IAM role/policy restrictions

0

Hi Team. I'm working across accounts, so I have a Lambda function which deletes the log groups that don't have any retention period set. I'm assuming the role from the other AWS account using sts_connection = boto3.client('sts') in my Lambda code. I need a restriction rule on this role so that it can only be picked up by a single Lambda function, i.e. my Lambda, and not by other Lambda functions. As of now I have this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DeleteLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

Lambda basic execution:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

TRUST RELATIONSHIP:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Acc_id>:root",
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Kindly provide a solution to this, as the policy needs to be updated or conditions need to be applied to the above policy. Thanks!

3 answers
0

Hi. Agree with Gupta. In addition, the policy will look like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/Owner": "Hoge"
                }
            }
        }
    ]
}
Expert
answered 10 months ago
  • The Lambda function will validate all available log groups and will delete the log groups which don't have any retention period set. Need a condition statement for that.

    This is not just for a Lambda log group but for all log groups.

  • Hi. Check another answer I posted.

0

To restrict the IAM role to only allow deletion of the specific Lambda function's log group, you can add a condition to the existing IAM policy. You can use the aws:ResourceTag condition to limit the DeleteLogGroup action to log groups that have a specific tag applied, and then apply that tag to the log group you want to allow deletion for.

answered 10 months ago
Expert
reviewed 10 months ago
0

Unfortunately, as far as I can tell from the official documentation of the condition keys supported by the Cloudwatch Logs policy statement, it is not possible to specify such detailed conditions for log groups that do not have a Retention Period.

Amazon CloudWatch Logs defines the following condition keys that can be used in the Condition element of an IAM policy

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys

https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#context_keys_table

If the Lambda log group you are creating is the only one with a specific prefix, you can specify it in the resource section as arn:aws:logs:us-east-1::log-group:${LogGroupPrefix}, etc. to restrict it to some extent, though not completely. If you want complete control, you will need to specify the full ARN in the resource section.

Expert
answered 10 months ago
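Putting the two answers together as an added example (not code from this thread): the cross-account role is trusted only from the one Lambda execution role instead of the account root, the permissions policy keeps the aws:ResourceTag/Owner condition from the first answer, and the retention check that IAM cannot express is done in the Lambda itself, which deletes only log groups that both lack retentionInDays and carry the tag. ROLE_ARN, the execution role ARN and the Owner=Hoge tag value are placeholders.

```python
ROLE_ARN = "arn:aws:iam::<Acc_id>:role/<cross-account-log-cleanup-role>"  # placeholder
TAG_KEY, TAG_VALUE = "Owner", "Hoge"  # must match the aws:ResourceTag/Owner condition

def trust_policy_for(execution_role_arn: str) -> dict:
    """Trust only the one Lambda execution role, not the account root, which every
    principal in that account could otherwise use to assume the cleanup role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": execution_role_arn},
                       "Action": "sts:AssumeRole"}],
    }

def select_deletable(log_groups: list, tags_for) -> list:
    """Names of log groups with no retentionInDays whose tags satisfy the IAM
    condition; untagged groups are skipped rather than attempted, since the
    policy would deny DeleteLogGroup on them anyway."""
    chosen = []
    for group in log_groups:
        if "retentionInDays" in group:
            continue  # retention already set: keep it
        name = group["logGroupName"]
        if tags_for(name).get(TAG_KEY) != TAG_VALUE:
            continue  # outside the tag scope the role may delete
        chosen.append(name)
    return chosen

def lambda_handler(event, context):
    import boto3  # imported here so select_deletable can be tested without boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=ROLE_ARN, RoleSessionName="log-group-cleanup")["Credentials"]
    logs = boto3.client("logs", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])
    groups = [g for page in logs.get_paginator("describe_log_groups").paginate()
              for g in page["logGroups"]]
    tags_for = lambda name: logs.list_tags_log_group(logGroupName=name).get("tags", {})
    deleted = select_deletable(groups, tags_for)
    for name in deleted:
        logs.delete_log_group(logGroupName=name)
    return {"deleted": deleted}
```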
