AWS IAM Policy Attachment
This page shows how to write Terraform and CloudFormation for IAM Policy Attachment and write them securely.
aws_iam_policy_attachment (Terraform)
The Policy Attachment in IAM can be configured in Terraform with the resource name aws_iam_policy_attachment. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_iam_policy_attachment" "APIGatewayServiceRolePolicy" {
name = "APIGatewayServiceRolePolicy"
policy_arn = "arn:aws:iam::aws:policy/aws-service-role/APIGatewayServiceRolePolicy"
}
resource "aws_iam_policy_attachment" "AWSAccountActivityAccess" {
resource "aws_iam_policy_attachment" "APIGatewayServiceRolePolicy" {
name = "APIGatewayServiceRolePolicy"
policy_arn = "arn:aws:iam::aws:policy/aws-service-role/APIGatewayServiceRolePolicy"
}
resource "aws_iam_policy_attachment" "AWSAccountActivityAccess" {
resource "aws_iam_policy_attachment" "AWSCodePipelineServiceRole-eu-west-1-symfony-demo-policy-attachment" {
name = "AWSCodePipelineServiceRole-eu-west-1-symfony-demo-policy-attachment"
policy_arn = "arn:aws:iam::755827290206:policy/service-role/AWSCodePipelineServiceRole-eu-west-1-symfony-demo"
groups = []
users = []
roles = ["AWSCodePipelineServiceRole-eu-west-1-symfony-demo"]
Parameters
-
groupsoptional - set of string -
idoptional computed - string -
namerequired - string -
policy_arnrequired - string -
rolesoptional - set of string -
usersoptional - set of string
Explanation in Terraform Registry
Attaches a Managed IAM Policy to user(s), role(s), and/or group(s) !> WARNING: The aws_iam_policy_attachment resource creates exclusive attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other Terraform resources) will have that attached policy revoked by this resource. Consider
aws_iam_role_policy_attachment,aws_iam_user_policy_attachment, oraws_iam_group_policy_attachmentinstead. These resources do not enforce exclusive attachment of an IAM policy.NOTE: The usage of this resource conflicts with the
aws_iam_group_policy_attachment,aws_iam_role_policy_attachment, andaws_iam_user_policy_attachmentresources and will permanently show a difference if both are defined. NOTE: For a given role, this resource is incompatible with using theaws_iam_roleresourcemanaged_policy_arnsargument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and Terraform will show a permanent difference.
Tips: Best Practices for The Other AWS IAM Resources
In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_iam_account_password_policy
Ensure AWS IAM account password policies requires long passwords
It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.
AWS::IAM::Policy (CloudFormation)
The Policy in IAM can be configured in CloudFormation with the resource name AWS::IAM::Policy. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::IAM::Policy
Properties:
PolicyName: LambdaFunctionPolicy
Roles:
- !Ref 'LambdaRole'
PolicyDocument:
Type: AWS::IAM::Policy
Properties:
PolicyName: CmsFrontsPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
Type: "AWS::IAM::Policy"
DependsOn: SSODashboardRole
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
Type: AWS::IAM::Policy
Properties:
PolicyName: ${self:service}_s3_public_policy_${self:provider.stage}
Roles:
- !Ref AuthRole
PolicyDocument:
Type: AWS::IAM::Policy
Properties:
PolicyName: serverless-event-logging
PolicyDocument:
Version: "2012-10-17"
Statement:
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": {
"Ref": "s3PublicPolicy"
},
"Roles": [
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "superadmin-group-s3-policy",
"Roles": [
{
"Fn::Join": [
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": {
"Ref": "s3PublicPolicy"
},
"Roles": [
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": {
"Ref": "s3PublicPolicy"
},
"Roles": [
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": {
"Ref": "s3PublicPolicy"
},
"Roles": [
Parameters
-
Groupsoptional - List -
PolicyDocumentrequired - Json -
PolicyNamerequired - String -
Rolesoptional - List -
Usersoptional - List
Explanation in CloudFormation Registry
Adds or updates an inline policy document that is embedded in the specified IAM user, group, or role.
An IAM user can also have a managed policy attached to it. For information about policies, see Managed Policies and Inline Policies in the IAM User Guide.
The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.
For information about limits on the number of inline policies that you can embed in an identity, see Limitations on IAM Entities in the IAM User Guide.
Frequently asked questions
What is AWS IAM Policy Attachment?
AWS IAM Policy Attachment is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS IAM Policy Attachment?
For Terraform, the mortyre/misc, mortyre/misc and tappoflw/tappo1 source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the victorsalaun/skillbrowser-aws-serverless, guardian/front-pressed-lambda and mozilla-iam/sso-dashboard source code examples are useful. See the CloudFormation Example section for further details.
