Hi all,
We ended up using the following SCP:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "dynamodb:*",
        "Resource": "*",
        "Condition": {
            "ArnNotLikeIfExists": {
                "aws:PrincipalArn": [
                    "arn:aws:iam::*:role/*"
                ]
            },
            "Bool": {
                "aws:PrincipalIsAWSService": "false"
            }
        }
    }]
}
Unfortunately, checks like aws:PrincipalIsAWSService or aws:ViaAWSService won't work for AWS services that use an IAM role to operate on DynamoDB, like Lambda or an EC2 instance.
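As an added example (not code from the thread), the following Python script models how the Condition block of the SCP above evaluates against a few constructed request contexts. The account id, role and user names are placeholders, and the evaluator only implements the ArnLike/ArnNotLike (with IfExists) and Bool operators the policy actually uses; it is a teaching model of IAM condition evaluation, not the real policy engine.

```python
"""Toy evaluator for the Deny statement's Condition block (constructed example)."""
import re
from typing import Dict

# Condition block copied from the SCP in the thread.
CONDITION = {
    "ArnNotLikeIfExists": {"aws:PrincipalArn": ["arn:aws:iam::*:role/*"]},
    "Bool": {"aws:PrincipalIsAWSService": "false"},
}


def arn_like(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def eval_operator(op: str, key: str, expected, context: Dict[str, str]) -> bool:
    """Evaluate one condition operator for one key against the request context."""
    if_exists = op.endswith("IfExists")
    base = op[: -len("IfExists")] if if_exists else op
    actual = context.get(key)
    if actual is None:
        # Missing key: the ...IfExists form evaluates to true, the plain form fails.
        return if_exists
    values = expected if isinstance(expected, list) else [expected]
    if base == "ArnLike":
        return any(arn_like(p, actual) for p in values)
    if base == "ArnNotLike":
        return not any(arn_like(p, actual) for p in values)
    if base == "Bool":
        return actual.lower() == str(values[0]).lower()
    raise ValueError(f"operator {op} is not modelled here")


def condition_matches(condition: dict, context: Dict[str, str]) -> bool:
    """Every operator block, and every key inside it, must be true (logical AND)."""
    return all(
        eval_operator(op, key, expected, context)
        for op, keys in condition.items()
        for key, expected in keys.items()
    )


def is_denied(context: Dict[str, str]) -> bool:
    """The statement denies dynamodb:* on every resource whenever its Condition matches."""
    return condition_matches(CONDITION, context)


# Constructed request contexts; account id and names are placeholders.
CONTEXTS = {
    "lambda_execution_role": {
        # For an assumed-role session, aws:PrincipalArn carries the IAM role ARN.
        "aws:PrincipalArn": "arn:aws:iam::123456789012:role/my-lambda-role",
        "aws:PrincipalIsAWSService": "false",
    },
    "iam_user": {
        "aws:PrincipalArn": "arn:aws:iam::123456789012:user/alice",
        "aws:PrincipalIsAWSService": "false",
    },
    "root_user": {
        "aws:PrincipalArn": "arn:aws:iam::123456789012:root",
        "aws:PrincipalIsAWSService": "false",
    },
    "service_principal": {
        # A service principal calling directly: no principal ARN in the context.
        "aws:PrincipalIsAWSService": "true",
    },
}


def evaluate_all() -> Dict[str, bool]:
    """Map each constructed context name to whether the Deny statement applies."""
    return {name: is_denied(ctx) for name, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    for name, denied in evaluate_all().items():
        print(f"{name:24s} -> {'DENY' if denied else 'not denied'}")
```

Running it shows why the thread's SCP works for Lambda and EC2: the execution role's ARN matches `arn:aws:iam::*:role/*`, so ArnNotLikeIfExists is false and the Deny does not apply, while an IAM user or the root user is denied; a service principal without a principal ARN passes the IfExists check but fails the Bool check, so it is not denied either.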
Hi Peter,
Though I never used it myself, you can try to use ViaAwsService as a condition.
The example below denies IPs from a range BUT does not deny requests made by AWS services using the principal's credentials.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html
Edit: aws:CalledVia could be evaluated too.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
Hope it helps ;)
You can use the IAM PrincipalIsAWSService key to check if the action is being performed by an AWS service principal, such as lambda.amazonaws.com.
More information here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalisawsservice.
It should work for services like cloudtrail.amazonaws.com which use a service principal to call other services, but for the most common DynamoDB cases, for example Lambda or an EC2 instance, this actually won't work, as mentioned in the documentation: "It is also set to false if the service uses a service role or service-linked role to make a call on the principal's behalf".
Thanks for the response. Unfortunately, this will work only if the call was made by a user principal, such as an IAM user. In this case, though, it is the Lambda service itself (a service principal) which is making the call to DynamoDB (programmatically). More precisely, it's Lambda's execution role that is making API calls to DynamoDB.
Hey Peter, I updated my answer in case this can help you via aws:CalledVia: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html. Let me know.