AWS: 无法使用”dynamodb:LeadingKeys”条件来控制对DynamoDB中GSI的访问

huangapple go评论57阅读模式
英文:

AWS: Unable to use the "dynamodb:LeadingKeys" condition to control access to a GSI in DynamoDB

问题

我一直在参考AWS的这些博客文章,以实现在DynamoDB中实现租户数据隔离。我制定了以下附加到用于访问我在DynamoDB中创建的表的IAM角色的IAM策略。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "ForAllValues:StringLike": {
                    "dynamodb:LeadingKeys": [
                        "tenant/t001/product/*"
                    ]
                }
            },
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT-NUMBER>:table/<TABLE-NAME>",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "ForAllValues:StringLike": {
                    "dynamodb:LeadingKeys": [
                        "tenant/t001/*"
                    ]
                }
            },
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT-NUMBER>:table/<TABLE-NAME>/index/<INDEX-NAME>",
            "Effect": "Allow"
        }
    ]
}

使用此策略,当我传递给表的主键(PartKey1)的分区键的值不遵循tenant/t001/product/*模式时,我被拒绝访问执行PutItem操作。例如,当我如预期地将t002作为租户ID传递给PartKey1时,我被拒绝访问,而应该是t001才能成功执行PutItem操作。

但是,在GSI上的情况不同。它简单地接受我传递给GSI的分区键(PartKey2)的任何值。

然后,我在第二个语句中将dynamodb:PutItem操作更改为仅为dynamodb:Query。因此,新的内联策略将如下所示。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "ForAllValues:StringLike": {
                    "dynamodb:LeadingKeys": [
                        "tenant/t001/product/*"
                    ]
                }
            },
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT-NUMBER>:table/<TABLE-NAME>",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "ForAllValues:StringLike": {
                    "dynamodb:LeadingKeys": [
                        "tenant/t001/*"
                    ]
                }
            },
            "Action": "dynamodb:Query",
            "Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT-NUMBER>:table/<TABLE-NAME>/index/<INDEX-NAME>",
            "Effect": "Allow"
        }
    ]
}

通过这个更改,当我尝试使用不遵循tenant/t001/*模式的值查询GSI时,我被拒绝访问(如预期)。

我无法想出为什么AWS允许在dynamodb:Query条件下使用dynamodb:LeadingKeys(对于GSI),但在dynamodb:PutItem条件下不允许。因为为什么我们会在插入时无法隔离租户数据的情况下,在查询时去麻烦隔离它们呢?

我有遗漏什么吗?

英文:

I have been referring to these blog articles from AWS to implement tenant data isolation in DynamoDB. I came up with the below IAM policy which is attached to the IAM Role going to be used to access the table I've created in DynamoDB.

{
    &quot;Version&quot;: &quot;2012-10-17&quot;,
    &quot;Statement&quot;: [
        {
            &quot;Condition&quot;: {
                &quot;ForAllValues:StringLike&quot;: {
                    &quot;dynamodb:LeadingKeys&quot;: [
                        &quot;tenant/t001/product/*&quot;
                    ]
                }
            },
            &quot;Action&quot;: &quot;dynamodb:PutItem&quot;,
            &quot;Resource&quot;: &quot;arn:aws:dynamodb:&lt;REGION&gt;:&lt;ACCOUNT-NUMBER&gt;:table/&lt;TABLE-NAME&gt;&quot;,
            &quot;Effect&quot;: &quot;Allow&quot;
        },
        {
            &quot;Condition&quot;: {
                &quot;ForAllValues:StringLike&quot;: {
                    &quot;dynamodb:LeadingKeys&quot;: [
                        &quot;tenant/t001/*&quot;
                    ]
                }
            },
            &quot;Action&quot;: &quot;dynamodb:PutItem&quot;,
            &quot;Resource&quot;: &quot;arn:aws:dynamodb:&lt;REGION&gt;:&lt;ACCOUNT-NUMBER&gt;:table/&lt;TABLE-NAME&gt;/index/&lt;INDEX-NAME&gt;&quot;,
            &quot;Effect&quot;: &quot;Allow&quot;
        }
    ]
}

With this, I was denied access to perform PutItem on the table when the value I passed for the Partition Key (PartKey1) of the table's Primary Key is NOT following the pattern tenant/t001/product/*. For example, I was denied access when I passed tenant/t002/product/p001 to PartKey1 as expected. Because I'm giving t002 as the tenant id, which should have been t001 to successfully perform PutItem.

But, it was not the same with the GSI. It simply accepts any value I pass into the Partition Key of the GSI (PartKey2).

Then I changed the dynamodb:PutItem action to dynamodb:Query ONLY in the second statement. So the new inline policy would look like this.

{
    &quot;Version&quot;: &quot;2012-10-17&quot;,
    &quot;Statement&quot;: [
        {
            &quot;Condition&quot;: {
                &quot;ForAllValues:StringLike&quot;: {
                    &quot;dynamodb:LeadingKeys&quot;: [
                        &quot;tenant/t001/product/*&quot;
                    ]
                }
            },
            &quot;Action&quot;: &quot;dynamodb:PutItem&quot;,
            &quot;Resource&quot;: &quot;arn:aws:dynamodb:&lt;REGION&gt;:&lt;ACCOUNT-NUMBER&gt;:table/&lt;TABLE-NAME&gt;&quot;,
            &quot;Effect&quot;: &quot;Allow&quot;
        },
        {
            &quot;Condition&quot;: {
                &quot;ForAllValues:StringLike&quot;: {
                    &quot;dynamodb:LeadingKeys&quot;: [
                        &quot;tenant/t001/*&quot;
                    ]
                }
            },
            &quot;Action&quot;: &quot;dynamodb:Query&quot;,
            &quot;Resource&quot;: &quot;arn:aws:dynamodb:&lt;REGION&gt;:&lt;ACCOUNT-NUMBER&gt;:table/&lt;TABLE-NAME&gt;/index/&lt;INDEX-NAME&gt;&quot;,
            &quot;Effect&quot;: &quot;Allow&quot;
        }
    ]
}

With this change, I was denied access (as expected) when I tried to query the GSI with a value that doesn't follow the pattern tenant/t001/*, for example, tenant/t002/product.

I couldn't think of any reason why would AWS allow the use of dynamodb:LeadingKeys (for a GSI) in conditions when it is dynamodb:Query but not with dynamodb:PutItem. Because why would we go into trouble of isolating tenant data in Query time, when we cannot isolate them during the insertion?

Am I missing something here?

AWS blog articles, documentations:

答案1

得分: 1

你不能对 GSI(或 LSI)执行 PutItem 操作...

因此,在你的原始策略中:

"Action": "dynamodb:PutItem",
"Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT-NUMBER>:table/<TABLE-NAME>/index/<INDEX-NAME>",
"Effect": "Allow"

没有任何效果...

英文:

You can't PutItem to GSI (or LSI) ...

So in your original policy

&quot;Action&quot;: &quot;dynamodb:PutItem&quot;,
&quot;Resource&quot;: &quot;arn:aws:dynamodb:&lt;REGION&gt;:&lt;ACCOUNT-NUMBER&gt;:table/&lt;TABLE-NAME&gt;/index/&lt;INDEX-NAME&gt;&quot;,
&quot;Effect&quot;: &quot;Allow&quot;

Has zero effect...

huangapple
  • 本文由 发表于 2023年2月9日 01:28:50
  • 转载请务必保留本文链接:https://go.coder-hub.com/75389578.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定