# Policies

### What Is a Policy?

A policy defines what actions are allowed or denied on which resources in Krutrim Cloud.

Policies are written as JSON documents containing permission rules (called statements). A policy does not grant access by itself—it only takes effect when attached to a role.

Key Characteristics

* Policies cannot be attached directly to users or groups
* Policies have no effect without roles
* All permission evaluation happens at the role level
* Users get access only through roles/groups

### Policy Rule Model

Every policy follows a structured rule model.

#### Core Policy Fields

| Field        | Description                                                                                                                                                                                                         | Required |
| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
| Policy Name  | Unique identifier for the policy                                                                                                                                                                                    | Yes      |
| Description  | Purpose of the policy                                                                                                                                                                                               | Yes      |
| Access Rules | <p>Each policy consists of one or more rules with the following fields:<br>Policy Type: Service or capability namespace<br>Operations: Usually CRUD<br>Effect: Allow / Deny<br>Resource Name: Resources affected</p> | Yes      |

#### Access Rule Fields

| Field          | Description               | Example                                                                                                                                                                                                                                                                                             |
| -------------- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Policy Type    | Target cloud service      | All, Security Group, VPC, Virtual machine, Krutrim Certificate Manager, Krutrim Block Storage, Krutrim Object Storage, DNS, Krutrim Kubernetes System, Auto Scaling Groups, Load Balancer, Krutrim Ai Pods, Finetuning, Evaluation, IAM, Model Registry, DBaaS, MaaS, Inference, Billing, SSH Keys. |
| Resource Name  | Resources affected        | Resource name, or \* for all resources (the default)                                                                                                                                                                                                                                                  |
| Operations     | Allowed or denied actions | Create, Read, Update and Delete                                                                                                                                                                                                                                                                     |
| Effect         | Permission outcome        | Allow or Deny                                                                                                                                                                                                                                                                                       |


Allow vs. Deny Logic

* Allow → Grants permission
* Deny → Explicitly blocks permission

Evaluation Order:

1. Deny statements are evaluated first
2. If any deny matches → access is blocked
3. If no deny matches → allow statements are evaluated
4. If no allow matches → access is denied by default

Important: Deny always overrides allow.

***

### Policy Creation Flow

1. Define policy (name, description)
2. Specify Access Rule (service, resource, operation, effect)
3. Save the policy
4. Attach policy to role(s)
5. Assign role to users or groups

Note: A policy has no effect until attached to a role.

***

### Managing Policies

#### Editing a Policy

You can edit a policy to:

* Update the name or description
* Add, remove or modify statements
* Remove conditions

Steps:

1. IAM → Policies
2. Select policy → Edit
3. Make changes → Save

Editing a policy immediately affects:

* All roles using the policy
* All users assigned to those roles (directly or via groups)

Changes may:

* Grant new access
* Revoke existing access
* Change / Break user workflows

Best Practices:

* Communicate changes in advance
* Review attached roles before editing
* Avoid frequent edits to widely-used policies
* Prefer creating new policies instead

#### Deleting a Policy

Policies cannot be deleted while attached to roles.

Steps:

1. Detach policy from all roles
2. Return to policy
3. Click Delete

Warning: Deletion is permanent.

***

### Policy Types by Service

Policies are organized by service and by access level.

#### Default (System-Managed) Policies

Krutrim Cloud provides predefined policies for common use cases.

| Policy Type     | Description                   |
| --------------- | ----------------------------- |
| FullAccess      | Full control over the service |
| ReadAccess      | Read Only access              |
| ReadWriteAccess | Read and modify (no delete)   |

Characteristics:

* Created and maintained by the system
* Cannot be edited or deleted
* Evaluated like regular policies

<details>

<summary><strong>List of Default Policies</strong></summary>

<table data-header-hidden><thead><tr><th width="168.73046875">Service Name</th><th>Policy Name</th><th>Description</th><th>Resources</th></tr></thead><tbody><tr><td>asg</td><td>KASGFullAccess</td><td>Krutrim ASG Full Access Policy</td><td>Auto-Scaling Groups</td></tr><tr><td>asg</td><td>KASGReadOnlyAccess</td><td>Krutrim ASG Read Only Access Policy</td><td>Auto-Scaling Groups</td></tr><tr><td>asg</td><td>KASGReadWriteAccess</td><td>Krutrim ASG Read Write Access Policy</td><td>Auto-Scaling Groups</td></tr><tr><td>billing</td><td>KBillingFullAccess</td><td>Krutrim Billing Full Access Policy</td><td>Billing</td></tr><tr><td>dbaas</td><td>KDBaaSFullAccess</td><td>Krutrim DBaaS Full Access Policy</td><td>DBaaS</td></tr><tr><td>dbaas</td><td>KDBaaSReadOnlyAccess</td><td>Krutrim DBaaS Read Only Access Policy</td><td>DBaaS</td></tr><tr><td>dbaas</td><td>KDBaaSReadWriteAccess</td><td>Krutrim DBaaS Read Write Access Policy</td><td>DBaaS</td></tr><tr><td>dns</td><td>KDNSFullAccess</td><td>Krutrim DNS Full Access Policy</td><td><p>DNS, </p><p>Zones, </p><p>Records</p></td></tr><tr><td>dns</td><td>KDNSReadOnlyAccess</td><td>Krutrim DNS Read Only Access Policy</td><td><p>DNS, </p><p>Zones, </p><p>Records</p></td></tr><tr><td>dns</td><td>KDNSReadWriteAccess</td><td>Krutrim DNS Read Write Access Policy</td><td><p>DNS, </p><p>Zones, </p><p>Records</p></td></tr><tr><td>evaluation</td><td>KEvaluationFullAccess</td><td>Krutrim Evaluation Full Access Policy</td><td>Evaluation</td></tr><tr><td>evaluation</td><td>KEvaluationReadOnlyAccess</td><td>Krutrim Evaluation Read Only Access Policy</td><td>Evaluation</td></tr><tr><td>evaluation</td><td>KEvaluationReadWriteAccess</td><td>Krutrim Evaluation Read Write Access Policy</td><td>Evaluation</td></tr><tr><td>finetuning</td><td>KFineTuningFullAccess</td><td>Krutrim Fine Tuning Full Access Policy</td><td>Fine-Tuning</td></tr><tr><td>finetuning</td><td>KFineTuningReadOnlyAccess</td><td>Krutrim Fine Tuning Read Only Access 
Policy</td><td>Fine-Tuning</td></tr><tr><td>finetuning</td><td>KFineTuningReadWriteAccess</td><td>Krutrim Fine Tuning Read Write Access Policy</td><td>Fine-Tuning</td></tr><tr><td>iam</td><td>KIAMFullAdminAccessAllResources</td><td>Krutrim Centralized IAM Full Access Policy across all IAM resources</td><td><p>Users, </p><p>Groups, </p><p>Roles, </p><p>Policies, </p><p>Association Between Users/Groups/Roles/Policies</p></td></tr><tr><td>iam</td><td>KIAMReadOnlyAccessAllResources</td><td>Krutrim Centralized IAM Read Only Access Policy across all IAM resources</td><td><p>Users, </p><p>Groups, </p><p>Roles, </p><p>Policies, </p><p>Association Between Users/Groups/Roles/Policies</p></td></tr><tr><td>iam</td><td>KIAMReadWriteOnlyAccessAllResources</td><td>Krutrim Centralized IAM Read Write Access Policy across all IAM resources</td><td><p>Users, </p><p>Groups, </p><p>Roles, </p><p>Policies, </p><p>Association Between Users/Groups/Roles/Policies</p></td></tr><tr><td>iam</td><td>KIAMGroupManagerAccess</td><td>Krutrim Centralized IAM Group Management Access Policy</td><td>Groups</td></tr><tr><td>iam</td><td>KIAMGroupReadOnlyAccess</td><td>Krutrim Centralized IAM Group Read Only Access Policy</td><td>Groups</td></tr><tr><td>iam</td><td>KIAMGroupReadWriteAccess</td><td>Krutrim Centralized IAM Group read Write Access Policy</td><td>Groups</td></tr><tr><td>iam</td><td>KIAMMappingManagerAccess</td><td>Krutrim Centralized IAM User/Group/Role/Policies Association Full Access Policy</td><td>Association Between Users/Groups/Roles/Policies</td></tr><tr><td>iam</td><td>KIAMMappingReadOnlyAccess</td><td>Krutrim Centralized IAM User/Group/Role/Policies Association Read Only Access Policy</td><td>Groups</td></tr><tr><td>iam</td><td>KIAMMappingReadWriteAccess</td><td>Krutrim Centralized IAM User/Group/Role/Policies Association Read Write Access Policy</td><td>Groups</td></tr><tr><td>iam</td><td>KIAMPolicyManagerAccess</td><td>Krutrim Centralized IAM Policy Management Access 
Policy</td><td>Policies</td></tr><tr><td>iam</td><td>KIAMPolicyReadOnlyAccess</td><td>Krutrim Centralized IAM Policy Read Only Access Policy</td><td>Policies</td></tr><tr><td>iam</td><td>KIAMPolicyReadWriteAccess</td><td>Krutrim Centralized IAM Policy Read Write Access Policy</td><td>Policies</td></tr><tr><td>iam</td><td>KIAMRoleManagerAccess</td><td>Krutrim Centralized IAM Role Management Access Policy</td><td>Roles</td></tr><tr><td>iam</td><td>KIAMRoleReadOnlyAccess</td><td>Krutrim Centralized IAM Role Read Only Access Policy</td><td>Roles</td></tr><tr><td>iam</td><td>KIAMRolereadWriteAccess</td><td>Krutrim Centralized IAM Role Read write Access Policy</td><td>Roles</td></tr><tr><td>iam</td><td>KIAMUserManagerAccess</td><td>Krutrim Centralized IAM User Management Full Access Policy</td><td>Users</td></tr><tr><td>iam</td><td>KIAMUserReadOnlyAccess</td><td>Krutrim Centralized IAM User Read Only Access Policy</td><td>Users</td></tr><tr><td>iam</td><td>KIAMUserReadWriteAccess</td><td>Krutrim Centralized IAM User Read Write Access Policy</td><td>Users</td></tr><tr><td>inference</td><td>KInferenceFullAccess</td><td>Krutrim Inference Full Access Policy</td><td>Inference</td></tr><tr><td>inference</td><td>KInferenceReadOnlyAccess</td><td>Krutrim Inference Read Only Access Policy</td><td>Inference</td></tr><tr><td>inference</td><td>KInferenceReadWriteAccess</td><td>Krutrim Inference Read Write Access Policy</td><td>Inference</td></tr><tr><td>kbs</td><td>KBlockStorageFullAccess</td><td>Krutrim Block Storage Full Access Policy</td><td>Block Storage</td></tr><tr><td>kbs</td><td>KBlockStorageReadOnlyAccess</td><td>Krutrim Block Storage Read Only Access Policy</td><td>Block Storage</td></tr><tr><td>kbs</td><td>KBlockStorageReadWriteAccess</td><td>Krutrim Block Storage Read Write Access Policy</td><td>Block Storage</td></tr><tr><td>kcm</td><td>KCertManagerFullAccess</td><td>Krutrim Certificate Manager Full Access 
Policy</td><td>Certificates</td></tr><tr><td>kcm</td><td>KCertManagerReadOnlyAccess</td><td>Krutrim Certificate Manager Read Only Access Policy</td><td>Certificates</td></tr><tr><td>kcm</td><td>KCertManagerReadWriteAccess</td><td>Krutrim Certificate Manager Read Write Access Policy</td><td>Certificates</td></tr><tr><td>kks</td><td>KKSFullAccess</td><td>Kubernetes Full Access Policy</td><td>Kubernetes Cluster</td></tr><tr><td>kks</td><td>KKSReadAccess</td><td>Kubernetes Read Only Access Policy</td><td>Kubernetes Cluster</td></tr><tr><td>kks</td><td>KKSWriteAccess</td><td>Kubernetes Read and Write only Access Policy</td><td>Kubernetes Cluster</td></tr><tr><td>kos</td><td>KObjectStorageAccessKeyFullAccess</td><td>Krutrim Access Key Full Access Policy</td><td><p>KOS Access Keys,</p><p>KOS Buckets,</p><p>KOS Objects,</p><p>KOS Regions</p></td></tr><tr><td>kos</td><td>KObjectStorageFullAccess</td><td>Krutrim Object Storage Full Access Policy</td><td><p>KOS Access Keys,</p><p>KOS Buckets,</p><p>KOS Objects,</p><p>KOS Regions</p></td></tr><tr><td>kos</td><td>KObjectStorageReadOnlyAccess</td><td>Krutrim Object Storage Read Only Access Policy</td><td><p>KOS Access Keys,</p><p>KOS Buckets,</p><p>KOS Objects,</p><p>KOS Regions</p></td></tr><tr><td>kos</td><td>KObjectStorageReadWriteAccess</td><td>Krutrim Object Storage Read Write Access Policy</td><td><p>KOS Access Keys,</p><p>KOS Buckets,</p><p>KOS Objects,</p><p>KOS Regions</p></td></tr><tr><td>kpod</td><td>KKPodFullAccess</td><td>Krutrim KPod Full Access Policy</td><td>Kpods (AI Pods)</td></tr><tr><td>kpod</td><td>KKPodReadOnlyAccess</td><td>Krutrim KPod Read Only Access Policy</td><td>Kpods (AI Pods)</td></tr><tr><td>kpod</td><td>KKPodReadWriteAccess</td><td>Krutrim KPod Read Write Access Policy</td><td>Kpods (AI Pods)</td></tr><tr><td>loadbalancer</td><td>KLoadBalancerFullAccess</td><td>Krutrim Load Balancer Full Access Policy</td><td><p>Load Balancers,</p><p>Target Groups,</p><p>Listeners,</p><p>Health 
Monitors,</p><p>Rules,</p><p>Members</p></td></tr><tr><td>loadbalancer</td><td>KLoadBalancerReadOnlyAccess</td><td>Krutrim Load Balancer Read Only Access Policy</td><td><p>Load Balancers,</p><p>Target Groups,</p><p>Listeners,</p><p>Health Monitors,</p><p>Rules,</p><p>Members</p></td></tr><tr><td>loadbalancer</td><td>KLoadBalancerReadWriteAccess</td><td>Krutrim Load Balancer Read Write Access Policy</td><td><p>Load Balancers,</p><p>Target Groups,</p><p>Listeners,</p><p>Health Monitors,</p><p>Rules,</p><p>Members</p></td></tr><tr><td>maas</td><td>KMAASApiKeyManagerAccess</td><td>Krutrim MAAS API Key Full Access Policy</td><td>MaaS API Keys</td></tr><tr><td>maas</td><td>KMAASApiKeyReadOnlyAccess</td><td>Krutrim MAAS API Key Read Only Access Policy</td><td>MaaS API Keys</td></tr><tr><td>maas</td><td>KMAASApiKeyReadWriteAccess</td><td>Krutrim MAAS API Key Read Write Access Policy</td><td>MaaS API Keys</td></tr><tr><td>maas</td><td>KMAASFullAccess</td><td>Krutrim MAAS Full Access Policy</td><td><p>MaaS</p><p>MaaS API Keys</p></td></tr><tr><td>maas</td><td>KMAASReadOnlyAccess</td><td>Krutrim MAAS Read Only Access Policy</td><td><p>MaaS</p><p>MaaS API Keys</p></td></tr><tr><td>maas</td><td>KMAASReadWriteAccess</td><td>Krutrim MAAS Read Write Access Policy</td><td><p>MaaS</p><p>MaaS API Keys</p></td></tr><tr><td>modelRegistry</td><td>KModelRegistryFullAccess</td><td>Krutrim Model Registry Full Access Policy</td><td>Model Registry</td></tr><tr><td>modelRegistry</td><td>KModelRegistryReadOnlyAccess</td><td>Krutrim Model Registry Read Only Access Policy</td><td>Model Registry</td></tr><tr><td>modelRegistry</td><td>KModelRegistryReadWriteAccess</td><td>Krutrim Model Registry Read Write Access Policy</td><td>Model Registry</td></tr><tr><td>securityGroup</td><td>KSecurityGroupFullAccess</td><td>Security Group Full Access Policy</td><td>Security Groups</td></tr><tr><td>securityGroup</td><td>KSecurityGroupReadAccess</td><td>Security Group Read Only Access Policy</td><td>Security 
Groups</td></tr><tr><td>securityGroup</td><td>KSecurityGroupWriteAccess</td><td>Security Group Read and Write only Access Policy</td><td>Security Groups</td></tr><tr><td>sshkeys</td><td>KSSHFullAccess</td><td>Krutrim SSH Full Access Policy</td><td>SSH Keys</td></tr><tr><td>sshkeys</td><td>KSSHReadOnlyAccess</td><td>Krutrim SSH Read Only Access Policy</td><td>SSH Keys</td></tr><tr><td>sshkeys</td><td>KSSHReadWriteAccess</td><td>Krutrim SSH Read Write Access Policy</td><td>SSH Keys</td></tr><tr><td>vm</td><td>KVMFullAccess</td><td>Krutrim VM Full Access Policy</td><td>Virtual Machines</td></tr><tr><td>vm</td><td>KVMReadOnlyAccess</td><td>Krutrim VM Read Only Access Policy</td><td>Virtual Machines</td></tr><tr><td>vm</td><td>KVMReadWriteAccess</td><td>Krutrim VM Read Write Access Policy</td><td>Virtual Machines</td></tr><tr><td>vpc</td><td>KVPCFullAccess</td><td>Krutrim VPC Full Access Policy</td><td>VPC, Subnets, Security Groups, Static IPs</td></tr><tr><td>vpc</td><td>KVPCReadOnlyAccess</td><td>Krutrim VPC Read Only Access Policy</td><td>VPC, Subnets, Security Groups, Static IPs</td></tr><tr><td>vpc</td><td>KVPCReadWriteAccess</td><td>Krutrim VPC Read Write Access Policy</td><td>VPC, Subnets, Security Groups, Static IPs</td></tr></tbody></table>

</details>

{% hint style="success" %}
**The service names in the list above are the exact ones that can be used when accessing IAM programmatically**
{% endhint %}

***

#### Custom Policies

Custom (customer-managed) policies are defined and maintained by users. They grant fine-grained, reusable permissions to identities while enforcing the principle of least privilege.

Characteristics:

* Created and maintained by the root user, or by IAM users who have been granted permission to manage policies
* Can be edited or deleted

### Policy JSON Examples

#### Example 1: Full Access Default Policy

```json
{
  "name": "KBlockStorageFullAccess",
  "description": "Krutrim Block Storage Full Access Policy",
  "statements": [
    {
      "service": "kbs",
      "resource": "*",
      "operation": "*",
      "effect": "allow"
    }
  ]
}
```

{% hint style="info" %}
The policy above allows:

* All CRUD operations on all KBS (Krutrim Block Storage) resources
{% endhint %}

***

#### Example 2: Read Only Access Default Policy

```json
{
  "name": "KASGReadOnlyAccess",
  "description": "Krutrim ASG Read Only Access Policy",
  "statements": [
    {
      "service": "asg",
      "resource": "*",
      "operation": "read",
      "effect": "allow"
    }
  ]
}
```

{% hint style="info" %}
The policy above:

* Allows only read operations on all ASG (Auto Scaling Group) resources
* Grants no create, update or delete permissions
{% endhint %}

***

#### Example 3: Custom Policy (Explicit Deny)

```json
{
  "name": "VPCFullAccessAllowAndKBSDeny",
  "description": "Allow full access to all VPC resource and deny KBS resource",
  "statements": [
    {
      "service": "vpc",
      "resource": "*",
      "operation": "*",
      "effect": "allow"
    },
    {
      "service": "kbs",
      "resource": "*",
      "operation": "*",
      "effect": "deny"
    }
  ]
}
```

{% hint style="info" %}
The policy above:

* Allows create, read, update and delete operations on all VPC resources
* Explicitly denies all access to Block Storage (KBS) resources
{% endhint %}
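The evaluation order described above (deny statements first, then allow statements, otherwise an implicit deny) applied to Example 3 together with two further constructed policies attached to the same role, as an added Python example that is not part of the Krutrim Cloud documentation or its IAM implementation. It assumes that a statement resource of `*` matches any resource while any other value must match exactly, and that the decision is taken across every policy attached to one role.

```python
from typing import Dict, List, Optional, Tuple

CRUD = {"create", "read", "update", "delete"}

# Constructed policies in this page's JSON format: Example 3 (VPC allow + KBS deny),
# a KBS full-access policy like Example 1, and a KKS policy like Example 4.
ROLE_POLICIES: List[Dict] = [
    {"name": "VPCFullAccessAllowAndKBSDeny", "statements": [
        {"service": "vpc", "resource": "*", "operation": "*", "effect": "allow"},
        {"service": "kbs", "resource": "*", "operation": "*", "effect": "deny"}]},
    {"name": "KBlockStorageFullAccess", "statements": [
        {"service": "kbs", "resource": "*", "operation": "*", "effect": "allow"}]},
    {"name": "FullKKSClusterAccess", "statements": [
        {"service": "kks", "resource": "*", "operation": "*", "effect": "allow"},
        {"service": "vpc", "resource": "*", "operation": "create,read,update", "effect": "allow"}]},
]


def _ops(spec: str) -> set:
    """'*' covers every CRUD operation; otherwise a comma-separated list of operations."""
    return set(CRUD) if spec.strip() == "*" else {o.strip().lower() for o in spec.split(",") if o.strip()}


def _matches(stmt: Dict, service: str, resource: str, operation: str) -> bool:
    # Assumption: resource "*" matches anything; any other value must match exactly.
    return (stmt["service"] == service
            and stmt["resource"] in ("*", resource)
            and operation.lower() in _ops(stmt["operation"]))


def evaluate(policies: List[Dict], service: str, resource: str, operation: str) -> Tuple[str, Optional[str]]:
    """Decide one request against every policy attached to a role.

    Returns (decision, name of the policy that decided); the name is None for the implicit deny.
    """
    stmts = [(p["name"], s) for p in policies for s in p["statements"]]
    # Steps 1-2: deny statements are checked first; any match blocks, whatever else allows.
    for name, s in stmts:
        if s["effect"] == "deny" and _matches(s, service, resource, operation):
            return "deny", name
    # Step 3: only then are allow statements considered.
    for name, s in stmts:
        if s["effect"] == "allow" and _matches(s, service, resource, operation):
            return "allow", name
    # Step 4: nothing matched, so access is denied by default.
    return "deny", None


if __name__ == "__main__":
    for req in [("kbs", "vol-1", "read"), ("vpc", "net-1", "delete"), ("dns", "zone-1", "read")]:
        print(req, "->", evaluate(ROLE_POLICIES, *req))
```

The KBS read request is denied even though KBlockStorageFullAccess is attached, because the explicit deny in Example 3 is evaluated before any allow.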

***

#### Example 4: Custom Policy - Allow Kubernetes (KKS) Cluster Creation

```json
{
  "name": "FullKKSClusterAccess",
  "description": "Allow to manage KKS clusters",
  "statements": [
    {
      "service": "kks",
      "resource": "*",
      "operation": "*",
      "effect": "allow"
    },
    {
      "service": "vpc",
      "resource": "*",
      "operation": "create,read,update",
      "effect": "allow"
    }
  ]
}
```

{% hint style="info" %}
The policy above:

* Allows create, read, update and delete operations on all KKS resources
* Allows create, read and update operations on all VPC resources
{% endhint %}

{% hint style="warning" %}
**To allow an IAM user to create a resource, the root user must also grant that user permission to access and view the other services that the main resource depends on. For example:**

To allow an IAM user to create a Kubernetes (KKS) cluster, the necessary KKS permissions must be supplemented with permissions for other services. Specifically, during the KKS cluster creation process, the user needs the ability to view and select supporting resources, such as those related to VPC.
{% endhint %}
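A lint pass over a policy document against the rule model on this page (required fields, an allow/deny effect, CRUD operations, and the service identifiers from the default-policy list) that also flags the KKS/VPC dependency described in the warning above; this is an added example, not Krutrim's own tooling. It assumes lowercase keys and values as in Examples 1 to 3, and treats `vpc` read access as the supporting permission the warning refers to.

```python
import json
from typing import List

# Service identifiers copied from the "List of Default Policies" table on this page.
KNOWN_SERVICES = {
    "asg", "billing", "dbaas", "dns", "evaluation", "finetuning", "iam",
    "inference", "kbs", "kcm", "kks", "kos", "kpod", "loadbalancer", "maas",
    "modelRegistry", "securityGroup", "sshkeys", "vm", "vpc",
}
CRUD = {"create", "read", "update", "delete"}
EFFECTS = {"allow", "deny"}
STATEMENT_KEYS = {"service", "resource", "operation", "effect"}


def _ops(spec: str) -> set:
    """'*' expands to every CRUD operation; otherwise a comma-separated list."""
    return set(CRUD) if spec.strip() == "*" else {o.strip() for o in spec.split(",") if o.strip()}


def lint_policy(doc: str) -> List[str]:
    """Return the problems found in a policy JSON document (an empty list means clean)."""
    problems: List[str] = []
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    for key in ("name", "description", "statements"):
        if key not in policy:  # assumed case-sensitive: "Name" is not "name"
            problems.append(f"missing required field '{key}'")
    stmts = policy.get("statements") or []
    if not stmts:
        problems.append("policy has no statements")
    allowed = {}  # service -> operations granted by allow statements
    for i, s in enumerate(stmts):
        missing = STATEMENT_KEYS - set(s)
        if missing:
            problems.append(f"statement {i}: missing {sorted(missing)}")
            continue
        if s["service"] not in KNOWN_SERVICES:
            problems.append(f"statement {i}: unknown service '{s['service']}'")
        if s["effect"] not in EFFECTS:
            problems.append(f"statement {i}: effect must be allow or deny, got '{s['effect']}'")
        bad = _ops(s["operation"]) - CRUD
        if bad:
            problems.append(f"statement {i}: unknown operation(s) {sorted(bad)}")
        if s["effect"] == "allow":
            allowed.setdefault(s["service"], set()).update(_ops(s["operation"]))
    # The warning on this page: creating a KKS cluster needs view access to VPC resources.
    if "create" in allowed.get("kks", set()) and "read" not in allowed.get("vpc", set()):
        problems.append("kks create is allowed but vpc read is not: cluster creation will fail")
    return problems
```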

### Next Steps

* Attach policies to roles
* Assign roles to users or groups
* Use groups to scale access
* Review custom operations for fine-grained control

