Issue restraining access to a single environment on AppConfig using IAM Policy

Hello, for a while now I've been trying to restrict write access to a specific environment under AppConfig, but it doesn't seem to work. I get access denied on the "dev" environment. I have checked the reference for AppConfig (https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html). I want to allow developers to be able to start a deployment only on the dev environment but not on prod. Here is the policy I am using.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "appconfig:StartDeployment",
            "Resource": [
                "arn:aws:appconfig:*:ACCOUNT-ID:deploymentstrategy/*",
                "arn:aws:appconfig:*:ACCOUNT-ID:application/*/environment/*",
                "arn:aws:appconfig:*:ACCOUNT-ID:application/*/configurationprofile/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/environment": "dev"
                }
            }
        }
    ]
}
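
A local model of how the statement above evaluates per resource, as an added example that is not part of the original post. It assumes a StartDeployment call is authorized against the application, environment, configuration profile and deployment strategy ARNs, and that the statement-wide Condition is checked against each resource's own tags; the account number, resource IDs and tags are constructed, and the matcher is a simplification of IAM evaluation, not AWS code.

```python
from fnmatch import fnmatchcase

# The statement from the post, with ACCOUNT-ID replaced by a constructed account number.
STATEMENT = {
    "Effect": "Allow",
    "Action": "appconfig:StartDeployment",
    "Resource": [
        "arn:aws:appconfig:*:111122223333:deploymentstrategy/*",
        "arn:aws:appconfig:*:111122223333:application/*/environment/*",
        "arn:aws:appconfig:*:111122223333:application/*/configurationprofile/*",
    ],
    "Condition": {"StringEquals": {"aws:ResourceTag/environment": "dev"}},
}

# Constructed resources for one StartDeployment call: only the environment is tagged.
BASE = "arn:aws:appconfig:us-east-1:111122223333:"
REQUEST = {
    BASE + "application/app1": {},
    BASE + "application/app1/environment/env1": {"environment": "dev"},
    BASE + "application/app1/configurationprofile/prof1": {},
    BASE + "deploymentstrategy/strat1": {},
}

def evaluate(statement, arn, tags):
    """Return 'allowed', 'no Resource match' or 'condition failed' for one ARN."""
    patterns = statement["Resource"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # '*' in an IAM resource pattern spans '/' as well, as it does in fnmatchcase.
    if not any(fnmatchcase(arn, p) for p in patterns):
        return "no Resource match"
    # The Condition block belongs to the statement, so it applies to every ARN in it.
    for key, want in statement.get("Condition", {}).get("StringEquals", {}).items():
        tag_key = key.split("/", 1)[1]  # only aws:ResourceTag/<key> is modelled here
        if tags.get(tag_key) != want:
            return "condition failed"
    return "allowed"

def report(statement, request):
    """Map each resource (ARN without the partition/region/account prefix) to a verdict."""
    return {arn.split(":", 5)[5]: evaluate(statement, arn, tags)
            for arn, tags in request.items()}

if __name__ == "__main__":
    for resource, verdict in report(STATEMENT, REQUEST).items():
        print(f"{verdict:18} {resource}")
```
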
No Answers
