
In the spirit of providing least privilege permissions I often find myself hunting down required permissions to complete a specific task or providing others with access. Access denial messages in AWS are usually pretty good and list the required permissions. However, at other times the error message can be vague, especially when one service is dependent on another. Is there a better way than trying to complete an action and granting required permissions one by one? Does a list or some sort of tool exist?

  • Turn on CloudTrail and you can look through the CloudTrail logs to see denied actions, probably based on the `userIdentity.arn` field along with `eventName`. You can also look into https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html#what-is-access-analyzer-policy-generation – erik258 Oct 21 '22 at 13:59
  • Refining IAM policies as an administrator is common. AWS has some documentation regarding refining policies with [AWS Access Advisor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html). – TheDataScienceNinja Oct 21 '22 at 14:03
  • To add to what @TheDataScienceNinja said - Access Analyzer actually offers the [capability](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html). – sudo Oct 21 '22 at 14:33
  • Thanks all! I appreciate the responses. – cloudy-cloud Oct 21 '22 at 16:34

1 Answer


AWS now has AWS Access Analyzer, which can be used to generate IAM policies based on IAM users/roles.

Here is the documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html

You can also use the AWS CLI to generate policies based on IAM activity:

aws accessanalyzer start-policy-generation --policy-generation-details principalArn=arn:aws:iam::<account-id>:role/<role-name>

and then, get the generated policies:

aws accessanalyzer get-generated-policy --job-id <job-id>

Another way: you can use the user's access activity in the AWS console to see what that user has and has not been using, and create your policies on that basis.

Ravish
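The two approaches above (reading denied actions out of CloudTrail, as erik258's comment suggests, and deriving a policy from a principal's actual activity, as the answer describes) both reduce to grouping CloudTrail records by `userIdentity.arn` and turning `eventSource` + `eventName` into IAM action names. The script below is an added example, not code from the question, the answer, or AWS; it runs over a constructed CloudTrail extract embedded inline, so the ARNs, account id and events are invented sample data. The service-prefix mapping is a heuristic assumption (first label of `eventSource`), which is right for most services; Access Analyzer's policy generation does this mapping properly and is the better choice when it is available.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail extract (not real log data). Field names follow the
# CloudTrail record format: userIdentity.arn, eventSource, eventName, errorCode.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy-role"},
     "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy-role"},
     "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy-role"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy-role"},
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation"},
    {"userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]})

# Error codes that CloudTrail records for IAM authorization failures; EC2 uses
# its own "Client.UnauthorizedOperation" spelling rather than "AccessDenied".
DENIAL_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}


def iam_action(record):
    """Map eventSource + eventName to an IAM action string such as 's3:PutObject'.

    Assumption: the IAM service prefix is the first DNS label of eventSource.
    That holds for most services but not all, which is why Access Analyzer's
    generated policies are preferable to this heuristic when available.
    """
    prefix = record["eventSource"].split(".")[0]
    return f"{prefix}:{record['eventName']}"


def _collect(cloudtrail_json, keep):
    """Group IAM actions by principal ARN for records that satisfy `keep`."""
    seen = defaultdict(set)
    for rec in json.loads(cloudtrail_json)["Records"]:
        if keep(rec):
            seen[rec["userIdentity"]["arn"]].add(iam_action(rec))
    return {arn: sorted(actions) for arn, actions in seen.items()}


def denied_actions(cloudtrail_json):
    """Actions each principal attempted and was denied: the permissions missing
    from its current policy (the comment's 'look for denied actions' approach)."""
    return _collect(cloudtrail_json, lambda r: r.get("errorCode") in DENIAL_CODES)


def used_actions(cloudtrail_json):
    """Actions each principal successfully called: the baseline for trimming a
    policy down to what is actually used (the answer's 'access activity' approach)."""
    return _collect(cloudtrail_json, lambda r: r.get("errorCode") not in DENIAL_CODES)


def draft_policy(actions):
    """Build an IAM policy document allowing exactly `actions`.

    Resource is '*' only as a placeholder for review; narrow it to the specific
    bucket, key or instance ARNs before attaching the policy.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


if __name__ == "__main__":
    for arn, actions in denied_actions(SAMPLE_CLOUDTRAIL).items():
        print(f"{arn} was denied: {actions}")
        print(json.dumps(draft_policy(actions), indent=2))
    for arn, actions in used_actions(SAMPLE_CLOUDTRAIL).items():
        print(f"{arn} used: {actions}")
```

Two caveats when running this against a real trail export: S3 object-level calls such as `PutObject` only appear in CloudTrail if data-event logging is enabled for the trail (management events alone will not show them), and a denial logged for one service can stem from a dependency on another (the KMS `GenerateDataKey` denial in the sample is the kind of second-order failure the question mentions), so the denied set should be read as a whole rather than one event at a time.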