Generating a policy based on access activity
You can use the access activity recorded in AWS CloudTrail for an IAM user or IAM role to
have IAM Access Analyzer generate a customer managed policy to allow access to only the services
that specific users and roles need.
When IAM Access Analyzer generates an IAM policy, it also returns information to help you further customize the policy. Two categories of information can be returned when a policy is generated:
- Policy with action-level information – For some AWS services, such as Amazon EC2, IAM Access Analyzer can identify the actions found in your CloudTrail events and lists the actions used in the policy it generates. For a list of supported services, see IAM Access Analyzer policy generation services. For other services, IAM Access Analyzer prompts you to add the actions for those services to the generated policy.
- Policy with service-level information – IAM Access Analyzer uses last accessed information to create a policy template with all of the recently used services. When you use the AWS Management Console, you are prompted to review the services and add actions to complete the policy.
To generate a policy based on access activity
In the following procedure, we reduce the permissions granted to a role so that they match the recorded usage of a user. Choose a user whose activity is representative of what the role is used for. A common approach is to set up a test user with PowerUser permissions, have that user perform a specific set of tasks for a short period, and then generate a policy from that activity to determine which access those tasks actually require.
Console
- Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to AWS in the AWS Sign-In User Guide.
- On the IAM console home page, in the navigation pane, choose Users, then choose the user name to open the user details page. You can also locate the user with the Search IAM text box.
- On the Permissions tab, under Generate policy based on CloudTrail events, choose Generate policy.
- On the Generate policy page, configure the following items:
  - For Select time period, choose Last 7 days.
  - For CloudTrail trail to be analyzed, select the Region and trail where this user's activity is recorded.
  - Choose Create and use a new service role.
- Choose Generate policy, then wait until the role is created. Don't refresh or navigate away from the console page until the Policy generation in progress notification appears.
- After the policy is generated, you must review and customize it: fill in the account IDs and ARNs of the resources it should cover. In addition, the automatically generated policy might not include the action-level information needed to complete the policy. For more information, see IAM Access Analyzer policy generation.
  For example, you might edit the first statement, which has the Allow effect and a NotAction element, so that it allows only Amazon EC2 and Amazon S3 actions. A statement with Allow and NotAction grants every action except the ones listed, so leaving it in place would keep the broad PowerUser-style access you are trying to remove. To narrow it, replace it with the statement with the FullAccessToSomeServices ID. Your new policy could look like the following example policy.
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "FullAccessToSomeServices",
              "Effect": "Allow",
              "Action": [
                  "ec2:*",
                  "s3:*"
              ],
              "Resource": "*"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "iam:CreateServiceLinkedRole",
                  "iam:DeleteServiceLinkedRole",
                  "iam:ListRoles",
                  "organizations:DescribeOrganization"
              ],
              "Resource": "*"
          }
      ]
  }
- To support the best practice of granting least privilege, review and correct any errors, warnings, or suggestions returned during policy validation.
- To further reduce the policy's permissions to specific actions and resources, view the user's events in CloudTrail Event history. There you can see detailed information about the specific actions and resources that the user accessed. For more information, see Viewing CloudTrail Events in the CloudTrail Console in the AWS CloudTrail User Guide.
- After reviewing and validating your policy, save it with a descriptive name.
- Navigate to the Roles page and choose the role that people will assume when they perform the tasks permitted by your new policy.
- Select the Permissions tab, choose Add permissions, and then select Attach policies.
- On the Attach permission policies page, in the Other permissions policies list, select the policy you created, then choose Attach policies.
- You are returned to the Role details page. Two policies are now attached to the role: your previous AWS managed policy, such as PowerUserAccess, and your new policy. Attaching the new policy before removing the old one avoids a window in which the role has no permissions. Select the checkbox for the AWS managed policy and then choose Remove. When asked to confirm the removal, choose Remove.
IAM users, SAML and OIDC federated principals, and workloads that assume this role now have reduced access according to the new policy you created.
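The step above that sends you to CloudTrail Event history is the part of the procedure that cannot be automated by the console: turning a service-level grant such as ec2:* into the specific actions and resources the user actually touched. The following Python script, added here as an illustration and not part of the AWS documentation or any AWS tool, shows that narrowing done mechanically over the page's example policy. The CloudTrail records, account ID, ARNs and bucket name in it are constructed for the example. Its override tables are an assumption you must extend yourself, because CloudTrail's eventSource and eventName do not always equal the IAM service prefix and action name (the S3 ListBuckets event maps to s3:ListAllMyBuckets, and monitoring.amazonaws.com is the CloudWatch service).

```python
import json
from collections import defaultdict

# Constructed CloudTrail records (not real events) standing in for what you would
# see in Event history for the test user over the analyzed period.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "resources": []},
    {"eventSource": "ec2.amazonaws.com", "eventName": "StartInstances",
     "resources": [{"ARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/report.csv"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "resources": []},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "errorCode": "AccessDenied",
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/report.csv"}]},
]

# The page's example policy after the FullAccessToSomeServices edit.
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccessToSomeServices", "Effect": "Allow",
         "Action": ["ec2:*", "s3:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles", "organizations:DescribeOrganization"],
         "Resource": "*"},
    ],
}

# Assumed, deliberately small mapping tables: CloudTrail eventSource/eventName do
# not always equal the IAM service prefix/action name. Extend as you meet more cases.
SERVICE_PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}
ACTION_NAME_OVERRIDES = {("s3", "ListBuckets"): "ListAllMyBuckets"}


def service_prefix(event_source):
    return SERVICE_PREFIX_OVERRIDES.get(event_source, event_source.split(".")[0])


def summarize_activity(events):
    """Collect successful calls per service, the ARNs each action touched, the
    actions that were ever called without a resource ARN, and denied calls."""
    actions = defaultdict(set)      # service prefix -> {"svc:Action", ...}
    resources = defaultdict(set)    # "svc:Action" -> {ARN, ...}
    unscoped = set()                # actions seen at least once with no resource ARN
    denied = []                     # (action, errorCode) for calls that failed
    for ev in events:
        svc = service_prefix(ev["eventSource"])
        name = ACTION_NAME_OVERRIDES.get((svc, ev["eventName"]), ev["eventName"])
        action = f"{svc}:{name}"
        if ev.get("errorCode"):
            denied.append((action, ev["errorCode"]))   # a failed call grants nothing
            continue
        actions[svc].add(action)
        arns = [r["ARN"] for r in ev.get("resources", []) if "ARN" in r]
        if arns:
            resources[action].update(arns)
        else:
            unscoped.add(action)
    return actions, resources, unscoped, denied


def narrow_policy(policy, events):
    """Replace each 'service:*' wildcard with the actions recorded for that
    service, scoping to the recorded ARNs where every call named one."""
    actions, resources, unscoped, denied = summarize_activity(events)
    out = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        acts = stmt.get("Action", [])
        acts = [acts] if isinstance(acts, str) else list(acts)
        for act in acts:
            if not act.endswith(":*"):
                continue
            svc = act[:-2]
            if svc not in actions:
                continue                 # wildcard for a service never called: grant nothing
            scoped = sorted(a for a in actions[svc] if a not in unscoped)
            broad = sorted(a for a in actions[svc] if a in unscoped)
            if scoped:
                arns = sorted(set().union(*(resources[a] for a in scoped)))
                out["Statement"].append({"Sid": f"{svc.capitalize()}ScopedActions",
                                         "Effect": stmt["Effect"], "Action": scoped,
                                         "Resource": arns})
            if broad:
                out["Statement"].append({"Sid": f"{svc.capitalize()}UnscopedActions",
                                         "Effect": stmt["Effect"], "Action": broad,
                                         "Resource": "*"})
        explicit = [a for a in acts if not a.endswith(":*")]
        if explicit:
            out["Statement"].append({**stmt, "Action": explicit})
    return out, denied


if __name__ == "__main__":
    narrowed, denied = narrow_policy(GENERATED_POLICY, SAMPLE_EVENTS)
    print(json.dumps(narrowed, indent=2))
    for action, code in denied:
        print(f"# not granted: {action} was recorded with {code}; investigate before adding it")
```

Two design choices matter here. Calls that CloudTrail recorded with an errorCode are reported but not granted, because the test user evidently did not need them to finish the tasks; if they did, add the permission deliberately after looking at the event. Actions that were ever called without a resource ARN (DescribeInstances, ListAllMyBuckets) stay on "Resource": "*", which is correct for actions that do not support resource-level permissions, while actions that always named a resource are scoped to exactly those ARNs. Treat the output as a draft and run it through policy validation, as the procedure says; the mapping tables and the constructed events are the parts you replace with your own.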
AWS CLI
You can use the following commands to generate a policy using the AWS CLI.
To view a generated policy
To cancel a policy generation request
To view a list of policy generation requests
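As an added example, not taken from the AWS documentation, the following POSIX shell script runs the same procedure with the aws accessanalyzer commands: it starts a policy generation job for a principal, polls get-generated-policy until the job leaves the IN_PROGRESS state, writes the generated policy document to a file, and runs it through validate-policy. Unlike the console, the CLI does not create the service role for you, so the script assumes you already have a role that IAM Access Analyzer can assume to read the trail. The account ID, user, trail and role ARNs are placeholders to replace with your own; the helper names are the script's own.

```sh
#!/bin/sh
# Added example: generate an IAM policy from CloudTrail activity with the AWS CLI.
# All ARNs below are placeholders for this example; override them via the environment.
PRINCIPAL_ARN="${PRINCIPAL_ARN:-arn:aws:iam::111122223333:user/test-poweruser}"
TRAIL_ARN="${TRAIL_ARN:-arn:aws:cloudtrail:us-east-1:111122223333:trail/management-events}"
ACCESS_ROLE_ARN="${ACCESS_ROLE_ARN:-arn:aws:iam::111122223333:role/AccessAnalyzerPolicyGenerationRole}"
REGION="${REGION:-us-east-1}"

# JSON for --policy-generation-details: the user or role whose activity is analyzed.
policy_generation_details_json() {
  printf '{"principalArn":"%s"}' "$PRINCIPAL_ARN"
}

# JSON for --cloud-trail-details: the role Access Analyzer assumes to read the
# trail, the time window ($1 start, $2 end, ISO 8601 UTC) and which trail/Region.
cloudtrail_details_json() {
  printf '{"accessRole":"%s","startTime":"%s","endTime":"%s","trails":[{"cloudTrailArn":"%s","regions":["%s"],"allRegions":false}]}' \
    "$ACCESS_ROLE_ARN" "$1" "$2" "$TRAIL_ARN" "$REGION"
}

# Start a job for the window $1..$2, wait for it, write the policy to file $3,
# then validate the result. Returns non-zero if the job fails or is canceled.
generate_policy() {
  start="$1"; end="$2"; out="$3"
  job_id=$(aws accessanalyzer start-policy-generation \
      --policy-generation-details "$(policy_generation_details_json)" \
      --cloud-trail-details "$(cloudtrail_details_json "$start" "$end")" \
      --query jobId --output text)
  echo "started policy generation job $job_id" >&2
  while :; do
    status=$(aws accessanalyzer get-generated-policy --job-id "$job_id" \
        --query jobDetails.status --output text)
    case "$status" in
      SUCCEEDED) break ;;
      FAILED|CANCELED) echo "job $job_id ended with status $status" >&2; return 1 ;;
      *) sleep 10 ;;        # IN_PROGRESS: poll again
    esac
  done
  # The policy is returned as a JSON string inside the response; write it out
  # with resource placeholders and the service-level template included.
  aws accessanalyzer get-generated-policy --job-id "$job_id" \
      --include-resource-placeholders --include-service-level-template \
      --query 'generatedPolicyResult.generatedPolicies[0].policy' --output text > "$out"
  # Same check the console runs in the "review and correct" step.
  aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY \
      --policy-document "file://$out"
}

# Inspect or abandon jobs for the principal.
list_jobs() { aws accessanalyzer list-policy-generations --principal-arn "$PRINCIPAL_ARN"; }
cancel_job() { aws accessanalyzer cancel-policy-generation --job-id "$1"; }

# Only call AWS when explicitly asked, e.g.
#   RUN_AWS=1 START_TIME=2024-01-01T00:00:00Z END_TIME=2024-01-08T00:00:00Z sh generate.sh
if [ "${RUN_AWS:-0}" = 1 ]; then
  generate_policy "$START_TIME" "$END_TIME" generated-policy.json
fi
```

The file written by generate_policy still contains the placeholders and service-level template described earlier on this page; edit in the real account IDs and ARNs, then create the policy with aws iam create-policy and attach it to the role before detaching the managed policy, exactly as in the console steps.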
API
You can use the following operations to generate a policy using the AWS API.
To view a generated policy
To cancel a policy generation request
To view a list of policy generation requests