Micro Manage AWS resources in a multi-team env

Lokendra Lodha
Feb 4, 2022

Suppose three teams share one AWS account: say Frontend, Payments and Blockchain.

You decide that each team may only manage, read and list the S3, Lambda and CloudFront resources that belong to its own module.

The essence is:

(Only a Lambda function policy example is given below, but the same approach extends to the other resources.)

- If the three teams work on frontend, payments and blockchain,
- the admin requires each team to name its Lambda functions with a prefix, say:
frontend-, payments-, blockchain-
- then defines one policy per prefix, following the prefix-based example below,
- and attaches each policy to the targeted IAM user (or to an IAM group that holds the team's users).

Because lambda:CreateFunction is authorized against the function ARN, scoping the resource to the prefix also prevents a team from creating functions outside its own namespace.

The following shows an example of a permissions policy with limited scope (it follows the prefix-based example in the AWS Lambda Developer Guide, with the prefix and role name changed).
It allows a user to create and manage Lambda functions whose names begin with a designated prefix (frontend-)
and that are configured with a designated execution role (frontend-lambda-execution-role). Because iam:PassRole is limited to that one role, the user cannot attach a more privileged role to a function.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:GetAccountSettings",
        "lambda:GetEventSourceMapping",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:GetFunctionCodeSigningConfig",
        "lambda:GetFunctionConcurrency",
        "lambda:ListEventSourceMappings",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DevelopFunctions",
      "Effect": "Allow",
      "NotAction": [
        "lambda:AddPermission",
        "lambda:PutFunctionConcurrency"
      ],
      "Resource": "arn:aws:lambda:*:*:function:frontend-*"
    },
    {
      "Sid": "DevelopEventSourceMappings",
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteEventSourceMapping",
        "lambda:UpdateEventSourceMapping",
        "lambda:CreateEventSourceMapping"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "lambda:FunctionArn": "arn:aws:lambda:*:*:function:frontend-*"
        }
      }
    },
    {
      "Sid": "PassExecutionRole",
      "Effect": "Allow",
      "Action": [
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:PassRole",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "arn:aws:iam::*:role/frontend-lambda-execution-role"
    },
    {
      "Sid": "ViewLogs",
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/frontend-*"
    }
  ]
}
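The steps above (pick a prefix per team, stamp out one policy per prefix, attach it) and the policy itself are easy to get subtly wrong, so the following added example, which is not code from the original post, generates the policy for any team prefix and then checks a handful of requests against it with a small evaluator. The evaluator implements only what these policies use (Allow, Action/NotAction, wildcard Resource ARNs and one StringLike condition); it is not a substitute for iam:SimulatePrincipalPolicy. The account id 123456789012, the region us-east-1, the "-api" function names and the "Admin" role name are constructed for the check, and the role naming pattern "<prefix>-lambda-execution-role" is assumed from the post's frontend example.

```python
"""Generate the post's per-team Lambda policy for any prefix and check what it allows.

Added example, not code from the original post. The evaluator covers only the
features these policies use (Allow, Action/NotAction, wildcard Resource ARNs,
one StringLike condition) and ignores explicit Deny, SCPs and resource policies.
"""
import json
import re

TEAMS = ["frontend", "payments", "blockchain"]  # prefixes named in the post


def team_policy(prefix: str) -> dict:
    """The post's policy with the team prefix substituted. The execution role
    name '<prefix>-lambda-execution-role' is assumed from the frontend example."""
    fn_arn = f"arn:aws:lambda:*:*:function:{prefix}-*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOnlyPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["lambda:GetAccountSettings", "lambda:GetEventSourceMapping",
                    "lambda:GetFunction", "lambda:GetFunctionConfiguration",
                    "lambda:GetFunctionCodeSigningConfig", "lambda:GetFunctionConcurrency",
                    "lambda:ListEventSourceMappings", "lambda:ListFunctions",
                    "lambda:ListTags", "iam:ListRoles"]},
        # NotAction: every action except these two, but only on this team's function ARNs
        {"Sid": "DevelopFunctions", "Effect": "Allow", "Resource": fn_arn,
         "NotAction": ["lambda:AddPermission", "lambda:PutFunctionConcurrency"]},
        {"Sid": "DevelopEventSourceMappings", "Effect": "Allow", "Resource": "*",
         "Action": ["lambda:DeleteEventSourceMapping", "lambda:UpdateEventSourceMapping",
                    "lambda:CreateEventSourceMapping"],
         "Condition": {"StringLike": {"lambda:FunctionArn": fn_arn}}},
        {"Sid": "PassExecutionRole", "Effect": "Allow",
         "Action": ["iam:ListRolePolicies", "iam:ListAttachedRolePolicies", "iam:GetRole",
                    "iam:GetRolePolicy", "iam:PassRole", "iam:SimulatePrincipalPolicy"],
         "Resource": f"arn:aws:iam::*:role/{prefix}-lambda-execution-role"},
        {"Sid": "ViewLogs", "Effect": "Allow", "Action": ["logs:*"],
         "Resource": f"arn:aws:logs:*:*:log-group:/aws/lambda/{prefix}-*"},
    ]}


def _glob(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_matches(stmt: dict, action: str, resource: str, context: dict) -> bool:
    """Does one statement cover this request? Actions match case-insensitively,
    ARNs case-sensitively; a StringLike condition fails if its key is absent."""
    if "Action" in stmt:
        if not any(_glob(a, action, False) for a in _as_list(stmt["Action"])):
            return False
    elif any(_glob(a, action, False) for a in _as_list(stmt["NotAction"])):
        return False
    if not any(_glob(r, resource, True) for r in _as_list(stmt["Resource"])):
        return False
    for key, pat in stmt.get("Condition", {}).get("StringLike", {}).items():
        if key not in context or not _glob(pat, context[key], True):
            return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: dict = None) -> bool:
    """Implicit deny unless some Allow statement matches (these policies have no Deny)."""
    return any(s["Effect"] == "Allow" and statement_matches(s, action, resource, context or {})
               for s in policy["Statement"])


def cross_team_check(prefix: str, other: str) -> dict:
    """What the `prefix` team's policy allows against its own and `other`'s resources.
    Account id 123456789012, region us-east-1 and the '-api' function names are constructed."""
    pol = team_policy(prefix)
    own = f"arn:aws:lambda:us-east-1:123456789012:function:{prefix}-api"
    theirs = f"arn:aws:lambda:us-east-1:123456789012:function:{other}-api"
    role = "arn:aws:iam::123456789012:role/"
    return {
        "update_own_code": is_allowed(pol, "lambda:UpdateFunctionCode", own),
        "update_their_code": is_allowed(pol, "lambda:UpdateFunctionCode", theirs),
        "read_their_config": is_allowed(pol, "lambda:GetFunctionConfiguration", theirs),
        "add_permission_own": is_allowed(pol, "lambda:AddPermission", own),
        "pass_own_role": is_allowed(pol, "iam:PassRole", role + f"{prefix}-lambda-execution-role"),
        "pass_admin_role": is_allowed(pol, "iam:PassRole", role + "Admin"),
        "map_own_source": is_allowed(pol, "lambda:CreateEventSourceMapping", "*",
                                     {"lambda:FunctionArn": own}),
        "map_their_source": is_allowed(pol, "lambda:CreateEventSourceMapping", "*",
                                       {"lambda:FunctionArn": theirs}),
    }


if __name__ == "__main__":
    for team in TEAMS:  # one policy document per team, ready for iam create-policy
        print(json.dumps(team_policy(team), indent=2))
    print(cross_team_check("frontend", "payments"))
```

Two results of the check are worth dwelling on. The cross-team writes, the AddPermission call and the attempt to pass the Admin role are all denied, which is the isolation the post is after. But read_their_config comes back allowed: the ReadOnlyPermissions statement is on Resource "*", so every team can call lambda:GetFunctionConfiguration and lambda:GetFunction on the other teams' functions, which exposes their configuration (environment variables included) and a download link for their code. lambda:ListFunctions genuinely has to stay on "*", but the Get* actions can be moved into a statement scoped to the team's prefix ARN if that read access is not intended. Separately, the PassRole statement is what keeps the team on its own execution role, so that role's trust policy should allow only lambda.amazonaws.com and the team must not be able to create or edit roles matching the name.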
