Wednesday, April 23, 2025

AWS Reference Information Service: Making Policy Automation

Workflows for policy administration can be automated by using AWS service reference data.

Workflows for policy administration can be automated with the aid of JSON-formatted service reference data from Amazon Web Services (AWS). The service reference information gives you machine-readable files that list the actions available across AWS services. Keeping up with the constantly expanding number of services and actions in AWS is a critical customer demand that the reference information service helps to meet.

As new services are introduced and current services grow in functionality, you can now easily find the available actions, resources, and condition keys for every AWS service and include them in your policy authoring and validation workflows. As your company grows and your AWS footprint increases, you may choose to automate your policy management operations. Using the service authorization reference, you can create custom tools that help you evaluate and adopt new actions, resources, and condition keys introduced by AWS services.

How to begin using service reference data

The reference information service contains static details about the actions, resources, and condition keys that are available for each AWS service.

This URL endpoint provides a JSON file with the most recent AWS service catalogue and the reference data available for it. Requesting this API returns the most recent list of services that the AWS Reference Information service supports.

In the URL endpoint, enter the name of the desired AWS service (for instance, “s3” for Amazon Simple Storage Service (Amazon S3) or “ec2” for Amazon Elastic Compute Cloud (Amazon EC2)). This URL endpoint returns a JSON file with the whole set of actions, resources, and condition keys available for that specific service.

The service-list.json file, which lists the service names and the URL of each service’s reference information, is formatted as follows:

[
    {
        "service": "s3",
        "url": "https://servicereference.us-east-1.amazonaws.com/v1/s3/s3.json"
    },
    {
        "service": "dynamodb",
        "url": "https://servicereference.us-east-1.amazonaws.com/v1/dynamodb/dynamodb.json"
    },
    …
]

Use the url field to open the service information page and view the list of permissions for the service. The JSON file can also be downloaded for use in your policy creation processes.

The example below shows part of the permissions for Amazon S3. Each AWS Identity and Access Management (IAM) action is a separate JSON object. In each object, the Name field gives the IAM action’s name, the ActionConditionKeys field lists the condition keys available for the action, and the Resources field lists the action’s resources.

{
  "Name" : "s3",
  "Actions" : [ {
    "Name" : "AbortMultipartUpload",
    "ActionConditionKeys" : [ "s3:AccessGrantsInstanceArn", "s3:AccessPointNetworkOrigin", "s3:DataAccessPointAccount", "s3:DataAccessPointArn", "s3:ResourceAccount", "s3:TlsVersion", "s3:authType", "s3:signatureAge", "s3:signatureversion", "s3:x-amz-content-sha256" ],
    "Resources" : [ {
      "Name" : "object"
    } ]
  }, {
    "Name" : "AssociateAccessGrantsIdentityCenter",
    "ActionConditionKeys" : [ "aws:ResourceTag/${TagKey}", "s3:ResourceAccount", "s3:TlsVersion", "s3:authType", "s3:signatureAge", "s3:signatureversion", "s3:x-amz-content-sha256" ],
    "Resources" : [ {
      "Name" : "accessgrantsinstance"
    } ]
  } ],
  "Version" : "v1.1"
}
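As an added example (not code from the page or from AWS's own tools), here is a Python check that validates one IAM policy statement against a per-service reference file: it flags actions the file does not list and service-specific condition keys the action does not support. The S3 excerpt is constructed from the fields shown above, and the statement layout and finding strings are assumptions of this example.

```python
import json

# Constructed excerpt of a per-service reference file (not a live download).
S3_REFERENCE = json.loads("""{
  "Name": "s3",
  "Actions": [
    {"Name": "AbortMultipartUpload",
     "ActionConditionKeys": ["s3:DataAccessPointArn", "s3:ResourceAccount",
                             "s3:TlsVersion", "s3:authType"],
     "Resources": [{"Name": "object"}]},
    {"Name": "AssociateAccessGrantsIdentityCenter",
     "ActionConditionKeys": ["aws:ResourceTag/${TagKey}", "s3:ResourceAccount"],
     "Resources": [{"Name": "accessgrantsinstance"}]}
  ],
  "Version": "v1.1"
}""")

def index_actions(reference):
    """Lower-cased action name -> lower-cased condition keys (IAM is case-insensitive)."""
    return {a["Name"].lower(): [k.lower() for k in a["ActionConditionKeys"]]
            for a in reference["Actions"]}

def supports_key(supported, key):
    """A templated key such as aws:resourcetag/${tagkey} matches any key that
    shares the prefix before the template variable."""
    return any(s == key or ("${" in s and key.startswith(s.split("${")[0]))
               for s in supported)

def validate_statement(statement, reference):
    """Return findings for one IAM statement: actions the reference does not
    list, and service-prefixed condition keys the action does not support.
    Global aws:* keys apply to every action and are not listed per action."""
    index = index_actions(reference)
    service = reference["Name"].lower()
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    used = {k.lower() for op in statement.get("Condition", {}).values() for k in op}
    findings = []
    for action in actions:
        svc, _, name = action.lower().partition(":")
        if svc != service or "*" in name:
            continue  # another service's file, or a wildcard: not resolvable here
        if name not in index:
            findings.append(f"unknown action {action}")
            continue
        for key in sorted(used):
            if key.startswith(service + ":") and not supports_key(index[name], key):
                findings.append(f"{key} is not a condition key of {action}")
    return findings
```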

What can you build with the reference information service?

Let’s look at some real-world scenarios that show how to use the reference information service. Here are two custom tools that use the service reference data to get you started. These tools are available in our GitHub repository for you to use and modify to suit your needs.

  • Pre-processor for service control policy (SCP)
  • A notification mechanism for IAM actions that have been added or withdrawn

SCP preprocessor

The SCP pre-processor makes writing SCPs more convenient. It runs as a command-line utility: it takes a single, monolithic JSON file, performs a number of optimisations and transformations on it, and produces a list of valid service control policies that adhere to the policy size limits. The program optimises lists of IAM actions using data from the AWS reference information service.

Notification tool for new or removed IAM actions

When new IAM actions or services are made available, you may need to change various policies across your AWS environment. This tool alerts you when actions or services are introduced or withdrawn. It works by downloading the service reference data and comparing it with the version of the file saved the last time the tool ran. The notifications can drive tasks such as manually reviewing new, sensitive actions or automatically updating IAM policies when new actions are added.
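The comparison this tool performs, as an added Python example (not the GitHub tool's own code): two constructed snapshots of one service's reference file are diffed for added and removed actions and for changed condition keys, and the result is rendered as a notification that marks new actions matching a constructed watch-list for manual review.

```python
import json

# Constructed "previous" and "current" snapshots of one service's reference
# file, trimmed to the fields the comparison needs. The real tool keeps the
# file it downloaded on its last run and fetches the current one.
PREVIOUS = json.loads("""{"Name": "s3", "Version": "v1.1", "Actions": [
  {"Name": "AbortMultipartUpload", "ActionConditionKeys": ["s3:authType"]},
  {"Name": "ExampleRetiredAction", "ActionConditionKeys": []}
]}""")
CURRENT = json.loads("""{"Name": "s3", "Version": "v1.1", "Actions": [
  {"Name": "AbortMultipartUpload",
   "ActionConditionKeys": ["s3:authType", "s3:TlsVersion"]},
  {"Name": "ExampleReadAction", "ActionConditionKeys": ["s3:ResourceAccount"]},
  {"Name": "ExampleDeleteAction", "ActionConditionKeys": ["s3:ResourceAccount"]}
]}""")

# Constructed watch-list: name fragments that mark a new action for manual
# review before any policy is updated automatically.
REVIEW_HINTS = ("Delete", "Put", "Policy", "Grant")

def diff_actions(previous, current):
    """Compare two snapshots of a service reference file and return the
    actions added, removed, and those whose condition-key list changed."""
    old = {a["Name"]: set(a["ActionConditionKeys"]) for a in previous["Actions"]}
    new = {a["Name"]: set(a["ActionConditionKeys"]) for a in current["Actions"]}
    svc = current["Name"]
    return {
        "added": sorted(f"{svc}:{n}" for n in new.keys() - old.keys()),
        "removed": sorted(f"{svc}:{n}" for n in old.keys() - new.keys()),
        "changed_keys": {
            f"{svc}:{n}": {"added": sorted(new[n] - old[n]),
                           "removed": sorted(old[n] - new[n])}
            for n in sorted(new.keys() & old.keys()) if new[n] != old[n]},
    }

def format_notification(diff, hints=REVIEW_HINTS):
    """Render the diff as the plain-text message a notification channel
    would carry, flagging new actions that match the watch-list."""
    lines = []
    for action in diff["added"]:
        flagged = any(h.lower() in action.lower() for h in hints)
        lines.append(f"ADDED   {action}" + ("  <- manual review" if flagged else ""))
    lines.extend(f"REMOVED {a}" for a in diff["removed"])
    for action, delta in diff["changed_keys"].items():
        lines.append(f"KEYS    {action} +{delta['added']} -{delta['removed']}")
    return "\n".join(lines)
```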

Conclusion

The AWS reference information service makes it easier to build automation for policy authoring and validation. By giving you the AWS service actions reference in JSON format, it lets you build custom tools for generating and managing policies.

Thota Nithya
Thota Nithya has been writing Cloud Computing articles for govindhtech since April 2023. She is a science graduate and an enthusiast of cloud computing.