allowed_services
List of allowed AWS services (e.g., ec2, s3, lambda, dynamodb). Define which AWS services the policy permits access to for least-privilege design.
Service Allow-listing
Define which AWS services the policy permits access to. This is a fundamental aspect of least-privilege design.
allowed_services = ["ec2", "s3", "lambda", "dynamodb"]
Common Service Groups
Compute Services
allowed_services = ["ec2", "lambda", "ecs", "ecs-tasks", "ecr"]
Note: check each entry against the IAM service prefix list (the part before the colon in an action name, such as ec2 in ec2:DescribeInstances) before adding it. ecs-tasks is the name of an ECS service principal (ecs-tasks.amazonaws.com), not an IAM action prefix; IAM actions for ECS tasks live under the ecs prefix, so an entry that is not a real prefix grants nothing and only makes the list look broader than it is.
Storage Services
allowed_services = ["s3", "dynamodb", "rds", "elasticache"]
Developer Services
allowed_services = ["codecommit", "codebuild", "codepipeline", "cloudformation"]
Observability Services
allowed_services = ["cloudwatch", "logs", "xray", "cloudtrail"]
Best Practices
- Start with the minimum required services
- Group related services for common use cases
- Review and audit service access periodically
- Use deny lists (denied_actions) for fine-grained control within allowed services: an explicit Deny always overrides an Allow in IAM, so a deny list can carve exceptions out of an allowed service without opening any service that is not on the allow-list
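To make the allow-list plus deny-list semantics concrete, the following stand-alone Python script was added for this page; it is not the module's own implementation. It assumes that an allow-listed service expands to an Allow over `<service>:*` and that denied_actions becomes an explicit Deny statement, and it uses a small hand-picked subset of real IAM service prefixes to flag entries such as ecs-tasks that can never match an action. It also evaluates sample actions against the rendered document with IAM's explicit-deny-wins rule and reports denied actions whose service is not allow-listed (already implicitly denied, so the entry is redundant).

```python
"""Illustration of what a service allow-list plus a denied_actions deny-list
means in IAM terms. Written for this page; not the module's implementation.
Assumptions: each allowed service expands to '<svc>:*', denied_actions becomes
an explicit Deny, and IAM_PREFIXES is a hand-picked subset of real prefixes."""
import fnmatch
import json

# Subset of IAM service prefixes (the part before ':' in an action name).
# Assumed for this example; anything outside it is reported as unknown.
IAM_PREFIXES = {
    "ec2", "s3", "lambda", "dynamodb", "ecs", "ecr", "rds", "elasticache",
    "codecommit", "codebuild", "codepipeline", "cloudformation",
    "cloudwatch", "logs", "xray", "cloudtrail", "iam", "sts",
}


def validate_services(allowed_services):
    """Return entries that are not known IAM service prefixes.
    'ecs-tasks', for instance, names a service principal, not an action
    prefix, so a policy built from it would never match any action."""
    return [s for s in allowed_services if s.lower() not in IAM_PREFIXES]


def render_policy(allowed_services, denied_actions=()):
    """Build an IAM policy document: one Allow over '<svc>:*' per allowed
    service and, if given, one explicit Deny covering denied_actions."""
    statements = [{
        "Sid": "AllowListedServices",
        "Effect": "Allow",
        "Action": sorted(f"{s}:*" for s in allowed_services),
        "Resource": "*",
    }]
    if denied_actions:
        statements.append({
            "Sid": "DenyWithinAllowedServices",
            "Effect": "Deny",
            "Action": sorted(denied_actions),
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _matches(action, pattern):
    # IAM matches action names case-insensitively; '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(action, policy):
    """Evaluate one action against the document: any matching Deny wins,
    otherwise a matching Allow is required, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(action, p) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def redundant_denies(allowed_services, denied_actions):
    """Denied actions whose service prefix is not allow-listed are already
    implicitly denied; flag them so the deny list stays meaningful."""
    allowed = {s.lower() for s in allowed_services}
    return [a for a in denied_actions
            if a.split(":", 1)[0].lower() not in allowed]


if __name__ == "__main__":
    # Constructed sample inputs mirroring the page's example list.
    services = ["ec2", "s3", "lambda", "dynamodb"]
    denies = ["s3:DeleteBucket", "ec2:TerminateInstances", "iam:*"]
    print("unknown prefixes:", validate_services(["ec2", "ecs-tasks"]))
    print("redundant denies:", redundant_denies(services, denies))
    doc = render_policy(services, denies)
    print(json.dumps(doc, indent=2))
    for act in ("s3:GetObject", "s3:DeleteBucket", "sqs:SendMessage"):
        print(act, "->", "allow" if is_allowed(act, doc) else "deny")
```

Running the script shows s3:GetObject allowed, s3:DeleteBucket denied by the explicit Deny even though s3 is allow-listed, and sqs:SendMessage implicitly denied because sqs is not on the list; the iam:* deny is reported as redundant for the same reason.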
Full Module Example
module "access_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "0.1.0"

  # allowed_services: list(string) of AWS service names, e.g. ["ec2", "s3"]
  allowed_services = "..."

  # Other required inputs
  policy_name = "..."
}