Open andreweick opened 2 years ago
Reading objects in S3 should be possible with the ReadOnlyAccess permission set instead of the AWSReadOnlyAccess as it uses the ReadOnly policy instead of the ViewOnly policy.
Would this be enough?
Yes, it should be. Let me check it out.
I was trying to use the "AWSReadOnlyAccess" role. The Role let my users "list buckets" but not the contents of the buckets.
Instead of ReadOnly, I'd like to add a "S3DenyWrite" role.
This Role will Deny anyone from deleting, writing or changing files. (Mostly AWSReadOnlyAccess with added ability to read the files)
I think this would be good because it will document how to create the role, add it to the accounts, and then add users into the roles.
Thoughts @hoegertn ?
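A simplified model of the "S3DenyWrite" idea from the post above, as an added example that is not part of the thread or the project's code: it builds a candidate inline policy and checks it with a reduced IAM evaluation rule (explicit Deny beats Allow, no match is an implicit deny). The statement contents, the `LIST_ONLY` stand-in, the bucket ARN and all function names are assumptions made for illustration; the Deny action list is not exhaustive, and conditions, `NotAction`, bucket policies and SCPs are ignored.

```python
import json
from fnmatch import fnmatchcase

# Constructed stand-in for a list-only grant: buckets can be listed,
# objects cannot be read (the behaviour reported in the thread).
LIST_ONLY = [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
]

# Hypothetical "S3DenyWrite" statements: allow reads, explicitly deny writes.
S3_DENY_WRITE = [
    {"Sid": "AllowS3Read", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Sid": "DenyS3Write", "Effect": "Deny",
     "Action": ["s3:Put*", "s3:Delete*"], "Resource": "*"},
]

SAMPLE_OBJECT = "arn:aws:s3:::example-bucket/report.csv"  # constructed ARN


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; only the '*' wildcard is used here.
    act = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    res = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return act and res


def evaluate(statements, action, resource):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    effects = [s["Effect"] for s in statements if _matches(s, action, resource)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def policy_document(statements):
    """Serialize statements as an IAM policy document (JSON)."""
    return json.dumps({"Version": "2012-10-17", "Statement": statements}, indent=2)


if __name__ == "__main__":
    for name, stmts in (("list-only", LIST_ONLY), ("S3DenyWrite", S3_DENY_WRITE)):
        for action in ("s3:ListAllMyBuckets", "s3:GetObject", "s3:PutObject"):
            print(f"{name:12} {action:22} {evaluate(stmts, action, SAMPLE_OBJECT)}")
    print(policy_document(S3_DENY_WRITE))
```

Because the write block is an explicit Deny, it still applies when a user also holds another policy that allows `s3:*`.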