Gist sourcefrog/44f4e6ba2519d56898491c37e265f851, last active March 28, 2024 17:42
AWS IAM tips and traps
- Negated condition operators like `StringNotLike` evaluate to *true* when the condition key is not present at all. So if you want to allow something unless a certain tag value is set, you will by default also allow it when the tag is missing; you need to match the missing-tag case explicitly (e.g. with a `Null` condition) as well.
- Some calls like `DescribeSnapshots` and `DescribeImages` will by default return resources that are not owned by your account but are accessible to it (e.g. public ones); you might need to filter down to see only your own resources.
- `DeleteObject` takes a parameter to delete a non-current object version, but you need the separate `s3:DeleteObjectVersion` permission to use it.
- Similarly, `PutObject` into a bucket with default object locks requires a permission to create the lock(??).
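To make the first trap concrete, here is an added example in Python (not part of the gist): a small model of how the `StringNotLike` and `Null` condition operators treat a missing key, applied to a weak policy and to its corrected form. The evaluator is a deliberately simplified stand-in for IAM's real engine (no explicit Deny, only these two operators), and the tag key `Team`, the action `ec2:StartInstances` and the request contexts are constructed for illustration.

```python
"""Toy IAM condition evaluator demonstrating the StringNotLike missing-key trap.

Added example, not from the gist. Models only StringNotLike and Null; explicit
Deny and the other operators are out of scope. The tag key 'Team' and the
action 'ec2:StartInstances' are illustrative choices, not from the source.
"""
import fnmatch
import json

# Weak policy: intends "allow StartInstances unless the instance is a prod one".
# Because StringNotLike is TRUE when the key is absent, an untagged instance
# is also allowed, which is usually not what was meant.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:StartInstances",
        "Resource": "*",
        "Condition": {
            "StringNotLike": {"aws:ResourceTag/Team": "prod*"},
        },
    }],
}

# Corrected policy: additionally require the tag key to exist.
# In IAM, Null with value "false" means "the key is present".
FIXED_POLICY = json.loads(json.dumps(WEAK_POLICY))  # deep copy
FIXED_POLICY["Statement"][0]["Condition"]["Null"] = {"aws:ResourceTag/Team": "false"}


def _condition_holds(operator, key, value, context):
    """Evaluate one (operator, key, value) triple against the request context.

    Missing keys follow the documented IAM semantics: StringNotLike is true,
    Null tests presence. IAM allows a list of values; a list is OR-ed for
    positive operators and must match none of them for negated ones.
    """
    values = value if isinstance(value, list) else [value]
    present = key in context
    if operator == "Null":
        # "true" -> key must be absent; "false" -> key must be present
        return (not present) if values[0] == "true" else present
    if operator == "StringNotLike":
        if not present:
            return True  # the trap: absent key satisfies the negated operator
        return not any(fnmatch.fnmatchcase(context[key], p) for p in values)
    raise NotImplementedError(operator)


def is_allowed(policy, action, context):
    """True if some Allow statement matches the action and all of its conditions
    hold for the given request context (explicit Deny is not modelled)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, k, v, context)
               for op, kv in conditions.items() for k, v in kv.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed request contexts: a dev instance, a prod instance, an untagged one.
    for name, ctx in [("dev", {"aws:ResourceTag/Team": "dev"}),
                      ("prod", {"aws:ResourceTag/Team": "prod-eu"}),
                      ("untagged", {})]:
        print(name, "weak:", is_allowed(WEAK_POLICY, "ec2:StartInstances", ctx),
              "fixed:", is_allowed(FIXED_POLICY, "ec2:StartInstances", ctx))
```

Running it shows the weak policy allowing the untagged resource while the fixed one does not. Note that the `...IfExists` operator variants go the other way: they relax positive operators like `StringLike` when the key is absent, so they do not help here; requiring presence is what the `Null` condition is for.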