0 votes

I am trying to understand the below policy

 Policies:
    - PolicyName: InstanceIAMPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # First statement: SSM agent APIs, granted on every resource
          - Effect: Allow
            Action:
              - 'ssm:DescribeAssociation'
              - 'ssm:GetDeployablePatchSnapshotForInstance'
              - 'ssm:GetDocument'
              - 'ssm:GetManifest'
              - 'ssm:GetParameters'
              - 'ssm:ListInstanceAssociations'
              - 'ssm:PutComplianceItems'
              - 'ssm:PutConfigurePackageResult'
              - 'ssm:UpdateAssociationStatus'
              - 'ssm:UpdateInstanceAssociationStatus'
              - 'ssm:UpdateInstanceInformation'
            Resource: '*'
          # Second statement (a separate list item, so the keys are not duplicated)
          - Effect: Allow
            Action:
              - 'ec2messages:AcknowledgeMessage'
              - 'ec2messages:FailMessage'
              - 'ec2messages:GetEndpoint'
              - 'ec2messages:GetMessages'
              - 'ec2messages:SendReply'
            Resource: '*'

My question is related to the resource parameter, which is set to *. Does that mean that the actions can be performed on any resource within your AWS infrastructure? I am really new to CloudFormation templates and AWS. Thanks for your help.


2 Answers

1 vote

The short answer is YES.

In your template you have two sections under Statement. Each section defines "allow" actions. For each section you are "allowing" the APIs for ALL RESOURCES. The first section is for SSM and the second is for SSM EC2Messages.

Note: based upon the allow actions, you can merge those two sections together.

This link will help you with CloudFormation Templates:

Working with AWS CloudFormation Templates

1 vote

The CloudFormation template in your question is creating an IAM policy. Your question is really about how wildcards work in IAM policies. The * wildcard in an IAM policy Resource element means that something with this IAM policy applied to it can perform the listed actions against any resource in your AWS account.

The policy appears to be one you would apply to an EC2 instance profile to allow the AWS SSM agent to perform any SSM tasks on that EC2 instance. Since the resource is specified as the * wildcard, the SSM agent could, for example, download any SSM document you send it (ssm:GetDocument). This basically allows the SSM agent to work correctly on the EC2 instance without requiring you to grant it specific access to each thing you need it to do, every time you trigger it in the future.
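Both answers say the same thing in words: with Resource '*', every listed action is allowed against any ARN. The following is an added example, not code from the question or either answer, that makes that concrete by evaluating sample requests against the question's policy (rewritten as a Python dict) and against a hypothetical scoped variant. The account ID 123456789012, the document prefix AppAgent-, the parameter path /app/ and the function names are all assumptions made up for the example; the evaluator implements only the core IAM rules (explicit Deny beats Allow, then implicit deny; '*' and '?' wildcards; case-insensitive action names, case-sensitive ARNs) and ignores Condition, NotAction, NotResource, SCPs and resource policies.

```python
import re

# Constructed example data (not from the original page): the question's policy
# written as the Python equivalent of its YAML, with the second statement as a
# separate list item. Both statements grant their actions on Resource '*'.
INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ssm:DescribeAssociation", "ssm:GetDeployablePatchSnapshotForInstance",
            "ssm:GetDocument", "ssm:GetManifest", "ssm:GetParameters",
            "ssm:ListInstanceAssociations", "ssm:PutComplianceItems",
            "ssm:PutConfigurePackageResult", "ssm:UpdateAssociationStatus",
            "ssm:UpdateInstanceAssociationStatus", "ssm:UpdateInstanceInformation"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2messages:AcknowledgeMessage", "ec2messages:FailMessage",
            "ec2messages:GetEndpoint", "ec2messages:GetMessages",
            "ec2messages:SendReply"]},
    ],
}

# Hypothetical scoped variant (account ID, document prefix and parameter path
# are made up): GetDocument/GetParameters limited to specific ARNs, plus an
# explicit Deny on a sub-path that the Allow would otherwise cover.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:GetDocument", "ssm:GetParameters"],
         "Resource": ["arn:aws:ssm:*:123456789012:document/AppAgent-*",
                      "arn:aws:ssm:*:123456789012:parameter/app/*"]},
        {"Effect": "Deny",
         "Action": "ssm:GetParameters",
         "Resource": "arn:aws:ssm:*:123456789012:parameter/app/secrets/*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    The whole value must match (no implicit prefix matching)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _any_match(patterns, value, ignore_case):
    return any(_wildcard_match(p, value, ignore_case) for p in _as_list(patterns))


def is_allowed(policy, action, resource_arn):
    """Simplified identity-policy evaluation: an explicit Deny always wins, any
    matching Allow grants, anything else is the implicit default deny.
    Action names compare case-insensitively, ARNs case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _any_match(stmt["Action"], action, ignore_case=True):
            continue
        if not _any_match(stmt["Resource"], resource_arn, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def wildcard_resource_statements(policy):
    """Indexes of Allow statements whose Resource includes a bare '*': these
    grant every listed action on every resource in the account."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and "*" in _as_list(s["Resource"])]


if __name__ == "__main__":
    own = "arn:aws:ssm:us-east-1:123456789012:document/AppAgent-Install"
    other = "arn:aws:ssm:us-east-1:123456789012:document/SomethingElse"
    print("wildcard statements:", wildcard_resource_statements(INSTANCE_POLICY))
    print("'*' policy, any document:", is_allowed(INSTANCE_POLICY, "ssm:GetDocument", other))
    print("scoped policy, own document:", is_allowed(SCOPED_POLICY, "ssm:GetDocument", own))
    print("scoped policy, other document:", is_allowed(SCOPED_POLICY, "ssm:GetDocument", other))
```

Running it shows that the question's policy flags both statements as wildcard-resource and lets ssm:GetDocument fetch a document in any account and region, while the scoped variant refuses a document outside the AppAgent- prefix and, through the explicit Deny, a parameter under /app/secrets/ even though /app/* is allowed. Before tightening a real policy this way, check the Service Authorization Reference entry for each action: actions that list no resource type (the ec2messages ones, for instance) only work with Resource '*', which is why such agent policies usually keep the wildcard there and narrow only the actions that accept an ARN.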