
json - Format AWS Cloudtrail logs argument's value to friendly view - Stack Overflow


How can I format the policyDocument argument's value in an AWS CloudTrail log for a friendlier view, using a tool (local or online)? In this example the event is "eventName": "PutRolePolicy".

    "eventTime": "2025-03-10T16:20:58Z",
    "eventSource": "iam.amazonaws",
    "eventName": "PutRolePolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "82.xx.xx.xx",
    "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.6 (+https://www.terraform.io) terraform-provider-aws/5.90.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.36.3 ua/2.1 os/macos lang/go#1.23.5 md/GOOS#darwin md/GOARCH#arm64 api/iam#1.40.1 m/n",
    "requestParameters": {
        "roleName": "Developer",
        "policyName": "Developer-policy",
        "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ec2messages:Get*\",\"ec2:StopInstances\",\"ec2:StartInstances\",\"ec2:Get*\",\"ec2:Describe*\"],\"Condition\":{\"StringEquals\":{\"ec2:ResourceTag/Platform\":\"Test_Tenant_ns2\"}},\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"EC2Permissions\"},{\"Action\":[\"ecr:List*\",\"ecr:Get*\",\"ecr:Describe*\",\"ecr:BatchGet*\",\"ecr:BatchCheck*\"],\"Condition\":{\"StringEquals\":{\"ecr:ResourceTag/Platform\":\"Test_Tenant_ns2\"}},\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"ECRPermissionsListGet\"},{\"Action\":[\"ecr:UploadLayerPart\",\"ecr:PutImage\",\"ecr:InitiateLayerUpload\",\"ecr:CompleteLayerUpload\",\"ecr:BatchDeleteImage\",\"ecr:BatchCheckLayerAvailability\"],\"Condition\":{\"StringEquals\":{\"ecr:ResourceTag/Platform\":\"Test_Tenant_ns2\"}},\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"ECRPermissionsPushImage\"},{\"Action\":[\"s3:List*\",\"s3:Get*\"],\"Condition\":{\"StringEquals\":{\"s3:ExistingObjectTag/Platform\":\"Test_Tenant_ns2\"}},\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"S3Permissions\"},{\"Action\":[\"secretsmanager:UpdateSecret\",\"secretsmanager:PutSecretValue\",\"secretsmanager:List*\",\"secretsmanager:GetSecretValue\",\"secretsmanager:GetResourcePolicy\",\"secretsmanager:Describe*\"],\"Condition\":{\"StringEquals\":{\"secretsmanager:ResourceTag/Platform\":\"Test_Tenant_ns2\"}},\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"SecretsManagerResources\"},{\"Action\":\"ssm:PutParameter\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:ssm::<aws-account-id>:parameter/vgsl-sandbox-sandbox-eucentral1-workload-ssm/*\",\"Sid\":\"SSMParameters\"},{\"Action\":\"kms:Decrypt\",\"Condition\":{\"StringEquals\":{\"aws:resourceTag/Platform\":\"Test_Tenant_ns2\"}},\"Effect\":\"Allow\",\"Resource\":\"arn:aws:kms:*:*:key/*\",\"Sid\":\"ManageKMS\"},{\"Action\":[\"route53resolver:List*\",\"route53resolver:Get*\",\"route53domains:View*\",\"route53domains:List*\",\"route53domains:Get*\",\"route53domains:Check*\",\"route53:Test*\",\"route53:List*\",\"route53:Get*\",\"kafka:List*\",\"kafka:Get*\",\"kafka:Describe*\",\"eks:List*\",\"eks:Describe*\"],\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"NonSupportingResourceTagResources\"},{\"Action\":[\"iam:PassRole\",\"iam:GetRole\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws:iam::<aws-account-id>:role/vgsl-sandbox-*\",\"Sid\":\"IamGetPassRole\"},{\"Action\":[\"cognito-idp:*\",\"cognito-identity:*\"],\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"CognitoAllPermissions\"}]}"
    },
1 Answer

Locally you could use jq to pretty-print the requestParameters object:

$ aws cloudtrail ... | jq '.requestParameters.policyDocument | fromjson'
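
The same decode step as the jq `fromjson` filter above, as an added Python example that is not part of the original answer: it expands every JSON-in-a-string field of a CloudTrail record and, going a step beyond formatting, lists the Allow statements on Resource "*" that carry no Condition. The sample record is constructed from field names and two statements in the question; the function names are hypothetical.

```python
import json

def decode_embedded(value):
    """Return the parsed object if value is a string holding a JSON object/array, else value."""
    if not isinstance(value, str) or value.lstrip()[:1] not in ("{", "["):
        return value
    try:
        return json.loads(value)
    except json.JSONDecodeError:
        return value  # truncated or not JSON after all: keep the original string

def expand_event(node):
    """Recursively replace JSON-in-a-string fields (e.g. policyDocument) with real objects."""
    node = decode_embedded(node)
    if isinstance(node, dict):
        return {k: expand_event(v) for k, v in node.items()}
    if isinstance(node, list):
        return [expand_event(v) for v in node]
    return node

def as_list(x):
    return x if isinstance(x, list) else [x]

def unconditioned_wildcards(policy):
    """Sids of Allow statements whose Resource includes "*" and that have no Condition."""
    return [s.get("Sid", "<no Sid>") for s in as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and "Condition" not in s
            and "*" in as_list(s.get("Resource"))]

# Constructed sample: a shortened record reusing field names and two statements from the question.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EC2Permissions", "Effect": "Allow",
     "Action": ["ec2:Get*", "ec2:Describe*"], "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Platform": "Test_Tenant_ns2"}}},
    {"Sid": "CognitoAllPermissions", "Effect": "Allow",
     "Action": ["cognito-idp:*", "cognito-identity:*"], "Resource": "*"}]}
SAMPLE_EVENT = {"eventName": "PutRolePolicy",
                "requestParameters": {"roleName": "Developer",
                                      "policyName": "Developer-policy",
                                      # CloudTrail stores the policy as an escaped JSON string
                                      "policyDocument": json.dumps(SAMPLE_POLICY)}}

if __name__ == "__main__":
    event = expand_event(SAMPLE_EVENT)
    print(json.dumps(event, indent=2))
    policy = event["requestParameters"]["policyDocument"]
    print("Allow on * without Condition:", unconditioned_wildcards(policy))
```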