These are the policies attached to Lambda function calling a REST API in API Gateway. I am trying to understand why we need to have two policies like this, e.g. can somebody explain in simple words what does the first policy do? Why we cannot limit everything with the second policy only? If we only need to allow POST to every path under a particular API what else is required? What is difference between "execute-api" resource and "apigateway"?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": [
"arn:aws:execute-api:us-east-1:account-id:api-id/*/GET/pets"
]
}
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:POST"
],
"Resource": [
"arn:aws:apigateway:us-east-1:account-id:api-id/*"
]
}
}
There are two types of permissions for API gateway:
For invoking an API. Your first statement allows invoking the API.
For creating and managing an API. Your second statement allows for creating child resources in the API.
You have two policies, because your resources are different for each statement. So your function can both manage the API and invoke it as well.
Related
Here is a role I already declared with a policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:ChangeMessageVisibility",
"sqs:GetQueueUrl"
],
"Resource": "arn:aws:sqs:*:<my-account>:my-prefix-*"
}
]
}
When I deploy manually my queue and Lambda (with Trigger) everything is OK (and it is working as expected). However when I deploy with CDK it tries to add a new inline policy which looks exactly the same (without wildcards):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:ChangeMessageVisibility",
"sqs:GetQueueUrl"
],
"Resource": "arn:aws:sqs:eu-west-3:<my-account>:my-prefix-MYRESOURCE-CREATED"
}
]
}
My questions:
Why CDK do not detect that policy is the same ?
If it is working as design, is there a way to not include IAM changes ?
I am not referencing to How to skip IAM change confirmation during a cdk deploy? where user wants an auto approval.
Thanks and regards
I assume you are passing a role parameter into your Lambda Function.
If you don't want CDK to automatically add inline policies to this role, you may want to use .without_policy_updates():
Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role’s Policies.
If you do, you are responsible for adding the correct statements to the Role’s policies yourself.
I initially tried with all the json policies in the below link.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#customer-managed-policies-cwl
And i finally got a solution of giving "list, read, write" access to one specific loggroup for an IAM user by using below JSON policy. But it is able to see the list of other log groups as well. As per the below JSON policy i tired limiting the resource for listing as well. It didn't work.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"logs:GetLogRecord",
"logs:DescribeLogGroups"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:Describe*",
"logs:FilterLogEvents",
"logs:GetLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:XXXXXXXXXXXX:log-group:/aws/lambda/XXXX:log-stream:*"
}
]
}
But then i found the tagging as a solution and tried tagging the loggroup and user with same tag and tried below JSON policy. That didn't work either.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"logs:ResourceTag/Team": "Green"
}
}
}
]
}
Please can someone kindly suggest a way where i could give access to one specific IAM user for only one group to either, list&read or list,read&write. But that user should not be able to see the other log groups.
But it is able to see the list of other log groups as well
That's not something you can do typically within AWS. Generally IAM permissions can't affect on the result of an API action. It can't filter it to only show something in particular. This is one the reasons AWS recommends to isolate workloads by using different accounts, as API calls are only scoped to one account.
In this case, you can either not give access at all or give access to list everything.
In api gateway, I have the following resource ARN:
arn:aws:execute-api:us-east-2:XXXXXXXXXXXXX:syx381ecq9/*/GET/members/*
which provides a link to get a list of members based on a class_id - /members/{id}
A user that is in a class can only see the list of members that belong into that class.
I have specified cognito user pool with the following IAM policy (assume that class1 is class_id)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cognito-identity:*",
"mobileanalytics:PutEvents",
"cognito-sync:*",
"lambda:*",
"execute-api:*"
],
"Resource": [
"arn:aws:execute-api:us-east-2:XXXXXXXXXXXXX:syx381ecq9/*/GET/members/class1"
]
}
]
}
however, when used the link GET /members/class1, I get the following message:
Execution failed due to configuration error: API Gateway could not determine the callers credentials
I checked in cloudwatch, no log from lambda, therefore I think lambda was not executed.
I continued trying with class2. This time the following message was shown:
User:arn:aws:sts::XXXXXXXXXXXX:assumed-role/Cognito-sample_client1/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-2:********8469:syx381ecq9/sample/GET/inspectors/client2
I have checked in policy stimulate and everything worked fine with message Allowed
I have no idea why I could not call lambda? how can I fix this problem?
Thanks
OK, I found the answer. The above policy only allows calling lambda function for
arn:aws:execute-api:us-east-2:XXXXXXXXXXXXX:syx381ecq9/*/GET/members/class1
therefore, when cognito credential has passed, api will try to call lambda but unfortunately, the policy restricts that. In order to get through it, we need to separate it into another statement like the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cognito-identity:*",
"mobileanalytics:PutEvents",
"cognito-sync:*",
"execute-api:*"
],
"Resource": [
"arn:aws:execute-api:us-east-2:XXXXXXXXXXXXX:syx381ecq9/*/GET/members/class1"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:*"
],
"Resource": [
"*"
]
}
]
}
we can customized specific lambda's arn if required
I'm trying to allow all EC2 instances in our AWS account to stop themselves (using an automated script that uses the aws cli). I try to do so by creating an AWS IAM role with the propper policy. However, I can't find how to define the policy to only Allow instances to stop itself (and not other instances).
I tried with the following policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:StopInstances"
],
"Resource": [
"${ec2:SourceInstanceARN}"
]
}
]
}
But on validation, this gives me the error This policy contains the following error: The following resources are invalid : ${ec2:SourceInstanceARN}
Is there a way to allow an instance to stop itself (and only itself)? If so, how should I do it?
Shutdown behavior solves the problem with termination but there might be other scenarios that require limited access to API requests (i.e. self tagging). So here's a solution with IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DeleteTags",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:TerminateInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ARN": "${ec2:SourceInstanceARN}"
}
}
}
]
}
As Mark B suggested in the comments, I solved my problem by changing my script to use shutdown rather than aws ec2 stop-instances. This makes the use of any policy needless, as any system can execute shutdown on itself (and only itself).
Currently I have group with a policy that looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1449507915000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::artmakeit",
"arn:aws:s3:::artmakeit/*"
]
},
{
"Sid": "ListAllBuckets",
"Action": "s3:ListAllMyBuckets",
"Effect": "Allow",
"Resource": "*"
}
]
}
So, the IAM user, my client, can access his bucket correctly. But I am wondering if I can only let him see his bucket and not the complete list of my buckets. Is there a way to achieve this? I guess I should change the ListAllBuckets permission, but I don't know what to write instead, any ideas?
If users intend to access their buckets via the AWS Management Console, then they require the ListAllBuckets permission.
It is not possible to 'hide' the complete bucket list when using the console -- either they see them all or none at all.
Access via other methods (eg the AWS Command-Line Interface (CLI) or an API call) does not require that this permission be assigned.