Below is the policy template created to restrict any Principal
to do only below actions:
Resources:
MyPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: RulesToCreateUpdatePolicy
ManagedPolicyName: some-policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:CreatePolicy"
- "iam:DeletePolicy"
- "iam:CreatePolicyVersion"
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/xyz-lambda-*"
on a policy resource that starts with name xyz-lambda-
.
This policy is assigned to EC2 host, with a role.
Does this policy name(like xyz-lambda-*
) supposed to be already exist in AWS, before uploading this policy in AWS?
No, when you are specifying resource in your policy document, that resource doesn't need to exists at all.
If you take into consideration this action
iam:CreatePolicy
together with your resource, what it does is that it grants necessary permissions to create policy with that particular name xyz-lambda-*
. It wouldn't make much of sense to require existence of such resource if the policy is granting permissions to create it in the first place.
When you consider the delete action
iam:DeletePolicy
if the resource doesn't exist then it does nothing. Once you create policy with the appropriate name, you will be able to delete it but it doesn't matter whether the policy existed before this ManagedPolicy was created or after or you have deleted and recreated policy with such name any number of times.
Lastly, since you have stated that this policy is attached to EC2 role then it should work without errors. But I would still recommend to grant iam:ListPolicies
permission for any resource (policy) discovery that could be performed by an application running on EC2 instance. If you don't allow this action in your policy, your application will not be able to list policies and you would have to design some error prone workaround based on guessing or a strict naming scheme.
Policy name is not important. Resources unique by ARN only. IAM Resources unique within AWS account an if u don't create this resource before it's ok