
Policy

The Policy resource lets you manage Amazon Verified Permissions policies and their configuration settings. Each policy is a single Cedar `permit` or `forbid` statement (the `Static.Statement` of its `Definition`) attached to a policy store; the entity types and actions used in the examples below (`Bucket`, `Table`, `Instance`, `Action`) are placeholders that must be declared in that policy store's schema.

Create a basic policy with the required properties: a static Cedar definition and the ID of the policy store it belongs to.

```ts
import AWS from "alchemy/aws/control";

const basicPolicy = await AWS.VerifiedPermissions.Policy("basicPolicy", {
  Definition: {
    // A static policy is one Cedar statement; Bucket and Action are placeholder
    // entity types that must exist in the policy store's schema.
    Static: {
      Description: "Read objects under the protected/ prefix",
      Statement: `
        permit(
          principal,
          action == Action::"GetObject",
          resource in Bucket::"my-bucket"
        ) when { resource.prefix == "protected/" };
      `
    }
  },
  PolicyStoreId: "myPolicyStoreId"
});
```

Define more complex rules with multiple statements and conditions. Because each Verified Permissions policy holds a single Cedar statement, the permit and the deny below are two policies in the same store; a matching `forbid` always overrides any `permit`.

```ts
const advancedPolicy = await AWS.VerifiedPermissions.Policy("advancedPolicy", {
  Definition: {
    Static: {
      Description: "Read and write objects under protected/ or private/",
      Statement: `
        permit(
          principal,
          action in [Action::"GetObject", Action::"PutObject"],
          resource in Bucket::"my-bucket"
        ) when { ["protected/", "private/"].contains(resource.prefix) };
      `
    }
  },
  PolicyStoreId: "myPolicyStoreId"
});

// Evaluated alongside the permit above: if this forbid matches, the request is
// denied no matter which permits also match.
const denyDeletePolicy = await AWS.VerifiedPermissions.Policy("denyDeletePolicy", {
  Definition: {
    Static: {
      Description: "Never allow deletes under private/",
      Statement: `
        forbid(
          principal,
          action == Action::"DeleteObject",
          resource in Bucket::"my-bucket"
        ) when { resource.prefix == "private/" };
      `
    }
  },
  PolicyStoreId: "myPolicyStoreId"
});
```

Create a policy by adopting an existing resource instead of failing if it already exists.

```ts
const adoptedPolicy = await AWS.VerifiedPermissions.Policy("adoptedPolicy", {
  Definition: {
    Static: {
      Description: "Write items to myTable",
      Statement: `
        permit(
          principal,
          action == Action::"PutItem",
          resource == Table::"myTable"
        );
      `
    }
  },
  PolicyStoreId: "myPolicyStoreId",
  // Take over a policy that already exists in the store instead of failing on create.
  adopt: true
});
```

Combine multiple conditions in one `when` clause for fine-grained access control: request context and resource attributes can both be tested, and every condition must hold for the permit to apply.

```ts
const conditionalPolicy = await AWS.VerifiedPermissions.Policy("conditionalPolicy", {
  Definition: {
    Static: {
      Description: "Start a production instance only when it is small",
      Statement: `
        permit(
          principal,
          action == Action::"StartInstances",
          resource == Instance::"i-0abcd1234efgh5678"
        ) when {
          context.environment == "production" &&
          resource.cpu <= 4
        };
      `
    }
  },
  PolicyStoreId: "myPolicyStoreId"
});
```
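A policy definition is only validated when it reaches the service, so a mistake such as passing an IAM policy document, or a `permit` with no scope and no condition, is easy to ship. The following is an added example, not Alchemy's or AWS's own code: a small pre-deploy lint for the `Definition` object passed to `AWS.VerifiedPermissions.Policy`. It assumes the static-policy shape `{ Static: { Description?, Statement } }`, checks the Cedar text only superficially (the service still validates it against the store's schema), and uses constructed sample inputs.

```javascript
// Added example, not Alchemy's or AWS's own code: a pre-deploy lint for the
// Definition object passed to AWS.VerifiedPermissions.Policy. It assumes the
// static-policy shape { Static: { Description?, Statement } } and checks the
// Cedar text only superficially (the service validates it against the schema).

const CEDAR_HEAD = /^(permit|forbid)\s*\(([^)]*)\)/s;

// Returns a list of findings; an empty list means the definition passes.
function lintStaticPolicy(definition) {
  const findings = [];
  if (!definition || typeof definition !== "object") {
    return ["Definition must be an object"];
  }
  // Common mistake: passing an IAM policy document where Cedar is expected.
  if ("Version" in definition || "Statement" in definition) {
    findings.push("looks like an IAM policy document; use { Static: { Statement } } with a Cedar statement");
  }
  const stat = definition.Static;
  if (!stat || typeof stat.Statement !== "string") {
    findings.push("Static.Statement (Cedar text) is required");
    return findings;
  }
  const statement = stat.Statement.trim();
  const head = statement.match(CEDAR_HEAD);
  if (!head) {
    findings.push("statement must start with permit( or forbid(");
  }
  if (!statement.endsWith(";")) {
    findings.push("statement must end with ';'");
  }
  // A permit whose scope leaves principal, action and resource unconstrained
  // and that has no when/unless clause matches every request in the store.
  if (head && head[1] === "permit") {
    const scopeIsOpen = /^\s*principal\s*,\s*action\s*,\s*resource\s*$/.test(head[2]);
    const hasCondition = /\b(when|unless)\s*\{/.test(statement);
    if (scopeIsOpen && !hasCondition) {
      findings.push("permit with an unconstrained scope and no when/unless clause allows everything");
    }
  }
  return findings;
}

// Builds the props for AWS.VerifiedPermissions.Policy, refusing definitions
// that fail the lint so a bad policy never reaches the deploy step.
function staticPolicyProps(policyStoreId, statement, description) {
  const definition = { Static: { Statement: statement } };
  if (description) {
    definition.Static.Description = description;
  }
  const findings = lintStaticPolicy(definition);
  if (findings.length > 0) {
    throw new Error("policy rejected: " + findings.join("; "));
  }
  return { Definition: definition, PolicyStoreId: policyStoreId };
}

// Constructed sample inputs for a quick self-check (Bucket and Action are
// placeholder entity types, as in the examples above).
const SAMPLE_IAM_DOC = { Version: "2012-10-17", Statement: [] };
const SAMPLE_ALLOW_ALL = 'permit(principal, action, resource);';
const SAMPLE_GOOD = `permit(principal, action == Action::"GetObject", resource in Bucket::"my-bucket")
  when { resource.prefix == "protected/" };`;

console.log(lintStaticPolicy(SAMPLE_IAM_DOC));
console.log(lintStaticPolicy({ Static: { Statement: SAMPLE_ALLOW_ALL } }));
console.log(staticPolicyProps("myPolicyStoreId", SAMPLE_GOOD, "read protected/ objects"));
```

Run the lint in the same step that builds the `Policy` props, so a definition that would be rejected by the service (or, worse, accepted while allowing every request) fails before anything is deployed.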