Isolate access to lambda, buckets & DynamoDB tables based on names

0

Hi, I need to provide access to 2 sets of users to 2 sets of lambdas, S3 buckets, DynamoDB tables within the same region and account, i.e. within us-east-1, I have 2 sets of users and 2 sets of lambdas, S3 buckets & DynamoDB tables which are named differently: one set has names starting with xx-aa.... and another set has names starting with xx-bb.... I was checking on how to configure 2 IAM roles based on resource ARNs. But according to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html the following ARNs are not used: arn:aws:s3::123456789012:xx-aa* arn:aws:s3::123456789012:xx-bb*

Please let me know how I can create an IAM role to isolate the 2 sets of users to their respective set of lambdas, buckets and DynamoDB tables based on the names.

Thanks in advance.

Ed
asked 10 months ago, 209 views
1 answer
0

Hi, thanks for your answer. Based on the IAM condition keys, one way to achieve this is to use iam:ResourceTag and match it with the tag of each resource. But there does not seem to be a way to match the resource name or ARN. Please clarify if that is what you meant.

Thanks again.

Ed
answered 10 months ago
  • Hello, I deleted the original answer as I misread your original question. Can you elaborate a little more on what you are attempting to achieve? Is there a reason you wouldn't want to be explicit when adding the ARNs to your policy rather than using a wildcard?
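As an added example (not from the question or the answer above), here is how the name-prefix isolation the question asks for can be expressed with the per-service ARN formats from the linked IAM ARN reference: S3 bucket ARNs carry no region or account fields, Lambda function ARNs use `function:`, and DynamoDB table ARNs use `table/`, with a trailing `*` matching the rest of the name. The account id, region, action lists and the `xx-aa-` prefix (with a trailing hyphen so that `xx-aab...` is not matched) are constructed sample values; the matcher is a local approximation of the Resource/Action match for illustration, not the IAM evaluator.

```python
import fnmatch

# Constructed sample values (placeholders, not taken from the thread).
ACCOUNT = "123456789012"
REGION = "us-east-1"


def scoped_policy(prefix: str) -> dict:
    """Identity policy reaching only resources whose names start with `prefix`.

    One such policy per user set (e.g. "xx-aa-" and "xx-bb-") attached to that
    set's role isolates the two sets by name without per-resource tagging.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3Scoped",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                # Bucket ARN for bucket-level actions, object ARN for object actions.
                "Resource": [f"arn:aws:s3:::{prefix}*", f"arn:aws:s3:::{prefix}*/*"],
            },
            {
                "Sid": "LambdaScoped",
                "Effect": "Allow",
                "Action": ["lambda:InvokeFunction", "lambda:GetFunction"],
                "Resource": f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:{prefix}*",
            },
            {
                "Sid": "DynamoScoped",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{prefix}*",
            },
        ],
    }


def resource_allowed(policy: dict, action: str, arn: str) -> bool:
    """Approximate IAM's `*`/`?` wildcard match of Action and Resource.

    Models Allow statements without Condition blocks only; the IAM policy
    simulator is the authoritative check for a real policy.
    """
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
            fnmatch.fnmatchcase(arn, r) for r in resources
        ):
            return True
    return False
```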
