 

AWS IAM policy: Multiple Actions and Multiple Resources

This is a question on AWS IAM policy: multiple Actions with multiple Resources (presumably not related). I have a parameter 'myparam' encrypted with 'mykey', and I have the policy below as separate blocks, one for the param and one for the key; it works.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Effect": "Allow",
            "Resource": "MY-ARN:MY-ACC:parameter/myparam"
        },
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "MY-ARN:MY-ACC::key/mykey"
        }
    ]
}

As per the documentation, we can combine multiple actions and resources. If I combine them as below, does this work?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:GetParameter",
                "kms:Decrypt"
            ],
            "Resource": [
                "MY-ARN:MY-ACC:parameter/myparam",
                "MY-ARN:MY-ACC::key/mykey"
            ],
            "Effect": "Allow"
        }
    ]
}

How does the Actions to Resource mapping happen in this case? I couldn't find any documentation on this: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html If I had associated resources or associated Actions then it would make sense. What are your comments on this?

Krishna asked May 21 '20 21:05



1 Answer

If I combine the same as below, Does this work?

Yes it does.

To verify that, I recreated your scenario with mykey and myparam and an inline policy added to the execution role of a test lambda.

As a matter of fact, when you use the IAM console to create such permissions, the inline JSON policy created will have the second form, not the first one:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:kms:*:xxx:key/e15f691e-5dde-473c-8f24-3af45994aeaf",
                "arn:aws:ssm:*:xxx:parameter/myparam"
            ]
        }
    ]
}

What's more, the order of items in Actions and Resources is irrelevant. Thus you can also have (different action order):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:*:xxx:key/e15f691e-5dde-473c-8f24-3af45994aeaf",
                "arn:aws:ssm:*:xxx:parameter/myparam"
            ]
        }
    ]
}

This means that IAM tests the actions against the resources only if a given resource supports them.

The first form is often preferred, as it's easier to read and manage. If you put everything into one statement, it's difficult to name such a statement, edit it and debug it.

Marcin answered Nov 18 '22 21:11

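Added example, not part of the question or the answer above: a small Python model of the documented evaluation rule for a single statement, so you can see the Action to Resource mapping the question asks about without deploying anything. Within one statement IAM matches a request when its action matches any entry in "Action" and its resource matches any entry in "Resource"; the two lists are a cross product, not pairwise action[i] to resource[i] mappings. The block encodes both forms from the question, checks that they decide every realistic request identically, and shows the one practical caveat of the combined form: a "*" dropped into the shared Resource list widens every action in the statement. The account id, region, key id, ARNs and request list are constructed placeholders; Condition, NotAction, NotResource, SCPs, permission boundaries and resource-based policies are deliberately not modelled.

```python
"""Local model of how one IAM statement maps Action to Resource.

Added example, not code from the question or the answer. Models the
documented rule for a single statement: a request matches when its action
matches ANY "Action" entry AND its resource matches ANY "Resource" entry,
i.e. the two lists form a cross product. Only Effect/Action/Resource are
modelled; Condition, NotAction, NotResource, SCPs and resource policies
are out of scope. All ARNs and ids below are constructed placeholders.
"""
import re

ACCOUNT = "111122223333"  # placeholder account id
PARAM_ARN = f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter/myparam"
OTHER_PARAM_ARN = f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter/otherparam"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/mykey"  # placeholder key id

# First form from the question: one statement per (action, resource) pair.
SPLIT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameter"],
         "Resource": f"arn:aws:ssm:*:{ACCOUNT}:parameter/myparam"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": f"arn:aws:kms:*:{ACCOUNT}:key/mykey"},
    ],
}

# Second form: both actions and both resources in a single statement.
COMBINED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:GetParameter", "kms:Decrypt"],
         "Resource": [f"arn:aws:ssm:*:{ACCOUNT}:parameter/myparam",
                      f"arn:aws:kms:*:{ACCOUNT}:key/mykey"]},
    ],
}

# Caveat: a "*" added to the shared Resource list (a common shortcut when
# one action needs it) now applies to EVERY action in the statement.
WIDENED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:GetParameter", "kms:Decrypt"],
         "Resource": [f"arn:aws:ssm:*:{ACCOUNT}:parameter/myparam",
                      f"arn:aws:kms:*:{ACCOUNT}:key/mykey", "*"]},
    ],
}


def glob_match(pattern: str, value: str) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are not.
        hit_action = any(glob_match(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        hit_resource = any(glob_match(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


def admitted_pairs(policy: dict, actions, resources) -> set:
    """Every (action, resource) pair the policy allows on paper."""
    return {(a, r) for a in actions for r in resources
            if evaluate(policy, a, r) == "Allow"}


# Requests a real caller can make: an action is only ever evaluated against
# ARNs of its own service, so ssm:* never meets a kms key ARN in practice.
REAL_REQUESTS = [
    ("ssm:GetParameter", PARAM_ARN),
    ("ssm:GetParameter", OTHER_PARAM_ARN),
    ("kms:Decrypt", KEY_ARN),
    ("ssm:PutParameter", PARAM_ARN),
]


def same_decisions(p1: dict, p2: dict, requests=REAL_REQUESTS) -> bool:
    """True when both policies decide every request the same way."""
    return all(evaluate(p1, a, r) == evaluate(p2, a, r) for a, r in requests)


if __name__ == "__main__":
    for name, policy in [("SPLIT", SPLIT), ("COMBINED", COMBINED), ("WIDENED", WIDENED)]:
        for a, r in REAL_REQUESTS:
            print(f"{name:9} {a:17} {r.split(':')[-1]:22} -> {evaluate(policy, a, r)}")
    print("split == combined on real requests:", same_decisions(SPLIT, COMBINED))
    print("split == widened on real requests:", same_decisions(SPLIT, WIDENED))
    print("pairs the combined statement admits on paper:",
          sorted(admitted_pairs(COMBINED, ["ssm:GetParameter", "kms:Decrypt"],
                                [PARAM_ARN, KEY_ARN])))
```

Running it shows the two forms from the question agreeing on every realistic request, while on paper the combined statement also admits (kms:Decrypt, parameter ARN) and (ssm:GetParameter, key ARN); those pairs are harmless only because no real request carries a KMS action against an SSM ARN, which is the point behind "only if a given resource supports them". The WIDENED policy is the thing to watch for in review of combined statements: one "*" makes ssm:GetParameter readable on otherparam too. For the authoritative answer on a real account, run the policy document through `aws iam simulate-custom-policy` with `--policy-input-list`, `--action-names` and `--resource-arns`; it reports an EvalDecision per action and resource combination, which is what this model approximates locally.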