Control: 3.7 Ensure you are using an IAM policy to manage access to buckets in Lightsail
The following policy grants a user access to manage a specific bucket in the Amazon Lightsail object storage service.
This policy grants access to buckets through the Lightsail console, the AWS Command Line Interface (AWS CLI), AWS API, and AWS SDKs.
From the Console:
- Login to AWS Console using
- Click All services, click IAM under Security, Identity, & Compliance.
- Click .
- Click Create policy.
- Click on the JSON tab.
- Copy and paste the policy below into the JSON editor, replacing the text in there and filling in the Lightsail bucket names. You can find the Lightsail bucket name in the Lightsail console under Storage, Buckets.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LightsailAccess",
      "Effect": "Allow",
      "Action": "lightsail:*",
      "Resource": "*"
    },
    {
      "Sid": "S3BucketAccess",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<BucketName>/*",
        "arn:aws:s3:::<BucketName>"
      ]
    }
  ]
}
```
- Click Next tags.
- Add tags based on your company's Tagging policy, which should be in place based on the AWS Foundations Benchmark.
- Click Next review.
- Click in and give it a name that contains "Lightsail".
- Review the summary.
- Click Create policy.
- Click in the Filter policies by property or policy name box and press enter.
- Type and press enter.
- Click on the Policy name that you just created.
- Click on the Policy usage tab.
- Click .
- Add in the Users or Group that should have this permission.
- Click Attach policy.
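As an added example (not part of the benchmark text or the Powerpipe mod), the Python below builds the policy document above for a list of Lightsail bucket names and checks an existing policy document for S3 grants that are not scoped to a named bucket, which is the property this control is meant to enforce. Bucket names and the "TooBroad" sample policy are constructed for illustration.

```python
import json

def build_lightsail_bucket_policy(bucket_names):
    """Build the CIS 3.7 policy document for the given Lightsail bucket names."""
    resources = []
    for name in bucket_names:
        # Both the bucket ARN and its object ARNs are needed for full management.
        resources.append(f"arn:aws:s3:::{name}")
        resources.append(f"arn:aws:s3:::{name}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "LightsailAccess", "Effect": "Allow",
             "Action": "lightsail:*", "Resource": "*"},
            {"Sid": "S3BucketAccess", "Effect": "Allow",
             "Action": "s3:*", "Resource": resources},
        ],
    }

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _bucket_of(arn):
    """Return the bucket part of an S3 ARN, or None for a non-S3 resource."""
    if not arn.startswith("arn:aws:s3:::"):
        return None
    return arn[len("arn:aws:s3:::"):].split("/", 1)[0]

def unscoped_s3_statements(policy):
    """Sids of Allow statements that grant S3 actions on a wildcard resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        for res in _as_list(stmt.get("Resource")):
            bucket = _bucket_of(res)
            # "*" alone, or an S3 ARN whose bucket is empty or wildcarded, is unscoped.
            if res == "*" or (bucket is not None and (bucket == "" or "*" in bucket)):
                findings.append(stmt.get("Sid", "<no Sid>"))
                break
    return findings

if __name__ == "__main__":
    policy = build_lightsail_bucket_policy(["my-lightsail-bucket"])  # constructed name
    print(json.dumps(policy, indent=2))
    print("unscoped statements:", unscoped_s3_statements(policy))
```

Run it against the JSON you paste into the IAM editor; any Sid it reports still needs its Resource narrowed to the bucket ARNs before the policy is attached.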
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_3_7
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_3_7 --share
This control uses a named query:
select
  'arn:' || partition || ':::' || account_id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  account_id
from
  aws_account;