Granting Custom Permissions for Amazon Config Users - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Granting Custom Permissions for Amazon Config Users

Amazon Config policies grant permissions to users who work with Amazon Config. If you need to grant different permissions to users, you can attach a Amazon Config policy to an IAM group or to a user. You can edit the policy to include or exclude specific permissions. You can also create your own custom policy. Policies are JSON documents that define the actions a user is allowed to perform and the resources that the user is allowed to perform those actions on.

Read-only access

The following example shows a Amazon managed policy, AWSConfigUserAccess that grants read-only access to Amazon Config.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "config:Get*", "config:Describe*", "config:Deliver*", "config:List*", "config:Select*", "tag:GetResources", "tag:GetTagKeys", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents" ], "Resource": "*" } ] }

In the policy statements, the Effect element specifies whether the actions are allowed or denied. The Action element lists the specific actions that the user is allowed to perform. The Resource element lists the Amazon resources the user is allowed to perform those actions on. For policies that control access to Amazon Config actions, the Resource element is always set to *, a wildcard that means "all resources."

The values in the Action element correspond to the APIs that the services support. The actions are preceded by config: to indicate that they refer to Amazon Config actions. You can use the * wildcard character in the Action element, such as in the following examples:

  • "Action": ["config:*ConfigurationRecorder"]

    This allows all Amazon Config actions that end with "ConfigurationRecorder" (StartConfigurationRecorder, StopConfigurationRecorder).

  • "Action": ["config:*"]

    This allows all Amazon Config actions, but not actions for other Amazon services.

  • "Action": ["*"]

    This allows all Amazon actions. This permission is suitable for a user who acts as an Amazon administrator for your account.

The read-only policy doesn't grant user permission for the actions such as StartConfigurationRecorder, StopConfigurationRecorder, and DeleteConfigurationRecorder. Users with this policy are not allowed to start configuration recorder, stop configuration recorder, or delete configuration recorder. For the list of Amazon Config actions, see the Amazon Config API Reference.

Full access

The following example shows a policy that grants full access to Amazon Config. It grants users the permission to perform all Amazon Config actions. It also lets users manage files in Amazon S3 buckets and manage Amazon SNS topics in the account that the user is associated with.

Note

This policy grants broad permissions. Before granting full access, consider starting with a minimum set of permissions and granting additional permissions as necessary. Doing so is better practice than starting with permissions that are too lenient and then trying to tighten them later.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sns:AddPermission", "sns:CreateTopic", "sns:DeleteTopic", "sns:GetTopicAttributes", "sns:ListPlatformApplications", "sns:ListTopics", "sns:SetTopicAttributes" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketNotification", "s3:GetBucketPolicy", "s3:GetBucketRequestPayment", "s3:GetBucketVersioning", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions", "s3:PutBucketPolicy" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:GetRole", "iam:GetRolePolicy", "iam:ListRolePolicies", "iam:ListRoles", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:CreateServiceLinkedRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": [ "config.amazonaws.com", "ssm.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "config:*", "tag:Get*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:DescribeDocument", "ssm:GetDocument", "ssm:DescribeAutomationExecutions", "ssm:GetAutomationExecution", "ssm:ListDocuments", "ssm:StartAutomationExecution" ], "Resource": "*" } ] }

Controlling User Permissions for Actions on Multi-Account Multi-Region Data Aggregation

You can use resource-level permissions to control a user's ability to perform specific actions on multi-account multi-region data aggregation. The following Amazon Config Aggregator APIs support resource level permissions:

For example, you can restrict access to resource data from specific users by creating two aggregators AccessibleAggregator and InAccessibleAggregator and attaching an IAM policy that allows access to AccessibleAggregator but denies access to InAccessibleAggregator.

