11 June,2024 by Rambler
Question: What IAM changes need to occur to deny certain roles restore privileges for RDS, DynamoDB and DocumentDB? This relates to denying restores from the services' native backups, not backups taken by AWS Backup.
Answer: To cover the restore functionality on RDS, DynamoDB and DocumentDB, these are the actions on each service that a Deny needs to cover. Review each one and decide whether a Deny is warranted; that decision is typically set by the organization's security and operations standards.
Here is a brief description of each action:
rds:RestoreDBInstanceFromDBSnapshot - Grants permission to create a new DB instance from a DB snapshot
rds:RestoreDBInstanceToPointInTime - Grants permission to restore a DB instance to an arbitrary point in time
rds:RestoreDBClusterFromS3 - Grants permission to create an Amazon Aurora DB cluster from data stored in an Amazon S3 bucket
dynamodb:RestoreTableFromAwsBackup - Grants permission to create a new table from recovery point on AWS Backup
dynamodb:RestoreTableFromBackup - Grants permission to create a new table from an existing backup
dynamodb:RestoreTableToPointInTime - Grants permission to restore a table to a point in time
rds:RestoreDBClusterFromSnapshot - Grants permission to create a new DB cluster from a DB cluster snapshot
rds:RestoreDBClusterToPointInTime - Grants permission to restore a DB cluster to an arbitrary point in time
Here is a sample policy document in JSON format (DocumentDB clusters use the rds: action prefix, so the cluster restore actions cover both Aurora and DocumentDB):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "rds:RestoreDBInstanceFromDBSnapshot",
        "rds:RestoreDBInstanceToPointInTime",
        "rds:RestoreDBClusterFromS3",
        "rds:RestoreDBClusterFromSnapshot",
        "rds:RestoreDBClusterToPointInTime",
        "dynamodb:RestoreTableFromBackup",
        "dynamodb:RestoreTableToPointInTime",
        "dynamodb:RestoreTableFromAwsBackup"
      ],
      "Resource": "*"
    }
  ]
}
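The following is an added example, not code from the original post. It builds the deny policy above as a Python dict (so json.dumps() always emits valid JSON, avoiding the missing-comma and stray-space mistakes that are easy to make by hand) and then checks its effect locally with a simplified version of the IAM evaluation rule: an explicit Deny in any attached policy wins over every Allow, and an action with no matching Allow is implicitly denied. The broad "operator" allow policy is constructed for the example, and the evaluator ignores Conditions, resource ARNs, permissions boundaries and SCPs, which is enough here because every statement uses Resource "*".

```python
"""Build the restore-deny policy and check what it does to a broad operator role.

Added example (not the original post's code). Action matching is
case-insensitive and honours the '*' wildcard, as IAM does.
"""
import fnmatch
import json

# The restore actions listed in the post (DocumentDB shares the rds: prefix).
RESTORE_ACTIONS = [
    "rds:RestoreDBInstanceFromDBSnapshot",
    "rds:RestoreDBInstanceToPointInTime",
    "rds:RestoreDBClusterFromS3",
    "rds:RestoreDBClusterFromSnapshot",
    "rds:RestoreDBClusterToPointInTime",
    "dynamodb:RestoreTableFromBackup",
    "dynamodb:RestoreTableToPointInTime",
    "dynamodb:RestoreTableFromAwsBackup",
]


def build_restore_deny_policy() -> dict:
    """Return the Deny policy document as a dict (serialise with json.dumps)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNativeRestores",  # Sid is optional; assumed name
                "Effect": "Deny",
                "Action": list(RESTORE_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def policy_json() -> str:
    """The policy as the JSON string you would paste into IAM."""
    return json.dumps(build_restore_deny_policy(), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(action: str, policies) -> str:
    """Simplified identity-policy evaluation for a single action.

    Returns 'deny' if any explicit Deny statement matches, 'allow' if an
    Allow matches and no Deny does, otherwise 'implicit_deny'.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = _as_list(stmt.get("Action", []))
            if any(_action_matches(p, action) for p in patterns):
                if stmt["Effect"] == "Deny":
                    return "deny"  # explicit deny always wins
                allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed sample: an operator role allowed to do anything in RDS and DynamoDB.
OPERATOR_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["rds:*", "dynamodb:*"], "Resource": "*"}
    ],
}


def effective_decisions(actions) -> dict:
    """Decision per action once the deny policy is attached alongside the allow."""
    policies = [OPERATOR_ALLOW, build_restore_deny_policy()]
    return {a: evaluate(a, policies) for a in actions}


if __name__ == "__main__":
    print(policy_json())
    probe = RESTORE_ACTIONS + ["rds:DescribeDBInstances", "dynamodb:GetItem", "s3:GetObject"]
    for action, decision in effective_decisions(probe).items():
        print(f"{action:40} {decision}")
```

Running it prints the policy and then shows every restore action as "deny" while day-to-day calls such as rds:DescribeDBInstances stay "allow"; that is the before/after check to run against any role's real allow statements before attaching the Deny in an account.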