Understand what an AWS Managed Policy is and how a simple step can ensure you are using the appropriate one for your need
Have you ever googled AWS managed policies list? What about AWSLambdaExecute statements? Recently, once again, I found myself in a similar situation.
But let's start from the beginning.
What is an AWS Managed Policy?
From its documentation:
An AWS managed policy is a standalone policy that is created and administered by AWS. Standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name. (…) AWS managed policies are designed to provide permissions for many common use cases. (…) AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.
In short, it is a special kind of IAM Policy that is curated and maintained by AWS and enables you to move faster, focusing more on your code and less about permission, leaving the latter to the pros at AWS.
But how do you know if the service you are working with has a managed policy that you can use for your benefit?
Service Specific Managed Policies
Reading the documentation, of course! Let's say the service in question here is AWS Lambda. A quick google search reveals the "Identity-based IAM policies for Lambda" page. There, as you can see below, three different managed policies are suggested:
Let's say you now need to use Amazon Polly so your awesome bot can have an Alexa-like voice. Again, a quick search will take you to its documentation, which lists two managed policies:
Let's move to something more complex and powerful, like theAWS Systems Manager, a service so comprehensive that it almost feels like multiple services in one. Googling will show you there are multiple SSM related AWS Managed Policies to use. What are the statements of AmazonSSMPatchAssociation for instance?
You don't need to exercise your Google-fu
If you know what managed policy you need more information on, you are good: an AWS CLI is all you need. And a bit of copying and paste.
First you run aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AmazonSSMPatchAssociation. See the below:
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AmazonSSMPatchAssociation
{
"Policy": {
"PolicyName": "AmazonSSMPatchAssociation",
"PolicyId": "ANPAZKAPJZG4EWLEL5ZX7",
"Arn": "arn:aws:iam::aws:policy/AmazonSSMPatchAssociation",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Provide access to child instances for patch association operation.",
"CreateDate": "2020-05-13T16:00:42+00:00",
"UpdateDate": "2020-05-13T16:00:42+00:00",
"Tags": []
}
}
Take note of the DefaultVersionId value, v1 in this example. Now, we run aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AmazonSSMPatchAssociation --version-id v1:
aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AmazonSSMPatchAssociation --version-id v1
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:DescribeEffectivePatchesForPatchBaseline",
"Resource": "arn:aws:ssm:*:*:patchbaseline/*"
},
{
"Effect": "Allow",
"Action": "ssm:GetPatchBaseline",
"Resource": "arn:aws:ssm:*:*:patchbaseline/*"
},
{
"Effect": "Allow",
"Action": "tag:GetResources",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ssm:DescribePatchBaselines",
"Resource": "*"
}
]
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2020-05-13T16:00:42+00:00"
}
}
Now we have what we were looking for, the Managed Policy statements. With that information in hand, we can make an informed decision aboutthis Policy matches the use case requirements.
Pro Tip
If you do that enough, this can quickly become a tedious process. So let's fix that. Below you can find a Bash function that takes an AWS Managed Policy name as a parameter and outputs all the information that you might need.
get-managed-policy() { POLICY_NAME="$1"; aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/$POLICY_NAME --version-id $(aws iam get-policy --policy-arn arn:aws:iam::aws:policy/$POLICY_NAME | jq -r '.Policy.DefaultVersionId') ; }
get-managed-policy AmazonSSMPatchAssociation
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:DescribeEffectivePatchesForPatchBaseline",
"Resource": "arn:aws:ssm:*:*:patchbaseline/*"
},
{
"Effect": "Allow",
"Action": "ssm:GetPatchBaseline",
"Resource": "arn:aws:ssm:*:*:patchbaseline/*"
},
{
"Effect": "Allow",
"Action": "tag:GetResources",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ssm:DescribePatchBaselines",
"Resource": "*"
}
]
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2020-05-13T16:00:42+00:00"
}
}
Another possible solution is to get access to all (currently) 973 AWS Managed Policies. The GitHub user Gene Wood was nice enough to write a gist with that list and the code he used to generate it. He also provided us with his code on how he generated it.
There is a problem, though. AWS is always releasing new services and features and this list was last updated almost 3 years ago. How can one have an always up-to-date list of all AWS Managed Policies and all of its statements?
Search No More
So I don't go over this pain again, and so others can also avoid it, I hacked together a simple website that, once a day, updates istself to make sure you have an accessible and updated list of all AWS Managed Policies right from your browser.
Introducing… awsmanagedpolicies.io!
awsmanagedpolicies.io is a simple-to-use, always up-to-date, accessible site that lists all of the AWS Managed Policies in a simple way, with a simple-but-it-works search bar to filter down the list
If you click any of the entries, it expands to show you the definition of said AWS Managed Policy:
If you just need a JSON file that always has the most recent list of AWS Managed Policies and its definitions you can bookmark this link instead!
Architecture
Of course, this website is 100% built on top of AWS and 100% Serverless! Its infrastructure was defined using CDK (TypeScript), and it contains, among other things, a lambda to fetch the latest AWS Managed Policies, an S3 Bucket to host the files, and a CloudFront distribution to serve the content to you.
As soon as I publish its code on GitHub and write an article on how was it to develop the site and how it works, I'll update this article with the links.
Conclusion
AWS Managed Policies are a great way to kick start your newest project. However, always make sure you are using the appropriate one. The best way to do it is verifying its statements via CLI or through the website awsmangedpolicies.io.
Full Disclosure
I decided to finally buy the domain, finalize the website, and write this article a few days ago. I started this project a year and half ago, give or take. Little did I know that today, there is an amazing solution to this problem, created by the AWS Hero Ian Mckay, called aws.permissions.cloud.
I highly recommend going to his site if you need more information than just a list of the AWS Managed Policies and their definitions, but also metrics like how many AWS Managed Policies are there, if a policy might expose a resource to the public, etc.
Top comments (0)