
AWS Policy deny access on all production resources


In our team, we have both our production and development stack in the same AWS account. These stacks are distinguished by their resource name. For example, we have an S3 bucket example-dev-bucket and example-prod-bucket. All these resources are thus also distinguishable by their ARN, e.g. arn:aws:s3:::example-dev-bucket and arn:aws:s3:::example-prod-bucket. Now I want to create an IAM role that grants access to all resources except for production resources.

To grant access to all resources is easy: I add a policy with the following statement.

Effect: Allow
Action:
  - '*'
Resource:
  - '*'

After allowing all resources, I want to add a policy to deny the production resources. Only doing this for S3 resources works fine, like below.

Effect: Deny
Action:
  - '*'
Resource:
  - 'arn:aws:s3:::*-prod-*'

However, doing this for multiple services all at once does not seem to be valid syntax. I have tried something like *-prod-* and arn:aws:*:*:*:*:*-prod-*.

A possible solution for me is to add each service just like I added the S3 service. However, it's easy to forget services. Rather, I would just have a single line that includes all resources that have -prod- in their ARN.


Solution

  • You can make use of wildcards in resource names to accomplish this.

    For example, if you include the env terms like "Prod" and "Dev" in all your resources, you can create policies including those terms.

    This could be a policy for a Dev role for DynamoDB:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "dynamodb:*",
          "Resource": "arn:aws:dynamodb:us-east-1:account-id:*Dev*"
        },
        {
          "Effect": "Deny",
          "Action": "dynamodb:*",
          "Resource": "arn:aws:dynamodb:us-east-1:account-id:*Prod*"
        }
      ]
    }


    You can do the same for S3 and any other service.

    However, it's easy to forget services.

    Without using tags, there isn't an easy way to cover all services with one policy. The wildcard can't be used in the place of the service itself (e.g. arn:aws:*).

    Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html#reference_policies_elements_resource_wildcards
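As an added example (not part of the answer above, nor an AWS-provided policy), here is the tag-based variant the answer alludes to. It keeps the questioner's "allow everything" statement, adds one service-independent Deny keyed on the global condition key aws:ResourceTag, and keeps a name-based Deny for the services where tags are not available or not applied. The tag key env, the value prod and the list of services in the third statement are assumptions; adjust them to your own tagging convention.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEverythingByDefault",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "DenyAnyResourceTaggedProd",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/env": "prod"
        }
      }
    },
    {
      "Sid": "DenyProdByNameWhereTagsAreMissing",
      "Effect": "Deny",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::*-prod-*",
        "arn:aws:s3:::*-prod-*/*",
        "arn:aws:dynamodb:*:*:table/*-prod-*"
      ]
    }
  ]
}
```

Because an explicit Deny always wins over an Allow, the two Deny statements are evaluated regardless of how broad the Allow is. The tag condition only fires for actions and services that support aws:ResourceTag and only for resources that actually carry the tag, so an untagged production resource is not blocked by the second statement; that is why the third, name-based statement remains useful as a fallback, and why enforcing the tag at creation time (for example through CloudFormation templates) matters. Note also that Action "*" on Resource "*" includes IAM actions, so a role built from this policy could edit its own policy unless iam:* is excluded from the Allow or denied separately.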