Identity-based policies for AWS BugBust - AWS BugBust

Identity-based policies for AWS BugBust

By default, users and roles don't have permission to create or modify AWS BugBust resources. They also can't perform tasks by using the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform actions on the resources that they need, and then attach those policies to the users and roles that require them.

To learn how to create an IAM identity-based policy by using these example JSON policy documents, see Creating IAM policies in the IAM User Guide.

For details about actions and resource types defined by AWS BugBust, including the format of the ARNs for each of the resource types, see Actions, Resources, and Condition Keys for AWS BugBust in the Service Authorization Reference.

Policy best practices

Identity-based policies are very powerful. They determine whether someone can create, access, or delete AWS BugBust resources in your account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get started using AWS managed policies – To start using AWS BugBust quickly, use AWS managed policies to give your employees the permissions they need. These policies are already available in your account and are maintained and updated by AWS. For more information, see Get started using permissions with AWS managed policies in the IAM User Guide.

  • Grant least privilege – When you create custom policies, grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. For more information, see Grant least privilege in the IAM User Guide.

  • Enable MFA for sensitive operations – For extra security, require IAM users to use multi-factor authentication (MFA) to access sensitive resources or API operations. For more information, see Using multi-factor authentication (MFA) in AWS in the IAM User Guide.

  • Use policy conditions for extra security – To the extent that it's practical, define the conditions under which your identity-based policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also write conditions to allow requests only within a specified date or time range, or to require the use of SSL or MFA. For more information, see IAM JSON policy elements: Condition in the IAM User Guide.

Permissions required to use the AWS BugBust console

To access the AWS BugBust console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS BugBust resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that you're trying to perform.

AWS provides two managed policies for granting access to the AWS BugBust console. Event administrators need the AWSBugBustFullAccess policy, which lets them both create and participate in AWS BugBust events. Players need the AWSBugBustPlayerAccess policy to participate in events.

For more information, see Adding permissions to a user in the IAM User Guide.

To have full access to the AWS BugBust console, use the AWSBugBustFullAccess predefined managed policy.

AWS managed (predefined) policies for AWS BugBust

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS-managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see AWS Managed Policies in the IAM User Guide.

You can also create your own custom IAM policies to grant access to AWS BugBust actions and resources. You can attach these custom policies to the IAM users, roles, or groups that need them.

The following AWS-managed policies are specific to AWS BugBust.

Note

Event administrators and players also require an AWS BugBust player portal account. To learn how to create one, see Accessing the AWS BugBust player portal for AWS BugBust events.

AWSBugBustFullAccess managed policy for AWS BugBust event administrators

To create an AWS BugBust event, use the AWSBugBustFullAccess policy. It provides full access to the AWS BugBust console, and also contains the permissions needed to ingest code reviews and profiling groups from CodeGuru Reviewer and CodeGuru Profiler. Because its bugbust:* statement uses Resource "*", the policy covers every current and future AWS BugBust action on every event in the account, so attach it only to the administrators who run events.

The AWSBugBustFullAccess policy contains the following statement. The last statement allows iam:CreateServiceLinkedRole only for the AWSServiceRoleForBugBust role and only when the requesting service is bugbust.amazonaws.com, so it cannot be used to create service-linked roles for other services.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CodeGuruReviewerPermission",
      "Effect": "Allow",
      "Action": [
        "codeguru-reviewer:DescribeCodeReview",
        "codeguru-reviewer:ListRecommendations",
        "codeguru-reviewer:ListCodeReviews"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeGuruProfilerPermission",
      "Effect": "Allow",
      "Action": [
        "codeguru-profiler:ListProfilingGroups",
        "codeguru-profiler:DescribeProfilingGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSBugBustFullAccess",
      "Effect": "Allow",
      "Action": [
        "bugbust:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSBugBustSLRCreation",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/bugbust.amazonaws.com/AWSServiceRoleForBugBust",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "bugbust.amazonaws.com"
        }
      }
    }
  ]
}

AWSBugBustPlayerAccess managed policy for players

When you create AWS BugBust events, you invite players by email and use the AWSBugBustPlayerAccess policy to grant players access to your AWS BugBust event. This policy includes the minimum set of permissions that an IAM user or role needs for a player to access AWS BugBust. For more information about inviting players by email, see Invite AWS BugBust event players (admin).

Every player policy must allow the ListBugs, ListProfilingGroups, and ListEvents actions so that all bugs, profiling groups, and events can be displayed. You can scope the JoinEvent, GetJoinEventStatus, GetLeaderboardScore, GetLeaderboardParticipants, and UpdateWorkItem actions to specific event resources. For more information, see Restrict a player to access specific AWS BugBust events.

The AWSBugBustPlayerAccess policy contains the following statement.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CodeGuruReviewerPermission",
      "Effect": "Allow",
      "Action": [
        "codeguru-reviewer:DescribeCodeReview",
        "codeguru-reviewer:ListRecommendations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeGuruProfilerPermission",
      "Effect": "Allow",
      "Action": [
        "codeguru-profiler:DescribeProfilingGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AWSBugBustPlayerAccess",
      "Effect": "Allow",
      "Action": [
        "bugbust:ListBugs",
        "bugbust:ListProfilingGroups",
        "bugbust:JoinEvent",
        "bugbust:GetEvent",
        "bugbust:ListEvents",
        "bugbust:GetJoinEventStatus",
        "bugbust:ListEventScores",
        "bugbust:ListEventParticipants",
        "bugbust:UpdateWorkItem",
        "bugbust:ListPullRequests"
      ],
      "Resource": "*"
    }
  ]
}

Customer managed policy examples

You can create your own custom IAM policies to allow permissions for AWS BugBust actions and resources. You can attach these custom policies to the IAM users, roles, or groups that require those permissions. You can also create your own custom IAM policies to integrate between AWS BugBust and other AWS services.

The following example IAM policies grant permissions for various AWS BugBust actions. Use them to limit AWS BugBust access for your IAM users and roles. These policies control the resources that AWS BugBust event players are allowed to access.

Note

All examples use the US East (N. Virginia) Region (us-east-1) and contain fictitious account IDs.

Examples

Example 1: Restrict a player to access specific CodeGuru Reviewer code reviews

The following example policy lets a player in account 123456789012 access only the bugs found in the three repository associations that are specified by ARN (note that the CodeGuru Reviewer resource in the ARN is the repository association, not an individual code review). It grants access to all AWS BugBust events in that account and Region and to all CodeGuru Profiler profiling groups that were imported into those events.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codeguru-reviewer:DescribeCodeReview",
        "codeguru-reviewer:ListRecommendations"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:codeguru-reviewer:us-east-1:123456789012:association:my-repository-association-id-1",
        "arn:aws:codeguru-reviewer:us-east-1:123456789012:association:my-repository-association-id-2",
        "arn:aws:codeguru-reviewer:us-east-1:123456789012:association:my-repository-association-id-3"
      ]
    },
    {
      "Action": [
        "codeguru-profiler:DescribeProfilingGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "bugbust:ListBugs",
        "bugbust:ListProfilingGroups",
        "bugbust:JoinEvent",
        "bugbust:GetEvent",
        "bugbust:ListEvents",
        "bugbust:GetJoinEventStatus",
        "bugbust:ListEventScores",
        "bugbust:ListEventParticipants",
        "bugbust:UpdateWorkItem",
        "bugbust:ListPullRequests"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Example 2: Restrict a player to access specific CodeGuru Profiler profiling groups

The following example policy lets a player in account 123456789012 access only the three profiling groups that are specified by ARN. It grants access to all AWS BugBust events in the player's account and Region and to all CodeGuru Reviewer code reviews that were imported into those events.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codeguru-reviewer:DescribeCodeReview",
        "codeguru-reviewer:ListRecommendations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "codeguru-profiler:DescribeProfilingGroup"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:codeguru-profiler:us-east-1:123456789012:profilingGroup/my-profiling-group-name-1",
        "arn:aws:codeguru-profiler:us-east-1:123456789012:profilingGroup/my-profiling-group-name-2",
        "arn:aws:codeguru-profiler:us-east-1:123456789012:profilingGroup/my-profiling-group-name-3"
      ]
    },
    {
      "Action": [
        "bugbust:ListBugs",
        "bugbust:ListProfilingGroups",
        "bugbust:JoinEvent",
        "bugbust:GetEvent",
        "bugbust:ListEvents",
        "bugbust:GetJoinEventStatus",
        "bugbust:ListEventScores",
        "bugbust:ListEventParticipants",
        "bugbust:UpdateWorkItem",
        "bugbust:ListPullRequests"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Example 3: Restrict a player to access specific AWS BugBust events

The following example policy lets a player in account 123456789012 access only the one AWS BugBust event that is specified by ARN. It grants access to all CodeGuru Reviewer code reviews and CodeGuru Profiler profiling groups that are imported into that event. Every player policy must allow the ListBugs, ListProfilingGroups, and ListEvents actions so that all bugs, profiling groups, and events can be displayed; you can scope the JoinEvent, GetJoinEventStatus, GetLeaderboardScore, GetLeaderboardParticipants, and UpdateWorkItem actions to specific event resources. The event ARN below follows the standard arn:partition:service:region:account:resource layout; for the exact resource format, see Actions, Resources, and Condition Keys for AWS BugBust in the Service Authorization Reference.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codeguru-reviewer:DescribeCodeReview",
        "codeguru-reviewer:ListRecommendations"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "codeguru-profiler:DescribeProfilingGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "bugbust:ListBugs",
        "bugbust:ListProfilingGroups",
        "bugbust:ListEvents",
        "bugbust:ListEventScores",
        "bugbust:ListEventParticipants",
        "bugbust:ListPullRequests",
        "bugbust:JoinEvent",
        "bugbust:GetEvent",
        "bugbust:GetJoinEventStatus",
        "bugbust:UpdateWorkItem"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:bugbust:us-east-1:123456789012:event/a1b2c3d4-5678-90ab-cdef-EXAMPLE44444"
    }
  ]
}
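The rules that the policies on this page rely on (an explicit Deny always wins, "*" and "?" wildcards in Action and Resource, and Condition keys that must be present in the request unless an ...IfExists operator is used) can be exercised offline before anything is attached to a user. The following Python is an added example written for this page; it is not AWS code and not the real IAM engine, only a small evaluator that covers the policy shapes used here. It runs the AWSBugBustSLRCreation statement from AWSBugBustFullAccess, the event-scoped player statement from Example 3, and a constructed Deny policy that illustrates the "Use policy conditions for extra security" guideline (MFA and source-IP conditions). The second event ID, the 203.0.113.0/24 address range, and the request contexts are constructed for the example; the event ARN is written in the standard arn:partition:service:region:account:resource layout, and the authoritative format is the one in the Service Authorization Reference.

```python
"""Offline evaluator for the policy shapes used on this page (added example).

Supports Allow/Deny, IAM '*' and '?' wildcards in Action and Resource, and the
StringLike, StringEquals, Bool, IpAddress and NotIpAddress operators, each
with an ...IfExists variant. Not the real IAM engine: no NotAction, policy
variables, resource policies or SCPs. Use it to sanity-check a policy before
attaching it; the authoritative answer comes from the IAM policy simulator.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, fold_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    if fold_case:  # Action names are case-insensitive, ARNs are not.
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(condition, ctx):
    for operator, pairs in condition.items():
        base, if_exists = operator, False
        if base.endswith("IfExists"):
            base, if_exists = base[: -len("IfExists")], True
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                # A missing key fails the condition unless ...IfExists is used.
                # This is why a Deny keyed on Bool aws:MultiFactorAuthPresent=false
                # does not catch requests signed with long-term access keys,
                # where the key is absent from the request context.
                if if_exists:
                    continue
                return False
            expected = [str(e) for e in _as_list(expected)]
            if base == "StringLike":
                ok = any(_match(e, str(actual)) for e in expected)
            elif base == "StringEquals":
                ok = str(actual) in expected
            elif base == "Bool":
                ok = str(actual).lower() in [e.lower() for e in expected]
            elif base in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(e, strict=False) for e in expected)
                ok = ok if base == "IpAddress" else not ok
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    ctx = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action, fold_case=True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_ok(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Statement copied from the AWSBugBustFullAccess managed policy above.
FULL_ACCESS_SLR = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSBugBustSLRCreation", "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/bugbust.amazonaws.com/AWSServiceRoleForBugBust",
    "Condition": {"StringLike": {"iam:AWSServiceName": "bugbust.amazonaws.com"}}}]}

# Event-scoped player statement from Example 3 above. OTHER_EVENT_ARN is a
# constructed, fictitious second event used only to show the scoping bite.
EVENT_ARN = "arn:aws:bugbust:us-east-1:123456789012:event/a1b2c3d4-5678-90ab-cdef-EXAMPLE44444"
OTHER_EVENT_ARN = "arn:aws:bugbust:us-east-1:123456789012:event/a1b2c3d4-5678-90ab-cdef-EXAMPLE55555"
PLAYER_ONE_EVENT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": EVENT_ARN,
    "Action": ["bugbust:ListBugs", "bugbust:ListProfilingGroups", "bugbust:ListEvents",
               "bugbust:ListEventScores", "bugbust:ListEventParticipants",
               "bugbust:ListPullRequests", "bugbust:JoinEvent", "bugbust:GetEvent",
               "bugbust:GetJoinEventStatus", "bugbust:UpdateWorkItem"]}]}


def mfa_and_network_guard(mfa_operator="BoolIfExists"):
    """Constructed Deny policy (not from the page) for the 'policy conditions'
    guideline: block BugBust calls made without MFA or from outside a CIDR.
    The MFA operator is a parameter so Bool and BoolIfExists can be compared."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyWithoutMfa", "Effect": "Deny", "Action": "bugbust:*", "Resource": "*",
         "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "DenyOffNetwork", "Effect": "Deny", "Action": "bugbust:*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}


if __name__ == "__main__":
    player = [PLAYER_ONE_EVENT, mfa_and_network_guard()]
    mfa_on_net = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
    print("join own event, MFA, on-net:", evaluate(player, "bugbust:JoinEvent", EVENT_ARN, mfa_on_net))
    print("join other event:           ", evaluate(player, "bugbust:JoinEvent", OTHER_EVENT_ARN, mfa_on_net))
    print("access keys, no MFA key:    ", evaluate(player, "bugbust:JoinEvent", EVENT_ARN, {"aws:SourceIp": "203.0.113.10"}))
    print("SLR for another service:    ", evaluate([FULL_ACCESS_SLR], "iam:CreateServiceLinkedRole",
          "arn:aws:iam::123456789012:role/aws-service-role/bugbust.amazonaws.com/AWSServiceRoleForBugBust",
          {"iam:AWSServiceName": "ec2.amazonaws.com"}))
```

Run the file to print the decisions. The case worth remembering is the MFA one: with Bool, a request made with long-term access keys carries no aws:MultiFactorAuthPresent key, the Deny does not match, and the player statement allows the call; with BoolIfExists the missing key satisfies the condition and the call is denied. For the authoritative result, run the same cases through aws iam simulate-custom-policy with --policy-input-list, --action-names and --resource-arns, which evaluates the full IAM logic rather than this subset.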

AWS BugBust updates to AWS managed policies and service-linked role

View details about updates to the AWS managed policies and the service-linked role for AWS BugBust since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history page of the AWS BugBust User Guide.

Change: AWSBugBustFullAccess – Update to an existing policy
Description: AWS BugBust added a permission for the iam:CreateServiceLinkedRole action so that the service-linked role for AWS BugBust can be created. For more information about service roles, see Creating a role to delegate permissions to an AWS service in the AWS Identity and Access Management User Guide.
Date: July 22, 2021

Change: AWSBugBustFullAccess – New policy
Description: AWS BugBust added a new policy that grants the permissions an AWS BugBust administrator needs to create and manage an event.
Date: June 24, 2021

Change: AWSBugBustPlayerAccess – New policy
Description: AWS BugBust added a new policy that grants the permissions an AWS BugBust event player needs to participate in an event.
Date: June 24, 2021

Change: AWSBugBustServiceRolePolicy – New policy
Description: AWS BugBust added a new service-linked role named AWSServiceRoleForBugBust that is required for AWS BugBust to access resources on your behalf.
Date: June 24, 2021

Change: AWS BugBust started tracking changes
Description: AWS BugBust started tracking changes for its AWS managed policies.
Date: June 24, 2021