Hi all,
Had a question regarding the current IAM policies being provided by Commvault for AWS policies that are all documented here.
My question is in relation to this policy.
More pointedly, I’m interested to understand if anyone has taken the time to configure these policies in a “least privilege access” approach utilizing something like condition-based tags. I understand that Commvault provides this policy. But as you can see, the bottom half of that policy is still far more wide open than what would meet a “least privilege access” approach.
For instance, I’d like to understand what SSM is being used for and how we could approach restricting these specific permissions to only the resources we need to give it access to:
"ssm:CancelCommand"
"ssm:SendCommand"
"ssm:ListCommands"
"ssm:ListDocuments"
"ssm:DescribeDocument"
"ssm:DescribeInstanceInformation"
Open to thoughts, suggestions!
Thanks,
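As an added example (not Commvault's published policy and not part of the original post), one way to scope the six SSM actions listed above: `ssm:SendCommand` and `ssm:DescribeDocument` accept resource ARNs, so Run Command can be limited to named documents and to instances carrying a chosen tag via the `ssm:resourceTag/<key>` condition key, while `ListCommands`, `ListDocuments`, `DescribeInstanceInformation` and `CancelCommand` take no resource type in the Service Authorization Reference and stay on `*` in their own statement. The region `us-east-1`, account `111122223333`, the tag `Backup=commvault` and the two document names are assumptions; replace them with the documents your CloudTrail logs show the Commvault role actually invoking.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SsmActionsWithoutResourceLevelSupport",
      "Effect": "Allow",
      "Action": [
        "ssm:ListCommands",
        "ssm:ListDocuments",
        "ssm:DescribeInstanceInformation",
        "ssm:CancelCommand"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SsmDescribeOnlyNamedDocuments",
      "Effect": "Allow",
      "Action": "ssm:DescribeDocument",
      "Resource": [
        "arn:aws:ssm:us-east-1::document/AWS-RunShellScript",
        "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
      ]
    },
    {
      "Sid": "SsmRunCommandOnlyNamedDocuments",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": [
        "arn:aws:ssm:us-east-1::document/AWS-RunShellScript",
        "arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
      ]
    },
    {
      "Sid": "SsmRunCommandOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ssm:resourceTag/Backup": "commvault"
        }
      }
    }
  ]
}
```

Because `SendCommand` is evaluated against both the document ARN and each target instance ARN, a call succeeds only when the document is one of those named and every targeted instance carries the `Backup=commvault` tag.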