I'm currently working on IAM and Access and i'm switching from Roles to Permission Set (to use AWS SSO). I have many custom managed policies, that I can't use with Permission Sets now, so I'm using AWS managed policies such as: PowerUserAccess, ViewOnlyAccess etc.
Some of them are pretty close to what i need but have a bit too many actions. Let's take the PowerUserAccess example.
PowerUserAccess gives all GuardDuty action. I want to block all write actions. The perfect AWS managed policy for that is: GuardDutyReadOnlyAccess.
Is there an easy way to do that "substraction"?
PowerUserAccess - "Not"GuardDutyReadOnly?
such as:
ManagedPolicies:
- arn:....:PowerUserAccess
- arn:....:PowerUserAccess - 'not' arn:....:GuarddutyReadOnlyAccess
Or do i have to do an inline policy and reverting the GuarddutyPolicy? I would like to avoid Inline policies if possible.
Thanks!
It doesn't have to be inline, but you will have to created another policy. In your case you probably want to create a customer managed policy that denies the guard duty access, and attach that to the users (or even better, to the groups).
Be aware, there is a subtle side effect of doing a deny. If a deny exist it always wins, so if you decide you want to single out a user and grant him/her access to guard duty you'd have to be sure that the deny policy is NOT attached to that user. You can't just give them another policy that includes access.