英文:
Where can I view the existing permissions of a dynamoDB table?
问题
我试图确认另一个用户设置的现有 DynamoDB 表的权限,但找不到查看它们的位置。
Google 提供了大量关于如何设置权限的文档,但我找不到如何查看现有策略的方法。
我进入了我设置的表,并且知道我已经为它们配置了权限,因为我认为它们可能没有成功设置任何权限,但我也看不到这些现有表上的任何权限。我似乎可以查看其他 AWS 服务的类似权限。
这似乎是一个非常明显需要审查的事情。也许我缺少一个允许我查看这个的通用权限?
英文:
I am attempting to confirm the permissions on an existing dynamoDB table set up by another user, but cannot find where to view them.
Google has provided lots of documentation on exactly how to set permissions up, but I have been unable to find how to view existing policies.
I went into tables I set up and know I've configured permissions for because I thought they might have failed to set up any, but can't see any permissions on those existing tables either. I seem to be able to view similar permissions for other AWS services.
It seems like a really obvious thing to need to review. Perhaps I'm missing a general permission to allow me to view this?
答案1
得分: 2
AWS支持基于身份的策略和基于资源的策略。基于身份的策略附加到IAM用户、组或角色。基于资源的策略附加到AWS资源,但并非所有AWS资源类型都支持基于资源的策略(例如,S3存储桶和KMS密钥支持,但DynamoDB表不支持)。
通常情况下,IAM身份具有对AWS资源执行操作的权限,您需要查看与这些身份关联的IAM策略,以确定谁可以执行什么操作。
因此,您不会在DynamoDB表本身找到允许访问特定DynamoDB表的IAM身份集的信息。相反,要查找允许相关DynamoDB权限的IAM策略,然后确定这些策略适用于哪些IAM主体。
对于那些支持基于资源的策略的资源,它们分为两类:
- 资源策略可以单方面允许对底层资源的访问(例如,S3存储桶可以允许同一AWS帐户中的IAM用户访问存储桶,而IAM用户本身并不具备该权限)。
- 资源策略允许一个IAM身份,但该身份本身必须独立具有相关权限;这是一种双边授权,其中身份具有权限,但资源的所有者还必须明确授权该身份访问该资源(KMS密钥是一个示例)。
我不知道有任何简单的方法来确定谁可以访问特定的DynamoDB表,但一些可能有用的选项包括:
- 使用历史CloudTrail日志查看实际的DynamoDB使用情况,或者
- 创建脚本来审计您的IAM配置(示例在此)。
英文:
AWS supports Identity-based policies and resource-based policies. Identity-based policies are attached to IAM users, groups, or roles. Resource-based policies are attached to AWS resources, however not all AWS resource types support resource-based policies (S3 buckets and KMS keys do but DynamoDB tables don't, for example).
In the general case, IAM identities have permission to act on AWS resources and you need to review the IAM policies associated with those identities to determine who can do what.
So, you won't find information about the set of IAM identities allowed to access a given DynamoDB table on the table itself. Instead, look for IAM policies allowing the relevant DynamoDB permissions and then identify which IAM principals those policies apply to.
For those resources that do support resource-based policies, they fall into one of two categories:
- the resource policy can unilaterally permit access to the underlying resource (e.g. an S3 bucket can permit an IAM user in the same AWS account to access the bucket, without the IAM user inherently having that permission)
- the resource policy permits an IAM identity that itself must independently have the relevant permission; this is a bilateral authorization where the identity has permission but the owner of the resource must also explicitly authorize that access to that identity (KMS keys are an example)
I'm not aware of any simple way to determine who has access to a specific DynamoDB table, but some potentially useful options include:
- use historical CloudTrail logs to see actual DynamoDB usage, or
- create scripts to audit your IAM configuration (example here)
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论