IAM Policy for AccessibleAggregator

In this policy, you allow access to the supported aggregator actions for the Amazon Config Amazon Resource Name (ARN) that you specify. In this example, the Amazon Config ARN is arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfigAllow", "Effect": "Allow", "Action": [ "config:BatchGetAggregateResourceConfig", "config:DeleteConfigurationAggregator", "config:DescribeAggregateComplianceByConfigRules", "config:DescribeAggregateComplianceByConformancePacks", "config:DescribeConfigurationAggregatorSourcesStatus", "config:GetAggregateComplianceDetailsByConfigRule", "config:GetAggregateConfigRuleComplianceSummary", "config:GetAggregateConformancePackComplianceSummary", "config:GetAggregateDiscoveredResourceCounts", "config:GetAggregateResourceConfig", "config:ListAggregateDiscoveredResources", "config:PutConfigurationAggregator", "config:SelectAggregateResourceConfig" ], "Resource": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs" } ] }

IAM Policy for InAccessibleAggregator

In this policy, you deny access to the supported aggregator actions for the Amazon Config ARN that you specify. In this example, the Amazon Config ARN is arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfigDeny", "Effect": "Deny", "Action": [ "config:BatchGetAggregateResourceConfig", "config:DeleteConfigurationAggregator", "config:DescribeAggregateComplianceByConfigRules", "config:DescribeAggregateComplianceByConformancePacks", "config:DescribeConfigurationAggregatorSourcesStatus", "config:GetAggregateComplianceDetailsByConfigRule", "config:GetAggregateConfigRuleComplianceSummary", "config:GetAggregateConformancePackComplianceSummary", "config:GetAggregateDiscoveredResourceCounts", "config:GetAggregateResourceConfig", "config:ListAggregateDiscoveredResources", "config:PutConfigurationAggregator", "config:SelectAggregateResourceConfig" ], "Resource": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx" } ] }

If a user of the developer group tries to perform any of these actions on the Amazon Config ARN that you specified, that user will get an access denied exception.

Checking User Access Permissions

To show the aggregators that you have created, run the following Amazon CLI command:

aws configservice describe-configuration-aggregators

When command has successfully completed, you will be able to see the details for all the aggregators associated with your account. In this example, those are AccessibleAggregator and InAccessibleAggregator:

{ "ConfigurationAggregators": [ { "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs", "CreationTime": 1517942461.442, "ConfigurationAggregatorName": "AccessibleAggregator", "AccountAggregationSources": [ { "AllAwsRegions": true, "AccountIds": [ "AccountID1", "AccountID2", "AccountID3" ] } ], "LastUpdatedTime": 1517942461.455 }, { "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx", "CreationTime": 1517942461.442, "ConfigurationAggregatorName": "InAccessibleAggregator", "AccountAggregationSources": [ { "AllAwsRegions": true, "AccountIds": [ "AccountID1", "AccountID2", "AccountID3" ] } ], "LastUpdatedTime": 1517942461.455 } ] }
Note

For account-aggregation-sources enter a comma-separated list of Amazon account IDs for which you want to aggregate data. Wrap the account IDs in square brackets, and be sure to escape quotation marks (for example, "[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\"],\"AllAwsRegions\": true}]").

Attach the following IAM policy to deny access to InAccessibleAggregator, or the aggregator to which you want to deny access.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfigDeny", "Effect": "Deny", "Action": [ "config:BatchGetAggregateResourceConfig", "config:DeleteConfigurationAggregator", "config:DescribeAggregateComplianceByConfigRules", "config:DescribeAggregateComplianceByConformancePacks", "config:DescribeConfigurationAggregatorSourcesStatus", "config:GetAggregateComplianceDetailsByConfigRule", "config:GetAggregateConfigRuleComplianceSummary", "config:GetAggregateConformancePackComplianceSummary", "config:GetAggregateDiscoveredResourceCounts", "config:GetAggregateResourceConfig", "config:ListAggregateDiscoveredResources", "config:PutConfigurationAggregator", "config:SelectAggregateResourceConfig" ], "Resource": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx" } ] }

Next, you can confirm that the IAM policy works for restricting access to rules for a specific aggregator:

aws configservice get-aggregate-compliance-details-by-config-rule --configuration-aggregator-name InAccessibleAggregator --config-rule-name rule name --account-id AccountID --aws-region AwsRegion

The command should return an access denied exception:

An error occurred (AccessDeniedException) when calling the GetAggregateComplianceDetailsByConfigRule operation: User: arn:aws:iam::AccountID:user/ is not authorized to perform: config:GetAggregateComplianceDetailsByConfigRule on resource: arn:aws:config:AwsRegion-1:AccountID:config-aggregator/config-aggregator-pokxzldx

Additional Information

To learn more about creating IAM users, groups, policies, and permissions, see Creating Your First IAM User and Administrators Group and Access Management in the IAM User Guide.