access-policy

Category Governance
Latest Version 0.1.0 (current)

Terraform module for access-policy on aws

Add to your Terraform configuration
module "access_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "0.1.0"

  # Required inputs
  policy_name = "..."
}

Overview

The access-policy module creates AWS access policies with production-ready defaults including:

  • Support for IAM policies, Service Control Policies (SCPs), and permission boundaries
  • Service allow-listing for least-privilege access
  • Action deny-listing for explicit security guardrails
  • Resource-level restrictions for fine-grained control

Category: Governance
Provider: AWS
Latest Version: 2.1.0

Quick Start

module "developer_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "developer-access"
  policy_type = "iam"

  allowed_services = ["ec2", "s3", "lambda", "dynamodb", "cloudwatch"]

  denied_actions = [
    "iam:CreateUser",
    "iam:DeleteUser",
    "organizations:*"
  ]

  resource_restrictions = {
    s3 = ["arn:aws:s3:::company-*/*"]
  }
}

Key Features

Multiple Policy Types

The module supports three types of access policies to cover different governance needs:

# Standard IAM Policy
module "iam_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "service-access"
  policy_type = "iam"

  allowed_services = ["s3", "dynamodb"]
}

# Permission Boundary
module "boundary_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "developer-boundary"
  policy_type = "boundary"

  allowed_services = ["ec2", "s3", "lambda"]
  denied_actions   = ["iam:*", "organizations:*"]
}

# Service Control Policy
module "scp_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "region-restriction"
  policy_type = "scp"

  denied_actions = ["ec2:RunInstances"]
}

Service Allow-listing

Define which AWS services are permitted:

module "compute_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "compute-services"
  policy_type = "iam"

  allowed_services = [
    "ec2",
    "lambda",
    "ecs",
    "ecr",
    "autoscaling"
  ]
}

Action Deny-listing

Explicitly block dangerous or sensitive actions:

module "secure_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name      = "secure-developer"
  policy_type      = "iam"
  allowed_services = ["s3", "dynamodb", "lambda"]

  denied_actions = [
    "s3:DeleteBucket",
    "dynamodb:DeleteTable",
    "lambda:DeleteFunction",
    "cloudtrail:StopLogging"
  ]
}

Documentation


Inputs

policy_name Required
string

Name of the access policy. Must be unique within your AWS account. Can contain alphanumeric characters, plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). Maximum 128 characters.

policy_type
string Default: iam

Type of policy to create. Valid values: iam (standard IAM policy), scp (Service Control Policy for Organizations), boundary (permission boundary).

allowed_services
list(string)

List of allowed AWS services (e.g., ec2, s3, lambda, dynamodb). Defines which AWS services the policy permits access to, for least-privilege design.

denied_actions
list(string)

Explicitly denied actions that must never be performed, regardless of other permissions (e.g., iam:CreateUser, organizations:*).

resource_restrictions
map(list(string))

Resource-level restrictions by service. A map where keys are service names and values are lists of ARN patterns. Example:

resource_restrictions = {
  s3       = ["arn:aws:s3:::company-data-*/*"]
  dynamodb = ["arn:aws:dynamodb:*:*:table/users-*"]
}

Outputs

policy_arn

ARN of the created policy. Use this for attaching the policy to IAM entities or referencing in other resources.

policy_document

JSON-formatted policy document generated by the module. Useful for debugging, auditing, or using in contexts that require raw policy JSON.

policy_id

Unique identifier for the policy. This is the policy's internal AWS ID, distinct from the ARN.
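The following is an added example, not code from the module or its registry. It shows, in Python, how the three policy types in Key Features combine at evaluation time (an explicit Deny from denied_actions always wins, a permission boundary must itself Allow, an SCP acts as an organization-wide guardrail) and how the policy_document output can be audited against the inputs it was generated from. The three documents are constructed to mirror the developer_policy, boundary_policy and scp_policy snippets above; the module's real rendering may differ in statement layout, so replace them with your own policy_document output. It assumes the default FullAWSAccess SCP remains attached (so the SCP only needs to deny) and handles only Action/Resource statements, not NotAction, NotResource or Condition.

```python
"""Evaluate and lint IAM policy documents of the shape this module emits.

Added example (not part of the access-policy module). The documents below
are constructed to mirror the Quick Start / Key Features inputs; replace
them with the module's real `policy_document` output when auditing.
"""
import fnmatch
import json

# Constructed: a plausible rendering of `developer_policy` from Quick Start.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:*", "lambda:*", "dynamodb:*", "cloudwatch:*"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::company-*/*"]},
    {"Effect": "Deny",
     "Action": ["iam:CreateUser", "iam:DeleteUser", "organizations:*"],
     "Resource": "*"}
  ]
}""")

# Constructed: the `developer-boundary` and `region-restriction` examples.
BOUNDARY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "lambda:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:*", "organizations:*"], "Resource": "*"},
]}
SCP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["ec2:RunInstances"], "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policy, action, resource="*"):
    """Return "Deny", "Allow" or "ImplicitDeny" for one policy document.

    Only Action/Resource statements are handled (the keys the module's
    inputs map to); NotAction, NotResource and Condition are out of scope.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        hit = (any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
               and any(_resource_matches(p, resource)
                       for p in _as_list(stmt.get("Resource", "*"))))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins, whatever else allows
        decision = "Allow"
    return decision


def effective(action, resource, identity, boundary=None, scp=None):
    """Combine the policy types the module can produce.

    The identity policy and the permission boundary must both Allow; the
    SCP is treated as a Deny-only guardrail (assumes the default
    FullAWSAccess SCP is still attached, so the SCP never needs to grant).
    """
    if scp is not None and evaluate(scp, action, resource) == "Deny":
        return False
    if boundary is not None and evaluate(boundary, action, resource) != "Allow":
        return False
    return evaluate(identity, action, resource) == "Allow"


def lint(policy, allowed_services, denied_actions):
    """Check a rendered document against the inputs it was generated from."""
    findings = []
    allowed = {s.lower() for s in allowed_services}
    deny_patterns = [a for s in policy["Statement"] if s["Effect"] == "Deny"
                     for a in _as_list(s["Action"])]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for act in _as_list(stmt["Action"]):
            service = act.split(":", 1)[0].lower()
            if service == "*":
                findings.append(f"Allow grants every service: {act}")
            elif service not in allowed:
                findings.append(f"Allow for service outside allow-list: {act}")
    for wanted in denied_actions:
        if not any(_action_matches(p, wanted) for p in deny_patterns):
            findings.append(f"denied_actions entry has no matching Deny: {wanted}")
    return findings


if __name__ == "__main__":
    print(evaluate(DEVELOPER_POLICY, "s3:GetObject",
                   "arn:aws:s3:::company-data/report.csv"))
    print(effective("ec2:RunInstances", "*",
                    DEVELOPER_POLICY, BOUNDARY_POLICY, SCP_POLICY))
    print(lint(DEVELOPER_POLICY, ["s3"], ["cloudtrail:StopLogging"]))
```

Once your root module exposes the module's policy_document output, feed `terraform output -raw <output-name>` into `lint()` with the same allowed_services and denied_actions you passed to the module; an empty findings list means the rendered document still matches the declared allow-list and guardrails, which is a cheap check to run in CI before the policy is attached.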