From 64905a0627a5e2e2ac8d0727b684621daa00fcde Mon Sep 17 00:00:00 2001 From: Harsh Mishra Date: Mon, 9 Sep 2024 17:10:44 +0530 Subject: [PATCH] Revamp IAM docs (#1414) --- content/en/references/configuration.md | 4 +-- content/en/user-guide/aws/iam/index.md | 31 +++++++------------ .../security-testing/iam-enforcement/index.md | 4 +++ 3 files changed, 17 insertions(+), 22 deletions(-) diff --git a/content/en/references/configuration.md b/content/en/references/configuration.md index f49875afad..66a560c4fd 100644 --- a/content/en/references/configuration.md +++ b/content/en/references/configuration.md @@ -191,8 +191,8 @@ See [here](#opensearch). | Variable | Example Values | Description | | - | - | - | -| `ENFORCE_IAM` | `0` (default)\|`1` | Enable IAM policy evaluation and enforcement. If this is disabled (the default), IAM policies will have no effect to your requests. | -| `IAM_SOFT_MODE` | `0` (default)\|`1` | Enable IAM soft mode. This leads to policy evaluation without actually denying access. Needs `ENFORCE_IAM` enabled as well. For more information, see [Identity and Access Management]({{< ref "user-guide/aws/iam" >}}).| +| `ENFORCE_IAM` (pro) | `0` (default)\|`1` | Enable IAM policy evaluation and enforcement. If this is disabled (the default), IAM policies will have no effect to your requests. | +| `IAM_SOFT_MODE` (pro) | `0` (default)\|`1` | Enable IAM soft mode. This leads to policy evaluation without actually denying access. Needs `ENFORCE_IAM` enabled as well. For more information, see [Identity and Access Management]({{< ref "user-guide/aws/iam" >}}).| ### Kinesis diff --git a/content/en/user-guide/aws/iam/index.md b/content/en/user-guide/aws/iam/index.md index b1f48086d9..d543062cbf 100644 --- a/content/en/user-guide/aws/iam/index.md +++ b/content/en/user-guide/aws/iam/index.md 
@@ -14,6 +14,7 @@ By centralizing access control, administrators can enforce the principle of leas LocalStack allows you to use the IAM APIs in your local environment to create and manage users, groups, and roles, granting permissions that adhere to the principle of least privilege. The supported APIs are available on our [API coverage page](https://docs.localstack.cloud/references/coverage/coverage_iam/), which provides information on the extent of IAM's integration with LocalStack. +The policy coverage is documented in the [IAM coverage documentation]({{ ref "iam-coverage"}}. ## Getting started 
@@ -97,26 +98,16 @@ The Resource Browser allows you to perform the following actions: - **Edit User, Group, Role, and Policy Details**: Click on any listed resources to edit its details by clicking on the desired User, Group, Role, or Policy. - **Delete User, Group, Role, and Policy**: Select any listed resources to delete them by clicking the **Actions** button and selecting **Remove Selected**. -## Supported APIs - -IAM security enforcement is comprehensively available for all AWS APIs in LocalStack and has undergone thorough testing across multiple services. -The services that have been rigorously tested include: - -- ACM -- API Gateway -- CloudFormation -- CloudWatch (metrics/events/logs) -- DynamoDB -- DynamoDB Streams -- Elasticsearch Service -- EventBus, Kinesis -- KMS -- Lambda -- Redshift -- S3 -- SecretsManager -- SNS -- SQS +## Special Tools + +LocalStack provides various tools to help you generate, test, and enforce IAM policies more efficiently. + +- **IAM Policy Stream**: IAM Policy Stream provides a real-time view of API calls and the corresponding IAM policies they generate, simplifying permission management and ensuring correct permissions are assigned. + Learn more in the [IAM Policy Stream documentation]({{< ref "user-guide/security-testing/iam-policy-stream" >}}). +- **IAM Policy Enforcement**: This configuration enforces IAM policies when interacting with local cloud APIs, simulating a real AWS environment. + For additional information, refer to the [IAM Policy Enforcement documentation]({{< ref "iam-enforcement" >}}). +- **Explainable IAM**: Explainable IAM logs outputs related to failed policy evaluations directly to LocalStack logs, aiding in the identification of necessary policies for successful requests. + More details are available in the [Explainable IAM documentation]({{< ref "explainable-iam" >}}). ## Examples 
diff --git a/content/en/user-guide/security-testing/iam-enforcement/index.md b/content/en/user-guide/security-testing/iam-enforcement/index.md index f655b54c6b..d3b53b225d 100644 --- a/content/en/user-guide/security-testing/iam-enforcement/index.md +++ b/content/en/user-guide/security-testing/iam-enforcement/index.md @@ -113,3 +113,7 @@ You can view the LocalStack logs to validate the policy enforcement: You can further use the IAM Policy Enforcement feature to test your Infrastructure as Code (IaC) deployments and ensure that your policies are correctly enforced. If the IAM policies are not correctly enforced, you will get an unsuccessful response from the API call, and the LocalStack logs will provide you with the necessary information to debug the issue. + +## Feature coverage + +The feature coverage is documented in the [IAM coverage documentation]({{ ref "iam-coverage"}}.
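Review bot: In the `content/en/references/configuration.md` hunk, the two rewritten table rows only add the `(pro)` marker and carry over the grammatical error "will have no effect to your requests"; since both rows are being touched anyway, change it to "will have no effect on your requests" in the `ENFORCE_IAM` row. It would also help to state in the `IAM_SOFT_MODE` row what "soft mode" actually surfaces (for example, that denials are logged rather than returned), since "policy evaluation without actually denying access" does not tell a reader where the evaluation result ends up.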
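Review bot: In the `@@ -14,6 +14,7 @@` hunk of `content/en/user-guide/aws/iam/index.md`, the added line `+The policy coverage is documented in the [IAM coverage documentation]({{ ref "iam-coverage"}}.` has a malformed Hugo shortcode and an unclosed Markdown link: the other refs in this same patch use `{{< ref "..." >}}` with angle brackets, and the link's closing `)` is missing, so the build either fails or renders the raw template text. Suggested line: `The policy coverage is documented in the [IAM coverage documentation]({{< ref "iam-coverage" >}}).`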
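Review bot: In the `@@ -97,26 +98,16 @@` hunk of `content/en/user-guide/aws/iam/index.md`, deleting the "Supported APIs" section removes the list of services for which IAM enforcement was tested (ACM, API Gateway, CloudFormation, ... SQS) without moving it anywhere; unless the new coverage page carries that list, this hunk silently drops information users rely on to judge whether enforcement results for a given service are trustworthy. Consider relocating the list rather than deleting it. Separately, the three new bullets are inconsistent in how they reference pages: `{{< ref "user-guide/security-testing/iam-policy-stream" >}}` uses a full path while `{{< ref "iam-enforcement" >}}` and `{{< ref "explainable-iam" >}}` use bare page names, which only resolve if those names are unique site-wide; pick one form for all three.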
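Review bot: In the `@@ -113,3 +113,7 @@` hunk of `content/en/user-guide/security-testing/iam-enforcement/index.md`, the added line `+The feature coverage is documented in the [IAM coverage documentation]({{ ref "iam-coverage"}}.` has the same defect as the IAM index page: the shortcode is missing its `<` and `>` delimiters and the Markdown link is never closed with `)`. Suggested line: `The feature coverage is documented in the [IAM coverage documentation]({{< ref "iam-coverage" >}}).` The new "## Feature coverage" heading is fine, but consider naming what the coverage page enumerates (supported policy element types, condition keys, or services) so the reader knows what to expect before following the link.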