AWS IAM Policy
This page shows how to write Terraform for IAM Policy and write them securely.
aws_organizations_policy (Terraform)
The Policy in IAM can be configured in Terraform with the resource name aws_organizations_policy
. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_organizations_policy" "ScpPolicy1" {
name = "scp_account_protection"
description = "scp_account_protection"
content = <<POLICY
{
"Version": "2012-10-17",
resource "aws_organizations_policy" "scp-leave-org" {
name = "scp-leave-org"
description = "This SCP prevents users or roles in any affected account from leaving AWS Organizations, either directly as a command or through the console. "
content = file("polices/scp-leave-org.json")
type = "SERVICE_CONTROL_POLICY"
}
resource "aws_organizations_policy" "ScpPolicy1" {
name = "scp_root_account"
description = "This SCP prevents restricts the root user in an AWS account from taking any action, either directly as a command or through the console. "
content = <<POLICY
{
"Version": "2012-10-17",
resource "aws_organizations_policy" "default_allowed_services" {
name = "default-allowed-services"
description = "Defines a list of approved services. All other services, not included in the list are blocked"
content = <<EOL
{
"Version": "2012-10-17",
resource "aws_organizations_policy" "deny_root_account" {
name = "deny-root-account"
description = "Deny the root user from taking any action"
content = data.aws_iam_policy_document.deny_root_account.json
}
Parameters
-
arn
optional computed - string -
content
required - string -
description
optional - string -
id
optional computed - string -
name
required - string -
tags
optional - map from string to string -
type
optional - string
Explanation in Terraform Registry
Provides a resource to manage an AWS Organizations policy.
Tips: Best Practices for The Other AWS IAM Resources
In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_iam_account_password_policy
Ensure AWS IAM account password policies requires long passwords
It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.
CloudFormation Example
CloudFormation code does not have the related resource.
Frequently asked questions
What is AWS IAM Policy?
AWS IAM Policy is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform.
Where can I find the example code for the AWS IAM Policy?
For Terraform, the c0ldb00t3r/scripts, my-aws-org/aws-scp and nvettore/policytest source code examples are useful. See the Terraform Example section for further details.