
@innyso
Last active April 11, 2020 13:03
#aws #iam #security

AWS provides a managed policy, arn:aws:iam::aws:policy/IAMReadOnlyAccess, that gives a user read-only access to all AWS resources. This is useful in most cases, but because several "read" actions return the stored data itself, extra Deny rules are sometimes required for users who should be able to inspect resources without accessing or downloading their data. Depending on the situation, some of those Deny rules can be loosened; for example, logs:GetLogEvents could be allowed for all users so they can view logs in CloudWatch when log access does not need to be segregated.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyData",
            "Effect": "Deny",
            "Action": [
                "cloudformation:GetTemplate",
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "ec2:GetConsoleOutput",
                "ec2:GetConsoleScreenshot",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "kinesis:Get*",
                "lambda:GetFunction",
                "logs:GetLogEvents",
                "s3:GetObject",
                "sdb:Select*",
                "sqs:ReceiveMessage"
            ],
            "Resource": "*"
        }
    ]
}
```
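To see how the DenyData statement interacts with a read-only grant, the following added example (not part of the gist) evaluates actions offline with a simplified version of IAM's rule that an explicit Deny always beats an Allow, and shows the "loosening" step of removing logs:GetLogEvents from the Deny list. The READ_ONLY_STANDIN policy is a constructed stand-in for the broad read-only managed policy, not its real contents; Resource and Condition matching are ignored because both policies here use Resource "*".

```python
"""Offline evaluation of the gist's DenyData statement layered on a read-only
allow policy. Added example, not part of the gist. READ_ONLY_STANDIN is a
constructed approximation (assumption) of a read-only managed policy."""
import copy
import fnmatch
import json

# The DenyData policy exactly as given in the gist.
DENY_DATA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyData",
        "Effect": "Deny",
        "Action": [
            "cloudformation:GetTemplate", "dynamodb:GetItem", "dynamodb:BatchGetItem",
            "dynamodb:Query", "dynamodb:Scan", "ec2:GetConsoleOutput",
            "ec2:GetConsoleScreenshot", "ecr:BatchGetImage", "ecr:GetAuthorizationToken",
            "ecr:GetDownloadUrlForLayer", "kinesis:Get*", "lambda:GetFunction",
            "logs:GetLogEvents", "s3:GetObject", "sdb:Select*", "sqs:ReceiveMessage",
        ],
        "Resource": "*",
    }],
}

# Constructed stand-in (assumption) for a read-only managed policy; the real
# one lists hundreds of explicit actions rather than these wildcards.
READ_ONLY_STANDIN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["*:Get*", "*:List*", "*:Describe*",
                   "dynamodb:Query", "dynamodb:Scan", "sqs:ReceiveMessage"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows "Action" to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Simplified IAM decision for one action across several policies:
    any matching explicit Deny wins, otherwise any matching Allow grants,
    otherwise the request is implicitly denied."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


def loosen(deny_policy, actions_to_allow):
    """Return a copy of deny_policy with the given actions removed from every
    Deny statement (the 'loosening' step described in the gist). The input
    policy is left untouched."""
    relaxed = copy.deepcopy(deny_policy)
    drop = {a.lower() for a in actions_to_allow}
    for stmt in relaxed["Statement"]:
        if stmt["Effect"] == "Deny":
            stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a.lower() not in drop]
    return relaxed


if __name__ == "__main__":
    layered = [READ_ONLY_STANDIN, DENY_DATA_POLICY]
    for act in ["s3:ListBucket", "s3:GetObject", "kinesis:GetRecords", "logs:GetLogEvents"]:
        print(f"{act:22} -> {evaluate(layered, act)}")
    relaxed = loosen(DENY_DATA_POLICY, ["logs:GetLogEvents"])
    print("after loosening, logs:GetLogEvents ->",
          evaluate([READ_ONLY_STANDIN, relaxed], "logs:GetLogEvents"))
    print(json.dumps(relaxed, indent=2))
```

Before attaching a policy like this to real principals, the same questions can be asked of the actual managed policy with the IAM policy simulator (the aws iam simulate-custom-policy / simulate-principal-policy APIs), which applies the full evaluation logic including resources and conditions that this example leaves out.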

Reference:

https://alestic.com/2015/10/aws-iam-readonly-too-permissive/
