Reputation: 57
I have an AWS KMS Key Policy containing a statement like this:
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    }
I can understand that the given root IAM user for the specified account number can perform all the kms: operations. What does * mean for the Resource? Should it be the ARN of the key? In general, what does "Resource": "*" mean in any resource policy?
Upvotes: 2
Views: 6987
Reputation: 35238
By having this in any policy (be it a resource policy such as a bucket policy or key policy, or an IAM policy), it will apply to all resources that can be scoped to the policy (IAM applies to everything; the key policy can only apply to the key that the policy is attached to).
The * gives access to the full scope of these resources. In the key policy case that is simply this key; you could also specify the ARN of the key for exactly the same effect.
In other resource policies, such as S3 bucket policies, you can actually do this based on an S3 prefix to limit the scope of what the user can access, such as arn:aws:s3:::my-bucket/public/*
Upvotes: 1
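The scoping described in the answer, as an added example that is not part of the original posts and is not AWS's own evaluation logic: a simplified model that looks only at the Resource element (Action, Principal, Condition and Deny are ignored) and shows what "*" can reach in a key policy, an identity-based IAM policy, and a bucket policy with a prefix. The region, key ids, object names and the helper names `arn_matches` and `covered` are constructed for illustration.

```python
import re

def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, arn) is not None

def covered(statement, candidates, attached_to=None):
    """ARNs from `candidates` that the statement's Resource element reaches.

    attached_to is the ARN the policy is attached to (key or bucket policy);
    None means an identity-based IAM policy, which is not tied to one resource.
    """
    patterns = statement["Resource"]
    if isinstance(patterns, str):
        patterns = [patterns]
    result = []
    for arn in candidates:
        # A resource policy can never reach beyond the resource it sits on.
        if attached_to and arn != attached_to and not arn.startswith(attached_to + "/"):
            continue
        if any(arn_matches(p, arn) for p in patterns):
            result.append(arn)
    return result

# Constructed sample ARNs (region and key ids are made up; account id is the page's).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002"
KEYS = [KEY_A, KEY_B]
BUCKET = "arn:aws:s3:::my-bucket"
OBJECTS = [BUCKET + "/public/index.html", BUCKET + "/private/payroll.csv"]

star = {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}
explicit = dict(star, Resource=KEY_A)
prefix = {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/public/*"}

if __name__ == "__main__":
    print("key policy, '*'     :", covered(star, KEYS, attached_to=KEY_A))
    print("key policy, key ARN :", covered(explicit, KEYS, attached_to=KEY_A))
    print("IAM policy, '*'     :", covered(star, KEYS))
    print("bucket policy prefix:", covered(prefix, OBJECTS, attached_to=BUCKET))
```

When reviewing policies, the same "Resource": "*" line is therefore narrow in a key policy and broad in an identity-based policy, which is where it deserves scrutiny.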