Isolate access to lambda, buckets & DynamoDB tables based on names


Hi, I need to provide access to 2 sets of users to 2 sets of lambdas, S3 buckets and DynamoDB tables within the same region and account. I.e. within us-east-1, I have 2 sets of users and 2 sets of lambdas, S3 buckets and DynamoDB tables which are named differently: one set has names starting with xx-aa.... and another set has names starting with xx-bb.... I was checking on how to configure 2 IAM roles based on resource ARNs. But according to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html the following ARNs are not used:

arn:aws:s3::123456789012:xx-aa*
arn:aws:s3::123456789012:xx-bb*

Please let me know how I can create an IAM role to isolate the 2 sets of users to their respective set of lambdas, buckets and DynamoDB tables based on the names.

Thanks in advance.

Ed
asked 10 months ago, 203 views
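A worked version of the name-prefix scoping the question asks about, as an added example that is not from the question, the answerer or AWS documentation. It assumes the account id 123456789012 and region us-east-1 from the question, the xx-aa and xx-bb prefixes, and a minimal, assumed set of actions; the ARN shapes for S3, Lambda and DynamoDB are the documented ones (S3 bucket ARNs carry no region or account field, which is why the ARNs quoted in the question are not accepted). The small matcher reproduces how `*` and `?` in a Resource element are evaluated, so a policy can be checked against sample ARNs offline before it is attached; the second policy is simply `team_policy("xx-bb")`.

```python
"""Scope an IAM identity policy to one team's resources by name prefix.
Constructed example: account id, region and prefixes come from the question,
the action lists and sample ARNs are assumptions."""
import json
import re

ACCOUNT_ID = "123456789012"  # account id used in the question
REGION = "us-east-1"         # region used in the question


def resource_arns(prefix, account_id=ACCOUNT_ID, region=REGION):
    """Resource ARN patterns for everything named with `prefix`.

    S3 bucket ARNs have neither region nor account id, so the bucket form is
    'arn:aws:s3:::<bucket>' and objects are 'arn:aws:s3:::<bucket>/<key>'.
    Lambda function and DynamoDB table ARNs carry both fields.
    """
    return {
        "lambda": [f"arn:aws:lambda:{region}:{account_id}:function:{prefix}*"],
        "s3": [f"arn:aws:s3:::{prefix}*", f"arn:aws:s3:::{prefix}*/*"],
        "dynamodb": [f"arn:aws:dynamodb:{region}:{account_id}:table/{prefix}*"],
    }


def team_policy(prefix, account_id=ACCOUNT_ID, region=REGION):
    """Identity policy for one team, to attach to that team's role or group.
    The action lists are an assumed minimum; widen or narrow them as needed."""
    arns = resource_arns(prefix, account_id, region)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "LambdaByName", "Effect": "Allow",
             "Action": ["lambda:GetFunction", "lambda:InvokeFunction",
                        "lambda:UpdateFunctionCode"],
             "Resource": arns["lambda"]},
            {"Sid": "S3ByName", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
                        "s3:DeleteObject"],
             "Resource": arns["s3"]},
            {"Sid": "DynamoDBByName", "Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query",
                        "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
             "Resource": arns["dynamodb"]},
        ],
    }


def arn_matches(pattern, arn):
    """IAM Resource matching: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one character; all else is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def policy_allows_resource(policy, arn):
    """True if the Resource element of any Allow statement matches `arn`.
    Only the Resource element is evaluated: actions, conditions, explicit
    denies and resource-based policies are out of scope for this check."""
    return any(
        arn_matches(pattern, arn)
        for statement in policy["Statement"]
        if statement["Effect"] == "Allow"
        for pattern in statement["Resource"]
    )


if __name__ == "__main__":
    policy_a = team_policy("xx-aa")
    print(json.dumps(policy_a, indent=2))
    # Constructed ARNs: team A's bucket is in scope, team B's is not.
    print(policy_allows_resource(policy_a, "arn:aws:s3:::xx-aa-uploads"))  # True
    print(policy_allows_resource(policy_a, "arn:aws:s3:::xx-bb-uploads"))  # False
    # Caveat: a bare prefix wildcard also admits any name that merely begins
    # with those letters, e.g. a bucket called 'xx-aab-other'. End the prefix
    # with its separator ('xx-aa-*') if the naming scheme allows it.
    print(policy_allows_resource(policy_a, "arn:aws:s3:::xx-aab-other"))  # True
```

Two points worth keeping in mind when applying this. First, the same Resource wildcard also bounds what a team can create: granting `s3:CreateBucket` or `dynamodb:CreateTable` on the `xx-aa*` pattern lets that team create only resources whose names start with `xx-aa`, which is what keeps the two sets from drifting into each other. Second, the matcher above answers only "does this ARN fall under the policy's Resource patterns"; before relying on a policy, run the real decision through the IAM policy simulator, which also accounts for actions, conditions and explicit denies.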
1 Answer

Hi, thanks for your answer. Based on the IAM Condition Keys, one way to achieve this is to have an iam:ResourceTag and match it with the tag of each resource. But there does not seem to be a way to match the resource name or ARN. Please clarify if that is what you meant.

Thanks again.

Ed
answered 10 months ago
  • Hello, I deleted the original answer as I misread your original question. Can you elaborate a little more on what you are attempting to achieve? Is there a reason you wouldn't want to be explicit when adding the ARNs to your policy rather than using a wildcard?
