Example: Excluding Actions
In basic CRUD mode, Policy Sentry takes a "granular select all" approach: for each Resource ARN you list, it includes every action at the requested access level (for example, every write-level action) that can be scoped to that ARN.
However, there are cases where you don't want all of those actions, only some of them.
The exclude-actions section allows you to do this.
You can specify actions that you don't want to include in the resulting policy, regardless of which access level they belong to. See the example below.
Input:
mode: crud
write:
- arn:aws:kms:us-east-1:123456789012:key/aaaa-bbbb-cccc
exclude-actions:
- "kms:Delete*"
- "kms:Disable*"
- "kms:Schedule*"
Output:
As you can see in the exclude-actions section above, we are telling Policy Sentry not to include kms:Delete*, kms:Disable*, and kms:Schedule*. Notice that each entry includes a wildcard (*), so you can tell Policy Sentry to exclude every action matching that pattern instead of naming each action individually. Because the pattern covers the full service:Action string, kms:Delete* only affects KMS actions. Be careful with overly broad patterns such as kms:*, which would match every KMS action and leave the statement with nothing in it. The resulting policy should not include any of these actions, which would normally be generated if the exclude-actions section were not used:
kms:DeleteAlias
kms:DeleteImportedKeyMaterial
kms:DisableKey
kms:DisableKeyRotation
kms:ScheduleKeyDeletion
Notice how none of those actions are included in the resulting JSON policy output below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "KmsWriteKey",
"Effect": "Allow",
"Action": [
"kms:CancelKeyDeletion",
"kms:CreateAlias",
"kms:Decrypt",
"kms:EnableKey",
"kms:EnableKeyRotation",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyPair",
"kms:GenerateDataKeyPairWithoutPlaintext",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:ImportKeyMaterial",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:Sign",
"kms:UpdateAlias",
"kms:UpdateKeyDescription",
"kms:Verify"
],
"Resource": [
"arn:aws:kms:us-east-1:123456789012:key/aaaa-bbbb-cccc"
]
}
]
}
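The filtering step the example describes, reimplemented as an added Python example that is not Policy Sentry's own code: it takes the write-level actions Policy Sentry would normally emit for the KMS key, drops the ones matching the exclude-actions patterns, and assembles the single-statement policy. The action list is constructed from the page (the 17 actions in the output plus the 5 the text says are excluded) rather than looked up in Policy Sentry's database, and the wildcard-to-regex translation (anchored match, `*` and `?` wildcards, case-insensitive, as IAM itself treats Action values) is an assumption about matching semantics, not a statement about how Policy Sentry implements it. The `unused_patterns` helper is an added check for the failure mode a practitioner hits most often: a mistyped pattern that silently excludes nothing.

```python
"""Illustrative re-implementation of exclude-actions filtering (not Policy Sentry code)."""
import json
import re
from typing import Dict, Iterable, List, Pattern

# Constructed sample input: the write-level actions Policy Sentry would normally
# emit for a KMS key in CRUD mode. Union of the 17 actions in the page's output
# and the 5 actions the page says exclude-actions removes; copied from the page,
# not queried from Policy Sentry's IAM definition database.
KMS_KEY_WRITE_ACTIONS: List[str] = [
    "kms:CancelKeyDeletion",
    "kms:CreateAlias",
    "kms:Decrypt",
    "kms:DeleteAlias",
    "kms:DeleteImportedKeyMaterial",
    "kms:DisableKey",
    "kms:DisableKeyRotation",
    "kms:EnableKey",
    "kms:EnableKeyRotation",
    "kms:Encrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyPair",
    "kms:GenerateDataKeyPairWithoutPlaintext",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ImportKeyMaterial",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:ScheduleKeyDeletion",
    "kms:Sign",
    "kms:UpdateAlias",
    "kms:UpdateKeyDescription",
    "kms:Verify",
]

# The exclude-actions list from the page's input YAML.
EXCLUDE_ACTIONS: List[str] = ["kms:Delete*", "kms:Disable*", "kms:Schedule*"]

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/aaaa-bbbb-cccc"


def pattern_to_regex(pattern: str) -> Pattern[str]:
    """Turn an IAM-style action pattern into an anchored, case-insensitive regex.

    '*' matches any run of characters and '?' exactly one character, the two
    wildcards IAM accepts in an Action element. Everything else is literal, so
    'kms:Delete*' can only ever match KMS actions. Assumption: this mirrors IAM's
    own matching; Policy Sentry's matcher may differ in detail.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def apply_exclusions(actions: Iterable[str], exclude_patterns: Iterable[str]) -> List[str]:
    """Return the actions that match no exclude pattern, preserving order."""
    compiled = [pattern_to_regex(p) for p in exclude_patterns]
    return [a for a in actions if not any(rx.match(a) for rx in compiled)]


def excluded_actions(actions: List[str], exclude_patterns: Iterable[str]) -> List[str]:
    """Return the actions the exclude list removes, so a reviewer can eyeball them."""
    kept = set(apply_exclusions(actions, exclude_patterns))
    return [a for a in actions if a not in kept]


def unused_patterns(actions: Iterable[str], exclude_patterns: Iterable[str]) -> List[str]:
    """Return exclude patterns that matched nothing (usually a typo that would go unnoticed)."""
    action_list = list(actions)
    return [p for p in exclude_patterns
            if not any(pattern_to_regex(p).match(a) for a in action_list)]


def build_policy(sid: str, actions: Iterable[str], resource_arn: str) -> Dict:
    """Assemble a single-statement policy document shaped like the page's output."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": list(actions), "Resource": [resource_arn]}
        ],
    }


if __name__ == "__main__":
    print("Excluded:", excluded_actions(KMS_KEY_WRITE_ACTIONS, EXCLUDE_ACTIONS))
    print("Patterns that matched nothing:", unused_patterns(KMS_KEY_WRITE_ACTIONS, EXCLUDE_ACTIONS))
    kept = apply_exclusions(KMS_KEY_WRITE_ACTIONS, EXCLUDE_ACTIONS)
    print(json.dumps(build_policy("KmsWriteKey", kept, KEY_ARN), indent=4))
```

Run it and the printed policy carries the same 17 actions as the page's output. Running `unused_patterns` against your own template before committing it is the check worth keeping: an entry such as `kms:Dlete*` produces no error anywhere, it simply leaves the destructive actions in the policy.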