使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

Isolate access to lambda, buckets & DynamoDB tables based on names

0

Hi, I need to provide access to 2 sets of users to 2 sets of lambdas, S3 buckets, DynamoDB tables within the same region and account. i.e. Within the us-east-1, i have 2 sets of users and have 2 sets of lambda, s3 buckets & DynamoDB tables which are named differently - one set has names starting with xx-aa.... and another set has names starting with xx-bb.... I was checking on how to configure 2 IAM roles based on resource ARNs. But according to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html the following ARNs are not used - arn:aws:s3::123456789012:xx-aa* arn:aws:s3::123456789012:xx-bb*

Please let me know how I can create a IAM role to isolate the 2 sets of users to their respective set of lambdas, buckets and DynamoDB tables based on the names.

Thanks in advance.

主题
安全、身份和合规性
标签
AWS 身份和访问权限管理IAM 策略
语言
English
Ed
已提问 10 个月前209 查看次数
1 回答
0

Hi Thanks for your answer Based on the IAM Condition Keys, one way to achieve this is to have an iam:ResourceTag and match it with the tag of each resource. But there does not seem to be a way to match the resource name or ARN. Please clarify if that is what you meant.

Thanks again.

Ed
已回答 10 个月前
  • Andrew Langford
    10 个月前

    Hello, deleted the original answer as I misread your original question. Can you elaborate a little more on what you are attempting to achieve? is there a reason you wouldn't want to be explicit when adding the ARNs to your policy rather than using a wild card?

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容