What is the best built in AWS policy for a Terraform user?
I am looking for the best built in AWS policy for my Terraform IAM user.
I am using Terraform to create resources in AWS. Terraform runs via an IAM user.
I need this IAM user to have least privilege in that it can create resources in AWS but does not have Administrator access.
Is there a built in policy in AWS that would allow creation / destruction of AWS resources without also granting administrator access.
I have reviewed the roles but didn't find anything obvious to suit.
The correct policy will be the policy that allows Terraform to perform the actions on the resources you need.
The built in AWS policies are often broad stroke policies, which have to be customized anyways because they often grant more permissions than you would want in a least privilege environment (such as permissions to delete resources); the “best” policy, and best practice, will be the one you craft yourself and explicitly define permissions for.
If you really need to use the AWS defined policies, you can use a built in policy that has the permissions you need (including the Administrator policy) and attach
DENYstatements for any actions you do not want TF to be able to perform. To be clear this is not best practice, and considering that IAM is deny by default, this approach is almost certainly more effort than crafting a policy that you explicitly allow permissions for.