GCSDC

Reputation: 3500

DynamoDB deny access to everyone but administrators and Lambda functions

I have several AWS Lambda functions, each one containing the following aliases (stages): dev, qa and prod.

Each of these functions has some environment variables which should have different values for each alias, but as setting environment variables at the alias level is not supported by Lambda, I've decided to use a DynamoDB table to store the variable values.

Now, as these variables contain sensitive information, I would like to make sure that access to this table is as restricted as possible.

So I would like to deny access to everyone and only allow administrators and Lambda functions to access it.

I know that I may provide access to the table by using the appropriate roles/policies on IAM, but how may I make sure that access will only be provided to the users/functions for which I explicitly provided access?

Upvotes: 1

Views: 155

Answers (1)

jarmod

Reputation: 78583

Take a look at Parameter Store which is hierarchical and will allow you to set permissions per stage (example here) or you can control based on tags (example here).

Or you could package the parameters with the Lambda function upload.

For more ideas, see this article.

Upvotes: 2
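An added example (not code from the question or the answer) showing how the two approaches discussed here translate into least-privilege IAM policies for the Lambda execution role of one alias: a DynamoDB grant restricted to a single table and scoped with the `dynamodb:LeadingKeys` condition key so each alias can only read items whose partition key equals its stage, and the equivalent Parameter Store grant over a per-stage path of the hierarchy. Because IAM denies everything that is not explicitly allowed, "only administrators and the functions" in practice means making sure no other principal carries a broad grant, so the block also includes a small audit helper that flags wildcard actions, wildcard resources, or a table grant that is not scoped to a stage. The account id, region, table name and parameter prefix are constructed placeholders, not values from the page.

```python
"""Least-privilege policies for per-stage Lambda configuration (added example).

Constructed placeholders below (account id, region, table name, parameter
prefix) must be replaced with real values; they are not from the page.
"""
import json

ACCOUNT_ID = "123456789012"        # constructed placeholder
REGION = "us-east-1"               # constructed placeholder
TABLE_NAME = "lambda-config"       # hypothetical DynamoDB table name
PARAM_PREFIX = "/myapp"            # hypothetical Parameter Store hierarchy root
STAGES = ("dev", "qa", "prod")     # the aliases named in the question


def dynamodb_stage_policy(stage: str) -> dict:
    """Read-only grant on one table, limited to items whose partition key is
    the alias name. dynamodb:LeadingKeys is DynamoDB's documented condition
    key for fine-grained access control on the partition key value."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage: {stage}")
    table_arn = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{TABLE_NAME}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"ReadConfig{stage.capitalize()}",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": table_arn,
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [stage]}
            },
        }],
    }


def ssm_stage_policy(stage: str) -> dict:
    """Equivalent grant for the hierarchical Parameter Store layout the answer
    suggests: parameters live under /myapp/<stage>/... and the role for one
    alias can only read its own subtree."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage: {stage}")
    # SSM parameter ARNs drop the leading slash of the parameter name.
    param_arn = f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter{PARAM_PREFIX}/{stage}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"ReadParams{stage.capitalize()}",
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
            "Resource": param_arn,
        }],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list[str]:
    """Return findings for Allow statements that would widen access beyond a
    single stage: wildcard actions, wildcard resources, or a DynamoDB table
    grant carrying no dynamodb:LeadingKeys condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if any(r == "*" for r in resources):
            findings.append(f"{sid}: wildcard resource")
        touches_table = any(":table/" in r for r in resources)
        scoped = "dynamodb:LeadingKeys" in json.dumps(stmt.get("Condition", {}))
        if touches_table and not scoped:
            findings.append(f"{sid}: table grant not scoped to a stage")
    return findings


if __name__ == "__main__":
    for stage in STAGES:
        for pol in (dynamodb_stage_policy(stage), ssm_stage_policy(stage)):
            print(json.dumps(pol, indent=2))
            print("findings:", audit_policy(pol) or "none")
```

Attach the DynamoDB policy (or the Parameter Store one, if you follow the answer) to each alias's execution role, keep the administrators' access in a separate role or group, and run `audit_policy` over every other policy that mentions the table or the parameter path; any finding means a principal outside the intended set can reach the configuration data.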
