使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Isolate access to lambda, buckets & DynamoDB tables based on names

0

Hi, I need to provide access to 2 sets of users to 2 sets of lambdas, S3 buckets, DynamoDB tables within the same region and account. i.e. Within the us-east-1, i have 2 sets of users and have 2 sets of lambda, s3 buckets & DynamoDB tables which are named differently - one set has names starting with xx-aa.... and another set has names starting with xx-bb.... I was checking on how to configure 2 IAM roles based on resource ARNs. But according to https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html the following ARNs are not used - arn:aws:s3::123456789012:xx-aa* arn:aws:s3::123456789012:xx-bb*

Please let me know how I can create a IAM role to isolate the 2 sets of users to their respective set of lambdas, buckets and DynamoDB tables based on the names.

Thanks in advance.

主題
安全性、身分識別與合規
標籤
AWS Identity and Access ManagementIAM 政策
語言
English
Ed
已提問 10 個月前檢視次數 209 次
1 個回答
0

Hi Thanks for your answer Based on the IAM Condition Keys, one way to achieve this is to have an iam:ResourceTag and match it with the tag of each resource. But there does not seem to be a way to match the resource name or ARN. Please clarify if that is what you meant.

Thanks again.

Ed
已回答 10 個月前
  • Andrew Langford
    10 個月前

    Hello, deleted the original answer as I misread your original question. Can you elaborate a little more on what you are attempting to achieve? is there a reason you wouldn't want to be explicit when adding the ARNs to your policy rather than using a wild card?

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容