SCP add exception for AWS Services

0

Hi,

We are trying to set up an SCP which will deny some DynamoDB actions based on the **IP Ranges** of our Network, so that IAM Users for example can't Scan or Query a DynamoDB table outside of our Network.

In this SCP we need to add an exception to some AWS Services (Like: EC2 or Lambda) which can freely Query/Scan a DynamoDB table if they have the necessary permissions.

We tried with the following SCP and it worked fine for the first case "IAM Users" but failed for the Lambda case, as we are still receiving an AccessDenied Error trying to Query a DynamoDB table from a Lambda Function:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "dynamodb:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:ViaAWSService": "false"
        },
        "NotIpAddress": {
          "aws:SourceIp": [
            "IP Range"
          ]
        }
      }
    }
  ]
}

Do you know how we can manage to add this exception for all AWS Services which need to perform any DynamoDB action without the need to use the ARN of the specific IAM Role used by these services?

3 Answers
0
Accepted answer

Hi all,

We ended up using the following SCP:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "dynamodb:*",
      "Resource": "*",
      "Condition": {
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/*"
          ]
        },
        "Bool": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}

Unfortunately, checks like aws:PrincipalIsAWSService or aws:ViaAWSService won't work for AWS Services that use an IAM Role to operate on DynamoDB, like Lambda or an EC2 Instance.

answered a year ago
EXPERT
verified a year ago
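To see why the questioner's IP-based SCP denies the Lambda call while the accepted role-based SCP lets it through, here is a small evaluator for the three condition operators used in this thread. It is an added example, not code from the thread or from AWS; the corporate IP range, account id, principal ARNs and source IPs in the request contexts are constructed, and the operator semantics are a simplified model of the IAM rules (values for one key are ORed, operators and keys are ANDed, a missing key fails every operator except the IfExists variant).

```python
import fnmatch
import ipaddress

def _bool(ctx_val, values):
    return ctx_val is not None and ctx_val.lower() in {v.lower() for v in values}

def _not_ip_address(ctx_val, values):
    if ctx_val is None:
        return False
    ip = ipaddress.ip_address(ctx_val)
    return not any(ip in ipaddress.ip_network(v, strict=False) for v in values)

def _arn_like(arn, pattern):
    # ArnLike compares the six colon-delimited ARN components separately.
    parts, pats = arn.split(":", 5), pattern.split(":", 5)
    return len(parts) == 6 and len(pats) == 6 and all(
        fnmatch.fnmatchcase(a, p) for a, p in zip(parts, pats))

def _arn_not_like_if_exists(ctx_val, values):
    # IfExists: a principal without aws:PrincipalArn still matches the Deny.
    return ctx_val is None or not any(_arn_like(ctx_val, p) for p in values)

OPERATORS = {"Bool": _bool, "NotIpAddress": _not_ip_address,
             "ArnNotLikeIfExists": _arn_not_like_if_exists}

def condition_matches(statement, ctx):
    return all(OPERATORS[op](ctx.get(key), [v] if isinstance(v, str) else v)
               for op, keys in statement.get("Condition", {}).items()
               for key, v in keys.items())

def scp_allows(scp, ctx):
    """SCPs only remove access: the call survives if no Deny condition matches."""
    return not any(s["Effect"] == "Deny" and condition_matches(s, ctx)
                   for s in scp["Statement"])

# The two SCPs from the thread; 203.0.113.0/24 stands in for the corporate range.
SCP_IP = {"Statement": [{"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*",
    "Condition": {"Bool": {"aws:ViaAWSService": "false"},
                  "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}
SCP_ROLE = {"Statement": [{"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*",
    "Condition": {"ArnNotLikeIfExists": {"aws:PrincipalArn": ["arn:aws:iam::*:role/*"]},
                  "Bool": {"aws:PrincipalIsAWSService": "false"}}}]}

# Constructed request contexts. Lambda code calls DynamoDB with its execution role,
# so aws:ViaAWSService and aws:PrincipalIsAWSService are "false" and the IP is AWS's.
USER_INSIDE = {"aws:ViaAWSService": "false", "aws:PrincipalIsAWSService": "false",
               "aws:SourceIp": "203.0.113.10",
               "aws:PrincipalArn": "arn:aws:iam::123456789012:user/alice"}
USER_OUTSIDE = {**USER_INSIDE, "aws:SourceIp": "198.51.100.7"}
LAMBDA_ROLE = {**USER_OUTSIDE, "aws:PrincipalArn": "arn:aws:iam::123456789012:role/lambda-exec"}
```

Running `scp_allows` over the three contexts shows the IP-based SCP blocking the Lambda role (and any IAM user outside the range), while the accepted SCP allows every role but denies IAM users regardless of their source IP.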
0

Hi Peter,

Though I have never used it myself, you can try to use ViaAwsService as a condition.

The example below denies exactly the IPs outside the range BUT does not deny requests made by AWS services using the principal's credentials.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

Edit: aws:CalledVia could be evaluated too.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

Hope it helps ;)

EXPERT
answered a year ago
0

You can use the IAM PrincipalIsAWSService key to check if the action is being performed by an AWS service principal, such as lambda.amazonaws.com.

More information here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalisawsservice.

AWS
MattK
answered a year ago
AWS
EXPERT
kentrad
verified a year ago
  • It should work for services like cloudtrail.amazonaws.com which use a service principal to call other services, but for the most common DynamoDB cases, for example Lambda or an EC2 instance, this won't actually work, as mentioned in the documentation: "It is also set to false if the service uses a service role or service-linked role to make a call on the principal's behalf"
