Identity-based policy examples for Amazon AppFlow - Amazon AppFlow

Identity-based policy examples for Amazon AppFlow

By default, IAM users and roles don't have permission to create or modify Amazon AppFlow resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform actions on the resources that they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see Creating IAM policies in the IAM User Guide.

Policy best practices

Identity-based policies are very powerful. They determine whether someone can create, access, or delete Amazon AppFlow resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get started using AWS managed policies – To start using Amazon AppFlow quickly, use AWS managed policies to give your employees the permissions they need. These policies are already available in your account and are maintained and updated by AWS. For more information, see Get started using permissions with AWS managed policies in the IAM User Guide.

  • Grant least privilege – When you create custom policies, grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. For more information, see Grant least privilege in the IAM User Guide.

  • Enable MFA for sensitive operations – For extra security, require IAM users to use multi-factor authentication (MFA) to access sensitive resources or API operations. For more information, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.

  • Use policy conditions for extra security – To the extent that it's practical, define the conditions under which your identity-based policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also write conditions to allow requests only within a specified date or time range, or to require the use of SSL or MFA. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.

Example 1: Allow IAM users full administrator access to Amazon AppFlow

This policy example provides full access to Amazon AppFlow, to all AWS services that are available as flow sources or destinations, and to AWS Key Management Service (AWS KMS).

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "appflow:*", "Resource": "*" }, { "Sid": "ListRolesForRedshift", "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*" }, { "Sid": "KMSListAccess", "Action": [ "kms:ListKeys", "kms:DescribeKey", "kms:ListAliases" ], "Effect": "Allow", "Resource": "*" }, { "Sid": "KMSGrantAccess", "Effect": "Allow", "Action": [ "kms:CreateGrant" ], "Resource": "*", "Condition": { "StringLike": { "kms:ViaService": "appflow.*" }, "Bool": { "kms:GrantIsForAWSResource": "true" } } }, { "Sid": "KMSListGrantAccess", "Effect": "Allow", "Action": [ "kms:ListGrants" ], "Resource": "*", "Condition": { "StringLike": { "kms:ViaService": "appflow.*" } } }, { "Sid": "S3ReadAccess", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy" ], "Resource": "*" }, { "Sid": "S3PutBucketPolicyAccess", "Effect": "Allow", "Action": [ "s3:PutBucketPolicy" ], "Resource": "arn:aws:s3:::appflow-*" }, { "Sid": "SecretsManagerCreateSecretAccess", "Effect": "Allow", "Action": "secretsmanager:CreateSecret", "Resource": "*", "Condition": { "StringLike": { "secretsmanager:Name": "appflow!*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": [ "" ] } } }, { "Sid": "SecretsManagerPutResourcePolicyAccess", "Effect": "Allow", "Action": [ "secretsmanager:PutResourcePolicy" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "" ] }, "StringEqualsIgnoreCase": { "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "appflow" } } } ] }

Example 2: Allow IAM users read-only access to Amazon AppFlow

This policy example provides read-only access to Amazon AppFlow.

For definitions of each action, see Actions defined by Amazon AppFlow.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "appflow:DescribeConnectors", "appflow:DescribeConnectorProfiles", "appflow:DescribeFlows", "appflow:DescribeFlowExecution", "appflow:DescribeConnectorFields", "appflow:ListConnectorFields", "appflow:ListTagsForResource" ], "Resource": "*" } ] }

Example 3: Grant access to permission-only actions

If you use a custom policy to grant users permission to use Amazon AppFlow instead of the managed policies provided, you need to include specific permissions for the user or role to perform specific actions. For example, if the user or role needs to add or update a flow, the policy attached to the user or role must include permission to use the UseConnectorProfile permission-only action so that the user has permission to use the connection specified for the flow. You can specify that the user is allowed to use all connector profiles, or only a specific connector profile. The following example policy statement demonstrates how to grant access only to a specific connector profile by specifying the ARN to the connector profile named test-profile in the account 123456789012. You can modify this policy statement and include it in a custom policy for your environment, but this statement grants permission only to use the connector profile. The user or role needs additional permissions to perform other Amazon AppFlow actions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowConnectionProfile", "Effect": "Allow", "Action": "appflow:UseConnectorProfile", "Resource": "arn:aws:appflow:us-east-1:123456789012:connectorprofile/test-profile" } ] }

Example 4: Allow users to view their own permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": ["arn:aws:iam::*:user/${aws:username}"] }, { "Sid": "NavigateInConsole", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }