user2485980

Reputation: 41

AWS IAM resource policy and Lambda Role not working

I have a question regarding AWS Lambdas and setting the access (resource) policy on AWS OpenSearch (using Elasticsearch 6.8 under the hood).

What I want to do is to set up the following access policy on AWS OpenSearch. It seems a bit weird, but it is necessary to do it this way for some reasons (I won't go into detail on those yet):

(1) I want ALL roles ("AWS": "*") to be able to do everything ("es:*") EXCEPT that they must not be able to delete anything from my OpenSearch instance. In other words, I want to prevent them from doing an ESHttpDelete operation.

(2) However, I DO STILL want the Lambda (that has the role arn:aws:iam::123456789:role/testelk-purge-elk-role) to be able to do the ESHttpDelete.

Therefore, my actual access policy is as follows (obviously I have changed the names). This should work, although it is a bit convoluted. HOWEVER, it does not work, due to some way that Lambdas use their execution role that I am not yet understanding. Any ideas or help in this area would be appreciated.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-2:123456789:domain/domain-elktest/*"
    },
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::123456789:role/testelk-purge-elk-role"
        ]
      },
      "Action": "es:ESHttpDelete",
      "Resource": "arn:aws:es:eu-west-2:123456789:domain/domain-elktest/*"
    }
  ]
}

The above, I think, should work. However, the error I get when I run the lambda is as follows:

Index logstash-2024.03.28 delete error Authorization Exception :: {"path":"/logstash-2024.03.28","query":{},"statusCode":403,"response":"{"Message":"User: arn:aws:sts::123456789:assumed-role/testelk-purge-elk-role/testelk-purge-elk is not authorized to perform: es:ESHttpDelete with an explicit deny in a resource-based policy"}"}

Upvotes: 0

Views: 277

Answers (1)

jellycsc

Reputation: 12359

Try this

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-2:123456789:domain/domain-elktest/*"
    },
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:ESHttpDelete",
      "Resource": "arn:aws:es:eu-west-2:123456789:domain/domain-elktest/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789:role/testelk-purge-elk-role"
        }
      }
    }
  ]
}

Upvotes: 0
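The difference between the two policies comes down to which ARN each one compares. The request from the Lambda arrives as the assumed-role session ARN shown in the error (arn:aws:sts::...:assumed-role/testelk-purge-elk-role/testelk-purge-elk), while NotPrincipal in the question lists only the IAM role ARN, so the session is not exempted and the Deny applies; the condition key aws:PrincipalArn, by contrast, resolves to the role ARN for an assumed-role session, which is why the answer's StringNotEquals condition lets that Lambda through. The following is an added simulation of just that distinction, not AWS's evaluator and not code from the question or answer; it models only the principal-matching step and assumes the ARNs shown on this page.

```python
"""Added illustration: why the NotPrincipal deny hits the Lambda session
while the aws:PrincipalArn condition does not. Simplified model of the
IAM principal-matching step only; the ARNs are taken from the question."""
import re

ROLE = "arn:aws:iam::123456789:role/testelk-purge-elk-role"
# Session ARN taken from the 403 message in the question.
LAMBDA_SESSION = ("arn:aws:sts::123456789:assumed-role/"
                  "testelk-purge-elk-role/testelk-purge-elk")
# Constructed session for some other role that must be denied deletes.
OTHER_SESSION = "arn:aws:sts::123456789:assumed-role/reporting-role/s1"

_ASSUMED = re.compile(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/[^/]+")


def principal_arn(request_principal: str) -> str:
    """Value of the aws:PrincipalArn condition key for a request.
    For an assumed-role session this is the underlying role ARN, not
    the session ARN, so every session of the role compares equal."""
    m = _ASSUMED.fullmatch(request_principal)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return request_principal


def denied_by_notprincipal(request_principal: str, excluded: list) -> bool:
    """Deny statement with NotPrincipal: the deny applies to every
    principal that is not an exact entry in the list. The request
    principal is the session ARN, so listing only the role ARN does
    not exempt sessions of that role."""
    return request_principal not in excluded


def denied_by_condition(request_principal: str, allowed_role: str) -> bool:
    """Deny with Principal "*" and StringNotEquals on aws:PrincipalArn:
    compares the role ARN behind the session with the allowed role."""
    return principal_arn(request_principal) != allowed_role


if __name__ == "__main__":
    # Question's policy: Lambda session is still denied.
    print("NotPrincipal denies Lambda:",
          denied_by_notprincipal(LAMBDA_SESSION, [ROLE]))
    # Answer's policy: Lambda allowed, other sessions still denied.
    print("Condition denies Lambda:",
          denied_by_condition(LAMBDA_SESSION, ROLE))
    print("Condition denies other role:",
          denied_by_condition(OTHER_SESSION, ROLE))
```

Adding the assumed-role session ARN to the NotPrincipal list would also exempt that one session, but the condition-key form covers every session of the role without enumerating session names.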
