
                "batch:ListJobs",
                "batch:RegisterJobDefinition",
                "batch:SubmitJob",
                "batch:TerminateJob",
                "batch:UpdateComputeEnvironment",
                "batch:UpdateJobQueue"
            ],
            "Resource": [
                "*"
            ]
        },

        .... etc ....

    ]
}
ehime

2 Answers

1

As far as IAM is concerned you have to remember that an implicit deny is in place for each API action. If you want users/groups to have access you need to explicitly allow that action.

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

IAM Policy Evaluation

strongjz

Plus one, yeah I understand. I'm more looking for a dump of all the available actions per service, if that makes sense? I was hoping there'd be a way to programmatically list everything. – ehime Jun 01 '17 at 21:29

1

There is not a programmatically-available list of all actions for all policies, but there does appear to be a one-stop place where all of the available policy actions for all services are documented, as well as their available condition keys. It's one service per page, but all the links are here:

AWS Service Actions and Condition Context Keys for Use in IAM Policies

Michael - sqlbot
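
One way to build the stub the question asks for, once the per-service action lists have been collected from the documentation pages linked above (an added example, not code from either answer; the `ACTIONS` sample, the function names and the 6,144-character default are assumptions of this sketch). Because IAM denies implicitly, deleting an action from the generated output is enough to withhold it.

```python
import json

# Constructed sample: a few actions per service from the question's example.
# A real run would load the full lists collected from the AWS documentation.
ACTIONS = {
    "discovery": ["CreateTags", "DeleteTags", "DescribeAgents", "DescribeTags"],
    "batch": ["SubmitJob", "CancelJob", "TerminateJob", "ListJobs"],
}

def build_statement(service, actions, effect="Allow"):
    """One statement per service with every action spelled out (no globs)."""
    names = sorted(set(actions))
    bad = [n for n in names if "*" in n or "?" in n]
    if bad:
        raise ValueError(f"wildcards not allowed in stub: {service}:{bad}")
    return {
        # Sid may only contain alphanumerics, so drop hyphens from the prefix.
        "Sid": "Stub" + "".join(c for c in service if c.isalnum()),
        "Effect": effect,
        "Action": [f"{service}:{n}" for n in names],
        "Resource": ["*"],
    }

def wrap(statements):
    return {"Version": "2012-10-17", "Statement": statements}

def policy_size(policy):
    """Size of the compact JSON; IAM ignores whitespace when measuring."""
    return len(json.dumps(policy, separators=(",", ":")))

def build_policies(actions_by_service, max_chars=6144):
    """Pack statements into as few policies as fit under max_chars.
    6144 is the managed-policy quota assumed here; check current IAM quotas."""
    policies, statements = [], []
    for service in sorted(actions_by_service):
        stmt = build_statement(service, actions_by_service[service])
        if policy_size(wrap([stmt])) > max_chars:
            raise ValueError(f"{service} alone exceeds {max_chars} characters")
        if statements and policy_size(wrap(statements + [stmt])) > max_chars:
            policies.append(wrap(statements))
            statements = []
        statements.append(stmt)
    if statements:
        policies.append(wrap(statements))
    return policies

if __name__ == "__main__":
    print(json.dumps(build_policies(ACTIONS), indent=4))
```

Splitting by size matters because a stub that lists every action of every service will not fit in a single policy document.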