
Fix CRLY.01176: Constrain IAM Write Access#42

Open
curly-review[bot] wants to merge 1 commit into master from curly/fix-crly.01176-cfn-dynamodb-tables-f8cc09

Conversation


@curly-review curly-review Bot commented May 1, 2025

Issue Details

ID: CRLY.01176
Severity: HIGH
File: sam/cfn/cfn-dynamodb-tables.yaml


Remediation Summary

Description

The IAM policy defined in the provided YAML file allows unrestricted write access to DynamoDB tables and CloudWatch alarms. This poses a security risk as it could lead to unauthorized modifications or deletions. To mitigate this, we need to constrain the IAM policy to only allow write access under specific conditions.

Steps

  1. Identify the IAM policy that needs modification:
    The policy in question is defined in the sam/cfn/cfn-dynamodb-tables.yaml file.

  2. Update the IAM policy to restrict write access:
    We need to add conditions to the policy statements that allow write access only under specific circumstances. For example, we can restrict write access to certain DynamoDB tables or CloudWatch alarms.

  3. Implement the changes programmatically:
    Here's an example of how you can modify the IAM policy using AWS CloudFormation in YAML:

  dynamodbAutoscalingPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: dynamodbAutoscaling
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Read-only metric lookup. GetMetricStatistics supports no resource-level
          # permissions, so "*" is unavoidable here, but nothing in this statement writes.
          - Effect: Allow
            Action:
              - cloudwatch:GetMetricStatistics
            Resource: "*"
          # Alarm writes are limited by ARN to the target-tracking alarms that
          # Application Auto Scaling creates for this one table (prefix
          # TargetTracking-table/<table-name>).
          - Effect: Allow
            Action:
              - cloudwatch:PutMetricAlarm
              - cloudwatch:DescribeAlarms
              - cloudwatch:SetAlarmState
              - cloudwatch:DeleteAlarms
            Resource:
              - !Sub arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:TargetTracking-table/${DynamoDBTable}*
          # Table reads and writes are limited to the table's own ARN. There is no
          # dynamodb:TableName condition key, so the scoping is done via Resource.
          - Effect: Allow
            Action:
              - dynamodb:DescribeTable
              - dynamodb:UpdateTable
            Resource:
              - !GetAtt DynamoDBTable.Arn
      Roles:
        - !Ref dynamodbAutoscalingRole

In this example:

  • cloudwatch:GetMetricStatistics keeps Resource "*" because the action supports no resource-level permissions; it is read-only, so it grants no write access.
  • The alarm write actions (PutMetricAlarm, SetAlarmState, DeleteAlarms) and DescribeAlarms are restricted by ARN to the scaling alarms of the one table.
  • The dynamodb:DescribeTable and dynamodb:UpdateTable actions are allowed only for that table's ARN.
  4. Deploy the updated IAM policy:
    Ensure that the updated IAM policy is deployed using your CI/CD pipeline. This can be done by updating the CloudFormation stack or using the AWS SDK in your preferred programming language.

By following these steps, you can constrain IAM write access and enhance the security of your AWS resources.
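A check for the pattern this PR remediates, added here as an example and not part of the PR or the curly-review bot: it walks a CloudFormation template (JSON form, held as a Python dict with hypothetical logical IDs) and reports every Allow statement in an IAM policy resource that grants a write action on Resource "*" with no Condition.

```python
# Prefixes of DynamoDB/CloudWatch actions that only read state; anything else
# (including wildcards) is treated as a write for this check.
READ_PREFIXES = ("Describe", "Get", "List", "Query", "Scan", "BatchGet")

def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_write(action: str) -> bool:
    if action == "*" or action.endswith(":*"):
        return True
    return not action.split(":", 1)[-1].startswith(READ_PREFIXES)

def find_unconstrained_writes(template: dict) -> list:
    """Return one finding per Allow statement in an IAM policy resource that
    grants a write action on Resource "*" with no Condition (the CRLY.01176
    shape). Each finding names the logical resource ID and statement index."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
            if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
                continue
            if "*" not in _as_list(stmt.get("Resource", [])):
                continue
            writes = [a for a in _as_list(stmt.get("Action", [])) if _is_write(a)]
            if writes:
                findings.append({"resource": logical_id, "statement": idx,
                                 "actions": writes})
    return findings

# Constructed sample (JSON-form CloudFormation, hypothetical logical IDs):
# statement 0 is the unconstrained shape this PR fixes, statement 1 is scoped.
SAMPLE_TEMPLATE = {"Resources": {"dynamodbAutoscalingPolicy": {
    "Type": "AWS::IAM::Policy",
    "Properties": {"PolicyName": "dynamodbAutoscaling", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["dynamodb:DescribeTable", "cloudwatch:PutMetricAlarm",
                        "cloudwatch:DeleteAlarms", "cloudwatch:GetMetricStatistics"]},
            {"Effect": "Allow", "Action": ["dynamodb:UpdateTable"],
             "Resource": [{"Fn::GetAtt": ["DynamoDBTable", "Arn"]}]}]}}}}}

if __name__ == "__main__":
    for f in find_unconstrained_writes(SAMPLE_TEMPLATE):
        print(f"{f['resource']} statement {f['statement']}: {f['actions']}")
```

For a real YAML template with short-form tags such as !GetAtt, load it with a CloudFormation-aware YAML loader first; the check itself only needs the resulting dict.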
