overexchange

Reputation: 1

When/How to use permission boundary in serverless function?

The SAM template below:

  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Events:
        MySQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt somequeue.Arn
            BatchSize: 10

  somequeue:
    Type: AWS::SQS::Queue

automatically creates a default role (shown here as JSON) with the policies below:

{
  "roleName": "somestack-HelloWorldFunctionRole-AAAAAAAAA",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "sqs:ReceiveMessage",
              "sqs:DeleteMessage",
              "sqs:GetQueueAttributes",
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      },
      "name": "AWSLambdaSQSQueueExecutionRole",
      "id": "ANPAJFWJZI6JNND4TSELK",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole"
    },
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      },
      "name": "AWSLambdaBasicExecutionRole",
      "id": "ANPAJNCQGXC42545SKXIK",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    }
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

We need to enforce access rules for specific actions on specific resources (shown in the YAML below) and deny access to other resources (in log groups).

1) Do I need to use a permission boundary or a policy to enforce the rules below for the above SAM template?

- Effect: Allow
  Action:
    - "logs:CreateLogGroup"
  Resource:
    - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"

2) What is the procedure to create a permission boundary through the SAM template for a Lambda function? It asks for an ARN.

Upvotes: 0

Views: 1678

Answers (2)

Martin Löper

Reputation: 6649

I think you should use a policy.
Permission boundaries are an AWS IAM feature which is mainly designed "to delegate permissions management to trusted employees" (i.e. you want to give some users the possibility to create or manage existing AWS users). [1]

As an administrator who configures the system initially, using permissions with statements that contain Allow and Deny actions should be sufficient to achieve what you want.

Edit:

You can restrict the resource to which permission is granted by the following policy for example:

- Effect: Deny
  Action:
    - "logs:CreateLogGroup"
  NotResource:
    - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"

References

[1] https://aws.amazon.com/de/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/

Upvotes: 1

Matus Dubrava

Reputation: 14482

I would not recommend using permission boundaries in this case. The above-mentioned permissions are created by default by SAM. If you need more restrictive permissions, then what you can do is create your own Role and use that Role instead of the one that is automatically created by SAM.

If you use your own Role, SAM will not add additional permissions to it so you can tailor it according to your needs.

Here is an example of how you can do that.

Transform: 'AWS::Serverless-2016-10-31'
Resources:
    ThumbnailFunction:
        Type: 'AWS::Serverless::Function'
        Properties:
            Runtime: nodejs8.10
            Handler: index.handler
            CodeUri: ./src
            Role: !GetAtt FunctionInvokeRole.Arn
            Events:
                MySQSEvent:
                    Type: SQS
                    Properties:
                        Queue: !GetAtt somequeue.Arn
                        BatchSize: 10

    somequeue:
        Type: AWS::SQS::Queue

    FunctionInvokeRole:
        Type: AWS::IAM::Role
        Properties:
            AssumeRolePolicyDocument:
                Version: '2012-10-17'
                Statement:
                    - Effect: 'Allow'
                      Principal:
                          Service:
                              - 'lambda.amazonaws.com'
                      Action:
                          - 'sts:AssumeRole'
            Policies:
                - PolicyName: 'root'
                  PolicyDocument:
                      Version: '2012-10-17'
                      Statement:
                          - Effect: 'Allow'
                            Action: '*'
                            Resource: '*'

Use the Policies attribute in FunctionInvokeRole to specify your own policies.

Upvotes: 2
