How do I restrict AWS secret by Lambda alias?

0

I want to have a QA secret and a Production secret, and I want a Lambda QA alias to only be able to access the QA secret, and likewise with the Lambda Production alias and the Production secret.

Each Lambda function alias uses a single execution role, set at the function level. So any IAM policies attached to this role would apply to all aliases. This means that the QA alias lambda could access the Production secret. So an execution-role based policy does not appear to be the answer.

I am trying to understand how to apply resource-based policies to the secrets, but it appears that I cannot choose the Principal to be a fully-qualified ARN to the Lambda alias. Is it possible to do this?

Unless I am misusing these systems, it seems impossible to keep secrets separate and secure with Lambda aliases.

3 個答案
2

I am not sure if it is possible or not, but I would recommend that you do not use aliases for this purpose but rather separate into two (or more) different environments. At least dev and prod. This way you reduce the blast radius of mistakes happening in your dev account, e.g., consuming all account's concurrency which may affect production.

profile pictureAWS
專家
Uri
已回答 2 年前
profile picture
專家
已審閱 1 個月前
  • Your point about blast radius is a good one. However, I'm not ready to move to that architecture yet, but would like to increase security. iwasa had an interesting discovery in the second part of their answer, which is that execution roles can be changed at a per-version level. I'm already changing the docker image per-version when I deploy, so adding this is not much more work, and it enables what I am looking for.

1
已接受的答案

Hi.

I saw this question and tried various things.
But I couldn't.

Unfortunately, neither Lambda's Execution Role nor Secret's Rolebase Policy seem to be able to include a specific ARN (eg alias) as a condition.

If you want to limit with IAM roles, I think you should separate QA and Production at the function level and above, as @Uri advises.

Alternatively, Lambda has a different Execution role for each version.
You can indirectly separate roles if the alias points to another version.
This also enables role-based secret access control.

profile picture
專家
iwasa
已回答 2 年前
profile picture
專家
已審閱 1 個月前
  • Interesting! I didn't realize that the Lambda roles are inherited/instantiated similar to how the container image on a Lambda is changed: you change it at the function level, then create a new version from that function template. In theory, I could do the same thing: change the role AND the docker image, then create the new version from that function template, then re-point the alias. Since this actually solves the question that I had, I'm marking this as the answer, though Uri does make good points about blast radius.

0

If you need to restrict secrets to certain functions, you need to create a new role. You can't restrict by alias IIUC.

{
  "Effect": "Allow",
  "Action": ["secretsmanager:GetSecretValue"],
  "Resource": "arn:aws:secretsmanager:ap-southeast-1:${ACCOUNT_ID}:secret:/${ENVIRONMENT}/secretA"
},

Typically each role would have some ${ENVIRONMENT} variable in it too btw, usually isolated to an account.

kai
已回答 2 年前
  • That won't work, since a Lambda function's role applies to all of its aliases. Giving that role access to a production secret would allow the QA lambda to access it too.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南