By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Is there a way to limit the visibility of listings on AWS services using permissions?

0

Hello people! I'd be extremely grateful if anyone could tell me whether it is possible to stop an user from viewing all the created services in a region by using IAM policies. For example, let's say that I want the user to be able to see only one or two lambda functions or SQS queues in the listing instead of all of them, how would I do it? I know that permisons like DescribeQueues are only allowed for all resources and I haven't been able to find anything about restricting it.

asked a year ago344 views
1 Answer
1
Accepted Answer

Hello. In AWS Identity and Access Management (IAM), you can use policies to control what actions a user or role can perform on AWS resources, but IAM policies are typically not used to filter or limit the specific resources that are visible to a user. IAM policies focus on granting or denying permissions for actions on resources, rather than controlling which resources are visible in a listing. Because in most cases you must provide a List of permissions on all resources contained in one AWS service.

However, if you want to restrict a user's ability to list or access specific AWS resources (e.g., Lambda functions or SQS queues) while allowing access to others, you can use resource-based policies and service-specific mechanisms to achieve this.

For example use "Conditions":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:ListFunctions",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function/allowed-function",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Environment": "Production"
        }
      }
    }
  ]
}

Best regards, Andrii

profile picture
EXPERT
answered a year ago
profile pictureAWS
EXPERT
reviewed a year ago
profile picture
EXPERT
reviewed a year ago
  • I'm grateful for the answer, though I'm also saddened to know there's no way to control the visibility of the items more granularly. Anyway, thank your for the quick response!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions