Policies
What Is a Policy?
A policy defines what actions are allowed or denied on which resources in Krutrim Cloud.
Policies are written as JSON documents containing permission rules (called statements). A policy does not grant access by itself—it only takes effect when attached to a role.
Key Characteristics
Policies cannot be attached directly to users or groups
Policies have no effect without roles
All permission evaluation happens at the role level
Users get access only through roles/groups
Policy Rule Model
Every policy follows a structured rule model.
Core Policy Fields
Policy Name | Unique identifier for the policy | Yes
Description | Purpose of the policy | Yes
Access Rules | Each policy consists of one or more rules with the following fields: Policy Type (service or capability namespace), Operations (usually CRUD), Effect (Allow / Deny), Resource Name (resources affected) | Yes
Access Rule Fields
Field | Description | Example
Policy Type | Target cloud service | All, Security Group, VPC, Virtual machine, Krutrim Certificate Manager, Krutrim Block Storage, Krutrim Object Storage, DNS, Krutrim Kubernetes System, Auto Scaling Groups, Load Balancer, Krutrim Ai Pods, Finetuning, Evaluation, IAM, Model Registry, DBaaS, MaaS, Inference, Billing, SSH Keys.
Resource Name | Resources affected | Set to * by default
Operations | Allowed or denied actions | Create, Read, Update and Delete
Effect | Permission outcome | Allow or Deny
Allow vs. Deny Logic
Allow → Grants permission
Deny → Explicitly blocks permission
Evaluation Order:
Deny statements are evaluated first
If any deny matches → access is blocked
If no deny matches → allow statements are evaluated
If no allow matches → access is denied by default
Important: Deny always overrides allow.
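The evaluation order above, combined with the rule that permissions reach users only through roles, as an added example (not Krutrim's code and not its policy JSON schema). The Rule class, the mapping dictionaries and every policy, role, group and user name are hypothetical; treating "All" as matching every service and pooling the rules of all of a user's roles are assumptions.

```python
from dataclasses import dataclass

CRUD = frozenset({"Create", "Read", "Update", "Delete"})

@dataclass(frozen=True)
class Rule:                      # hypothetical in-memory form of one access rule
    policy_type: str             # service name such as "vpc" or "kbs", or "All"
    operations: frozenset        # subset of CRUD
    effect: str                  # "Allow" or "Deny"
    resource: str = "*"          # Resource Name is set to * by default

def matches(rule, service, operation, resource):
    return (rule.policy_type in ("All", service) and operation in rule.operations
            and rule.resource in ("*", resource))

def evaluate(rules, service, operation, resource):
    """Deny statements first, then allow statements, then default deny."""
    hits = [r.effect for r in rules if matches(r, service, operation, resource)]
    if "Deny" in hits:
        return "Deny (explicit)"
    return "Allow" if "Allow" in hits else "Deny (default)"

def rules_for(user, user_roles, group_members, group_roles, role_policies, policies):
    """Rules reach a user only through roles, held directly or via groups."""
    roles = set(user_roles.get(user, ()))
    for group, members in group_members.items():
        if user in members:
            roles.update(group_roles.get(group, ()))
    return [rule for role in sorted(roles)
            for name in role_policies.get(role, ())
            for rule in policies[name]]

# Constructed sample data; every name below is hypothetical.
POLICIES = {
    "vpc-admin-no-kbs": [Rule("vpc", CRUD, "Allow"), Rule("kbs", CRUD, "Deny")],
    "kbs-full":         [Rule("kbs", CRUD, "Allow")],
    "kks-creator": [Rule("kks", CRUD, "Allow"), Rule("vpc", CRUD - {"Delete"}, "Allow")],
    "orphan-admin":     [Rule("All", CRUD, "Allow")],   # attached to no role
}
ROLE_POLICIES = {"net-admin": ["vpc-admin-no-kbs", "kbs-full"], "cluster-builder": ["kks-creator"]}
USER_ROLES = {"alice": ["net-admin"]}            # role assigned directly
GROUP_MEMBERS = {"platform": {"bob"}}
GROUP_ROLES = {"platform": ["cluster-builder"]}  # role assigned via group

def check(user, service, operation, resource):
    rules = rules_for(user, USER_ROLES, GROUP_MEMBERS, GROUP_ROLES, ROLE_POLICIES, POLICIES)
    return evaluate(rules, service, operation, resource)

if __name__ == "__main__":
    print(check("alice", "kbs", "Read", "vol-1"))
```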
Policy Creation Flow
Define policy (name, description)
Specify Access Rule (service, resource, operation, effect)
Save the policy
Attach policy to role(s)
Assign role to users or groups
Note: A policy has no effect until attached to a role.
Managing Policies
Editing a Policy
You can edit a policy to:
Update name or description
Add, Remove or Modify statements
Remove conditions
Steps:
IAM → Policies
Select policy → Edit
Make changes → Save
Editing a policy immediately affects:
All roles using the policy
All users assigned to those roles (directly or via groups)
Changes may:
Grant new access
Revoke existing access
Change / Break user workflows
Best Practices:
Communicate changes in advance
Review attached roles before editing
Avoid frequent edits to widely-used policies
Prefer creating new policies instead
Deleting a Policy
Policies cannot be deleted while attached to roles.
Steps:
Detach policy from all roles
Return to policy
Click Delete
Warning: Deletion is permanent.
Policy Types by Service
Policies are organized by service and by access level.
Default (System-Managed) Policies
Krutrim Cloud provides predefined policies for common use cases.
FullAccess | Full control over the service
ReadAccess | Read Only access
ReadWriteAccess | Read and modify (no delete)
Characteristics:
Created and maintained by the system
Cannot be edited or deleted
Evaluated like regular policies
List of Default Policies
asg | KASGFullAccess | Krutrim ASG Full Access Policy | Auto-Scaling Groups
asg | KASGReadOnlyAccess | Krutrim ASG Read Only Access Policy | Auto-Scaling Groups
asg | KASGReadWriteAccess | Krutrim ASG Read Write Access Policy | Auto-Scaling Groups
billing | KBillingFullAccess | Krutrim Billing Full Access Policy | Billing
dbaas | KDBaaSFullAccess | Krutrim DBaaS Full Access Policy | DBaaS
dbaas | KDBaaSReadOnlyAccess | Krutrim DBaaS Read Only Access Policy | DBaaS
dbaas | KDBaaSReadWriteAccess | Krutrim DBaaS Read Write Access Policy | DBaaS
dns | KDNSFullAccess | Krutrim DNS Full Access Policy | DNS, Zones, Records
dns | KDNSReadOnlyAccess | Krutrim DNS Read Only Access Policy | DNS, Zones, Records
dns | KDNSReadWriteAccess | Krutrim DNS Read Write Access Policy | DNS, Zones, Records
evaluation | KEvaluationFullAccess | Krutrim Evaluation Full Access Policy | Evaluation
evaluation | KEvaluationReadOnlyAccess | Krutrim Evaluation Read Only Access Policy | Evaluation
evaluation | KEvaluationReadWriteAccess | Krutrim Evaluation Read Write Access Policy | Evaluation
finetuning | KFineTuningFullAccess | Krutrim Fine Tuning Full Access Policy | Fine-Tuning
finetuning | KFineTuningReadOnlyAccess | Krutrim Fine Tuning Read Only Access Policy | Fine-Tuning
finetuning | KFineTuningReadWriteAccess | Krutrim Fine Tuning Read Write Access Policy | Fine-Tuning
iam | KIAMFullAdminAccessAllResources | Krutrim Centralized IAM Full Access Policy across all IAM resources | Users, Groups, Roles, Policies, Association Between Users/Groups/Roles/Policies
iam | KIAMReadOnlyAccessAllResources | Krutrim Centralized IAM Read Only Access Policy across all IAM resources | Users, Groups, Roles, Policies, Association Between Users/Groups/Roles/Policies
iam | KIAMReadWriteOnlyAccessAllResources | Krutrim Centralized IAM Read Write Access Policy across all IAM resources | Users, Groups, Roles, Policies, Association Between Users/Groups/Roles/Policies
iam | KIAMGroupManagerAccess | Krutrim Centralized IAM Group Management Access Policy | Groups
iam | KIAMGroupReadOnlyAccess | Krutrim Centralized IAM Group Read Only Access Policy | Groups
iam | KIAMGroupReadWriteAccess | Krutrim Centralized IAM Group read Write Access Policy | Groups
iam | KIAMMappingManagerAccess | Krutrim Centralized IAM User/Group/Role/Policies Association Full Access Policy | Association Between Users/Groups/Roles/Policies
iam | KIAMMappingReadOnlyAccess | Krutrim Centralized IAM User/Group/Role/Policies Association Read Only Access Policy | Groups
iam | KIAMMappingReadWriteAccess | Krutrim Centralized IAM User/Group/Role/Policies Association Read Write Access Policy | Groups
iam | KIAMPolicyManagerAccess | Krutrim Centralized IAM Policy Management Access Policy | Policies
iam | KIAMPolicyReadOnlyAccess | Krutrim Centralized IAM Policy Read Only Access Policy | Policies
iam | KIAMPolicyReadWriteAccess | Krutrim Centralized IAM Policy Read Write Access Policy | Policies
iam | KIAMRoleManagerAccess | Krutrim Centralized IAM Role Management Access Policy | Roles
iam | KIAMRoleReadOnlyAccess | Krutrim Centralized IAM Role Read Only Access Policy | Roles
iam | KIAMRolereadWriteAccess | Krutrim Centralized IAM Role Read write Access Policy | Roles
iam | KIAMUserManagerAccess | Krutrim Centralized IAM User Management Full Access Policy | Users
iam | KIAMUserReadOnlyAccess | Krutrim Centralized IAM User Read Only Access Policy | Users
iam | KIAMUserReadWriteAccess | Krutrim Centralized IAM User Read Write Access Policy | Users
inference | KInferenceFullAccess | Krutrim Inference Full Access Policy | Inference
inference | KInferenceReadOnlyAccess | Krutrim Inference Read Only Access Policy | Inference
inference | KInferenceReadWriteAccess | Krutrim Inference Read Write Access Policy | Inference
kbs | KBlockStorageFullAccess | Krutrim Block Storage Full Access Policy | Block Storage
kbs | KBlockStorageReadOnlyAccess | Krutrim Block Storage Read Only Access Policy | Block Storage
kbs | KBlockStorageReadWriteAccess | Krutrim Block Storage Read Write Access Policy | Block Storage
kcm | KCertManagerFullAccess | Krutrim Certificate Manager Full Access Policy | Certificates
kcm | KCertManagerReadOnlyAccess | Krutrim Certificate Manager Read Only Access Policy | Certificates
kcm | KCertManagerReadWriteAccess | Krutrim Certificate Manager Read Write Access Policy | Certificates
kks | KKSFullAccess | Kubernetes Full Access Policy | Kubernetes Cluster
kks | KKSReadAccess | Kubernetes Read Only Access Policy | Kubernetes Cluster
kks | KKSWriteAccess | Kubernetes Read and Write only Access Policy | Kubernetes Cluster
kos | KObjectStorageAccessKeyFullAccess | Krutrim Access Key Full Access Policy | KOS Access Keys, KOS Buckets, KOS Objects, KOS Regions
kos | KObjectStorageFullAccess | Krutrim Object Storage Full Access Policy | KOS Access Keys, KOS Buckets, KOS Objects, KOS Regions
kos | KObjectStorageReadOnlyAccess | Krutrim Object Storage Read Only Access Policy | KOS Access Keys, KOS Buckets, KOS Objects, KOS Regions
kos | KObjectStorageReadWriteAccess | Krutrim Object Storage Read Write Access Policy | KOS Access Keys, KOS Buckets, KOS Objects, KOS Regions
kpod | KKPodFullAccess | Krutrim KPod Full Access Policy | Kpods (AI Pods)
kpod | KKPodReadOnlyAccess | Krutrim KPod Read Only Access Policy | Kpods (AI Pods)
kpod | KKPodReadWriteAccess | Krutrim KPod Read Write Access Policy | Kpods (AI Pods)
loadbalancer | KLoadBalancerFullAccess | Krutrim Load Balancer Full Access Policy | Load Balancers, Target Groups, Listeners, Health Monitors, Rules, Members
loadbalancer | KLoadBalancerReadOnlyAccess | Krutrim Load Balancer Read Only Access Policy | Load Balancers, Target Groups, Listeners, Health Monitors, Rules, Members
loadbalancer | KLoadBalancerReadWriteAccess | Krutrim Load Balancer Read Write Access Policy | Load Balancers, Target Groups, Listeners, Health Monitors, Rules, Members
maas | KMAASApiKeyManagerAccess | Krutrim MAAS API Key Full Access Policy | MaaS API Keys
maas | KMAASApiKeyReadOnlyAccess | Krutrim MAAS API Key Read Only Access Policy | MaaS API Keys
maas | KMAASApiKeyReadWriteAccess | Krutrim MAAS API Key Read Write Access Policy | MaaS API Keys
maas | KMAASFullAccess | Krutrim MAAS Full Access Policy | MaaS, MaaS API Keys
maas | KMAASReadOnlyAccess | Krutrim MAAS Read Only Access Policy | MaaS, MaaS API Keys
maas | KMAASReadWriteAccess | Krutrim MAAS Read Write Access Policy | MaaS, MaaS API Keys
modelRegistry | KModelRegistryFullAccess | Krutrim Model Registry Full Access Policy | Model Registry
modelRegistry | KModelRegistryReadOnlyAccess | Krutrim Model Registry Read Only Access Policy | Model Registry
modelRegistry | KModelRegistryReadWriteAccess | Krutrim Model Registry Read Write Access Policy | Model Registry
securityGroup | KSecurityGroupFullAccess | Security Group Full Access Policy | Security Groups
securityGroup | KSecurityGroupReadAccess | Security Group Read Only Access Policy | Security Groups
securityGroup | KSecurityGroupWriteAccess | Security Group Read and Write only Access Policy | Security Groups
sshkeys | KSSHFullAccess | Krutrim SSH Full Access Policy | SSH Keys
sshkeys | KSSHReadOnlyAccess | Krutrim SSH Read Only Access Policy | SSH Keys
sshkeys | KSSHReadWriteAccess | Krutrim SSH Read Write Access Policy | SSH Keys
vm | KVMFullAccess | Krutrim VM Full Access Policy | Virtual Machines
vm | KVMReadOnlyAccess | Krutrim VM Read Only Access Policy | Virtual Machines
vm | KVMReadWriteAccess | Krutrim VM Read Write Access Policy | Virtual Machines
vpc | KVPCFullAccess | Krutrim VPC Full Access Policy | VPC, Subnets, Security Groups, Static IPs
vpc | KVPCReadOnlyAccess | Krutrim VPC Read Only Access Policy | VPC, Subnets, Security Groups, Static IPs
vpc | KVPCReadWriteAccess | Krutrim VPC Read Write Access Policy | VPC, Subnets, Security Groups, Static IPs
The service names in the list above are the exact ones that can be used when accessing IAM programmatically.
Custom Policies
Custom (customer-managed) policies are defined and maintained by users. They grant fine-grained, reusable permissions to identities while enforcing the principle of least privilege.
Characteristics:
Created and maintained by the root user or by IAM users (if given permission)
Can be edited or deleted
Policy JSON Examples
Example 1: Full Access Default Policy
The policy above allows:
All CRUD operations on all KBS (Krutrim Block Storage) resources
Example 2: Read Only Access Default Policy
The policy above allows:
Only read operations on all ASG (Auto Scaling Group) resources
No create, update, or delete permissions
Example 3: Custom Policy (Explicit Deny)
The policy above allows:
Create, read, update and delete operations on all VPC resources
Explicitly denies all access to Block Storage (KBS) resources
Example 4: Custom Policy - Allow Kubernetes (KKS) Cluster Creation
The policy above allows:
Create, read, update and delete operations on all KKS resources
Create, read, and update operations on all VPC resources
For an IAM user to create a resource, the root user must also give that user permission to access or view every other service that is required to create the main resource. For example:
To allow an IAM user to create a Kubernetes (KKS) cluster, the KKS permissions must be supplemented with permissions for other services. During cluster creation, the user needs to view and select supporting resources, such as those related to VPC.
Next Steps
Attach policies to roles
Assign roles to users or groups
Use groups to scale access
Review custom operations for fine-grained control

