resource_restrictions
Resource-level restrictions by service. A map where keys are service names and values are lists of ARN patterns. Example: { s3 = ["arn:aws:s3:::company-data-*/*"], dynamodb = ["arn:aws:dynamodb:*:*:table/users-*"] }
Resource-Level Access Control
Limit permissions to specific resources rather than granting account-wide access.
resource_restrictions = {
  s3 = ["arn:aws:s3:::company-data-*/*"]
}
Common Patterns
S3 Bucket Restrictions
resource_restrictions = {
  s3 = [
    "arn:aws:s3:::app-data-prod/*",
    "arn:aws:s3:::app-logs-prod/*"
  ]
}
DynamoDB Table Restrictions
resource_restrictions = {
  dynamodb = [
    "arn:aws:dynamodb:*:*:table/users-*",
    "arn:aws:dynamodb:*:*:table/orders-*"
  ]
}
Lambda Function Restrictions
resource_restrictions = {
  lambda = [
    "arn:aws:lambda:*:*:function:api-*",
    "arn:aws:lambda:*:*:function:processor-*"
  ]
}
Multi-Service Restrictions
resource_restrictions = {
  s3       = ["arn:aws:s3:::team-bucket/*"]
  dynamodb = ["arn:aws:dynamodb:*:*:table/team-*"]
  sqs      = ["arn:aws:sqs:*:*:team-*"]
}
Best Practices
- Use naming conventions that enable resource-based restrictions
- Prefer specific ARNs over wildcards when possible
- Include region and account restrictions where appropriate
- Test resource restrictions thoroughly before deployment
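The following Python script is an added example for the patterns and best practices above; it is not part of the access-policy module. It assumes the module places each service's list in the IAM Resource element and that a service with no entry in the map is granted nothing. It evaluates candidate ARNs against the map using IAM wildcard semantics (`*` matches any run of characters, including `:` and `/`; `?` matches one character) and flags patterns that leave the region, account or resource field wide open, so restrictions can be checked before deployment. Note that an object pattern such as `team-bucket/*` does not match the bucket ARN itself, which bucket-level actions like listing require.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input modelled on the "Multi-Service Restrictions" pattern.
SAMPLE_RESTRICTIONS: Dict[str, List[str]] = {
    "s3": ["arn:aws:s3:::team-bucket/*"],
    "dynamodb": ["arn:aws:dynamodb:*:*:table/team-*"],
    "sqs": ["arn:aws:sqs:*:*:team-*"],
}


def iam_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IAM Resource pattern into an anchored regex.

    '*' matches any run of characters (colons and slashes included),
    '?' matches exactly one character; everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def arn_allowed(restrictions: Dict[str, List[str]], service: str, arn: str) -> bool:
    """True if `arn` matches at least one pattern listed for `service`.

    Assumption: a service absent from the map gets no resources at all.
    """
    patterns = restrictions.get(service, [])
    return any(iam_pattern_to_regex(p).match(arn) for p in patterns)


def broad_patterns(restrictions: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (service, pattern, reason) for patterns a reviewer should look at.

    S3 ARNs legitimately have empty region and account fields, so only an
    explicit '*' in those positions is reported.
    """
    findings = []
    for service, patterns in restrictions.items():
        for p in patterns:
            fields = p.split(":", 5)  # arn:partition:service:region:account:resource
            if len(fields) < 6:
                findings.append((service, p, "not a full ARN"))
                continue
            _, _, _, region, account, resource = fields
            if region == "*":
                findings.append((service, p, "region is a wildcard"))
            if account == "*":
                findings.append((service, p, "account is a wildcard"))
            if resource == "*":
                findings.append((service, p, "resource is '*': every resource of the service"))
    return findings


if __name__ == "__main__":
    # Constructed candidate ARNs to evaluate against the sample map.
    checks = [
        ("s3", "arn:aws:s3:::team-bucket/reports/q1.csv"),
        ("s3", "arn:aws:s3:::team-bucket"),  # bucket ARN: not covered by the object pattern
        ("dynamodb", "arn:aws:dynamodb:us-east-1:123456789012:table/team-orders"),
        ("lambda", "arn:aws:lambda:us-east-1:123456789012:function:api-v1"),
    ]
    for service, arn in checks:
        print(f"{'ALLOW' if arn_allowed(SAMPLE_RESTRICTIONS, service, arn) else 'DENY ':5} {arn}")
    for service, pattern, reason in broad_patterns(SAMPLE_RESTRICTIONS):
        print(f"REVIEW {service}: {pattern} ({reason})")
```

Run it against a proposed map before applying it; every `REVIEW` line is a place where a region or account ID could be pinned down, as the best practices recommend.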
Full Module Example
module "access_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "0.1.0"

  # resource_restrictions
  resource_restrictions = "..."

  # Other required inputs
  policy_name = "..."
}