SCP add exception for AWS Services

0

Hi,

We are trying to set up an SCP which will deny some DynamoDB actions based on the **IP Ranges** of our network, so that IAM users, for example, can't Scan or Query a DynamoDB table outside of our network.

In this SCP we need to add an exception for some AWS services (like EC2 or Lambda) which can freely Query/Scan a DynamoDB table if they have the necessary permissions.

We tried with the following SCP and it worked fine for the first case ("IAM Users") but failed for the Lambda case, as we are still receiving an AccessDenied error when trying to Query a DynamoDB table from a Lambda function:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "dynamodb:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:ViaAWSService": "false"
        },
        "NotIpAddress": {
          "aws:SourceIp": [
            "IP Range"
          ]
        }
      }
    }
  ]
}

Do you know how we can manage to add this exception for all AWS services which need to perform any DynamoDB action, without the need to use the ARN of the specific IAM role used by these services?

3 Answers
0
Accepted Answer

Hi all,

we ended up using the following SCP:

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Deny",
		"Action": "dynamodb:*",
		"Resource": "*",
		"Condition": {
			"ArnNotLikeIfExists": {
				"aws:PrincipalArn": [
					"arn:aws:iam::*:role/*"
				]
			},
			"Bool": {
				"aws:PrincipalIsAWSService": "false"
			}
		}
	}]
}

Unfortunately, checks like aws:PrincipalIsAWSService or aws:ViaAWSService won't work for AWS services that use an IAM role to operate on DynamoDB, like Lambda or an EC2 instance.

answered a year ago
EXPERT
reviewed a year ago
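To make the difference between the question's SCP and the accepted SCP concrete, here is an added example (not code from this thread or from AWS): a small Python evaluator that models only the condition operators used above (Bool, NotIpAddress, ArnNotLikeIfExists) and runs both policies over constructed request contexts. The account id, role name, IP addresses and CIDR are placeholders, and the contexts assume, per the documentation quoted in this thread, that a Lambda function running with an execution role presents aws:ViaAWSService and aws:PrincipalIsAWSService as false. It is a simplification of IAM policy evaluation, not a replacement for the IAM policy simulator.

```python
# Added example (not from the thread): a tiny evaluator for Deny-only SCP statements.
# Only the condition operators used in this thread are modelled; the request
# contexts are constructed and the account id, role name and CIDR are placeholders.
import fnmatch
import ipaddress

OFFICE_CIDR = "203.0.113.0/24"  # assumed corporate range (placeholder)

# The question's SCP, with the "IP Range" placeholder filled in
ORIGINAL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "dynamodb:*",
        "Resource": "*",
        "Condition": {
            "Bool": {"aws:ViaAWSService": "false"},
            "NotIpAddress": {"aws:SourceIp": [OFFICE_CIDR]},
        },
    }],
}

# The accepted answer's SCP
ACCEPTED_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "dynamodb:*",
        "Resource": "*",
        "Condition": {
            "ArnNotLikeIfExists": {"aws:PrincipalArn": ["arn:aws:iam::*:role/*"]},
            "Bool": {"aws:PrincipalIsAWSService": "false"},
        },
    }],
}

# Constructed request contexts. Per the documentation quoted in the thread,
# aws:ViaAWSService and aws:PrincipalIsAWSService are "false" when a service
# runs with a service role, so the Lambda request looks like any role session.
REQUESTS = {
    "iam user, office": {
        "aws:PrincipalArn": "arn:aws:iam::111122223333:user/alice",
        "aws:SourceIp": "203.0.113.10",
        "aws:ViaAWSService": "false", "aws:PrincipalIsAWSService": "false",
    },
    "iam user, home": {
        "aws:PrincipalArn": "arn:aws:iam::111122223333:user/alice",
        "aws:SourceIp": "198.51.100.7",
        "aws:ViaAWSService": "false", "aws:PrincipalIsAWSService": "false",
    },
    "lambda role": {
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/lambda-ddb-reader",
        "aws:SourceIp": "198.51.100.200",  # Lambda's own egress address, not the office
        "aws:ViaAWSService": "false", "aws:PrincipalIsAWSService": "false",
    },
    # Assumed shape of a call made by a service principal: no aws:PrincipalArn key
    "service principal": {"aws:PrincipalIsAWSService": "true"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_holds(operator, key, expected, context):
    """Evaluate one condition operator/key pair against the request context."""
    base = operator[: -len("IfExists")] if operator.endswith("IfExists") else operator
    if key not in context:
        # ...IfExists operators are satisfied by a missing key; plain operators
        # are not (simplification: special cases for negated operators not modelled)
        return base != operator
    actual = str(context[key])
    values = [str(v) for v in _as_list(expected)]
    if base == "Bool":
        return actual.lower() == values[0].lower()
    if base in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        return hit if base == "IpAddress" else not hit
    if base in ("ArnLike", "ArnNotLike"):
        hit = any(fnmatch.fnmatchcase(actual, v) for v in values)
        return hit if base == "ArnLike" else not hit
    raise NotImplementedError(f"operator {operator} not modelled")


def scp_denies(policy, action, context):
    """True if any Deny statement in the SCP matches this action and context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(condition_holds(op, key, exp, context)
               for op, pairs in conditions.items() for key, exp in pairs.items()):
            return True
    return False


def compare(action="dynamodb:Query"):
    """Outcome of both SCPs for every constructed request, keyed by request name."""
    return {name: {"original": scp_denies(ORIGINAL_SCP, action, ctx),
                   "accepted": scp_denies(ACCEPTED_SCP, action, ctx)}
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        orig = "DENY" if result["original"] else "pass"
        acc = "DENY" if result["accepted"] else "pass"
        print(f"{name:18} original={orig:4}  accepted={acc}")
```

Running it reproduces the thread: the question's SCP denies the Lambda role session (its source IP is outside the range and aws:ViaAWSService is false), while the accepted SCP lets any role session through and keeps denying IAM users. Two things worth noticing: the accepted SCP no longer consults aws:SourceIp at all, so it also denies IAM users calling from inside the office range, and the IfExists suffix is what stops a service-principal call (no aws:PrincipalArn in the context) from matching the Deny.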
0

Hi Peter,

Though I never used it myself, you can try to use ViaAwsService as a condition.

The example below denies IPs from a range BUT does not deny requests made by AWS services using the principal's credentials.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html

Edit: aws:CalledVia could be evaluated too.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

Hope it helps ;)

EXPERT
answered a year ago
0

You can use the IAM PrincipalIsAWSService key to check if the action is being performed by an AWS service principal, such as lambda.amazonaws.com.

More information here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalisawsservice.

AWS
MattK
answered a year ago
AWS
EXPERT
kentrad
reviewed a year ago
  • It should work for services like cloudtrail.amazonaws.com which use a service principal to call other services, but for the most common DynamoDB cases, for example Lambda or an EC2 instance, this won't work actually, as mentioned in the documentation: "It is also set to false if the service uses a service role or service-linked role to make a call on the principal's behalf"
