I implemented lambda function and it's working fine.Can I restrict user to access lambda function by using I AM role? How?
You brought up a good point. Here are things you need to understand about permissions on AWS with Lambda.
What Lambda can do?
This comes under resource-level permissions, create policies or roles and assign it to the lambda. Lambda will have access to those resources.
What a user can do on a Lambda?
This comes under User-Level permissions. As of this writing below screenshot shows the permissions you can control over the lambda. Create a Role and assign it to the user, it will take care of security accordingly.
Hope it helps.
Related
I need to implement an authentication system where a super admin can create multiple different roles with different rights for users. That is, not a system with a set number of roles, but have the option to create as many roles with different combination of rights as the superadmin wants, and then assign them to new users. Also with the option of editing these roles, deleting them etc. I'm fairly new at Node Js. Is this something hard to implement? Are there any articles/videos I can read/watch, to start understanding the process? Where do I start? I'd really appreciate any help. Thank you in advance!
You're thinking about Role-Based Access Control (RBAC). I have actually implemented this in Node.js before, feel free to checkout how I implemented it here: https://github.com/JLCarveth/nodeblog.
It's relatively simple. You need a table for tracking roles. Each role has 0 or more permissions. These permissions can be comma-separated strings, or IDs referencing a permissions table. Each user is then assigned a role.
Each route is protected with a middleware that specifies the needed permissions. If a user accesses this route, check that they have the necessary permissions and continue, reject if not.
Using the AWS SDK I can make a get request and fetch a document, I will then know if I have the IAM access to access the database.
Is there a way to test with the NodeJS AWS SDK to see if I have allow access for the action dynamodb:getItem. Of course I can just write a query but is there a way without me having to spend time writing a meaningless query?
The easiest way I can think of right this moment is to try a simple getItem like you mentioned with a primary key, but do it with the low level API. Then you are not writing a "meaningless query." If I find another way, I'll add it here.
You can simply check through the user's role through console and CLI as well with the get-user-policy command.
CLI Approach:
aws iam get-user-policy --user-name Bob --policy-name ExamplePolicy
With the help of this command, you check the rights you have on that user. For detail look into this DOC.
Console Approach:
Login with AWS Console and Search IAM service
Under the User Section, Search your user whose permission need's to check.
Then in the permission section, you can watch all the permission.
For Privacy and security reasons, I would like to hide my aws lambda function code.
To Disable the following abilities:
The ability to edit lambda code inline.
The ability to download a lambda deployment package
My code is less than 5 MB (So 10 MB concept is ruled-out)
I can't create any IAM role, As most of the admins are superior users than me.
Adding more details
Security Threat - Anyone who has access to the account can modify my
code
Privacy - I don't want other peep into my code unnecessarily
TIA
If there are other users in the same AWS Account that have Admin capabilities, then it is not possible to "protect" your code. They would be able to access and modify the code. (Hopefully you are also keeping your code in a repository for safety and maintenance purposes, so that would need to be protected, too.)
An alternative would be to put the AWS Lambda function into a different AWS Account, then provide cross-account permissions that allow the function to be invoked but not otherwise accessed.
I need to schedule two cloud functions to run at a predefined time using Cloud Scheduler. However, when I click on the Cloud Scheduler tab it shows the below error message.
You don't have permission to enable Cloud Scheduler (appengine.applications.create, serviceusage.services.enable)
So I asked the project owner to grant me access to the below roles:
Cloud Scheduler admin
AppEngine Admin
Service Usage Admin
However, even after this I'm still getting the same message as before.
Below are the current roles that I have access to:
App Engine Admin
BigQuery Data Viewer
BigQuery User
Cloud Scheduler Admin
Cloud SQL Admin
Editor
Service Usage Admin
Storage Admin
Kindly let me know if I'm missing something here.
You don't need to be the project Owner.
You need these permission:
appengine.applications.create
serviceusage.services.enable
Predefined roles for first permission:
roles/owner
roles/appengine.appCreator
Predefined roles for second permission:
roles/owner
roles/editor
roles/serviceusage.serviceUsageAdmin
Since you already are an Editor, you only need to request App Engine Creator role for the first permission.
For you to be able to perform the configuration of Cloud Scheduler, you need to be the Project Owner.
Could you please give it a try asking your administrator to make you the Project Owner?
Understanding roles
This should fix your issue and solve your case. In case it doesn't, let me know if you are facing the same error.
Please, let me know if it worked!
If you are using target HTTP Method in your Cloud Scheduler, you can add Auth Header (Add OAuth token) with a particular or spesific service account.
Problem
I have a Lambda function in Account 1, which retrieves EC2 instance status.
Similarly, I want to retrieve EC2 instance status in other 4 accounts.
What I did
I Created trust relationship with the other 4 account by updating the IAM role.
Question:
Will my python code (residing in my lambda function in account 1) is enough to retrieve ec2 instance status from the other 4 accounts? or should I do something more ?
Please suggest!
Thanks in advance.
Each AWS Account is separate. You cannot access details of one AWS Account from another AWS Account. However, you can temporarily assume an IAM Role from another account to gain access.
Instead, you will need to:
Create an IAM Role for the central Lambda function (Lambda-Role) and grant it permission to call AssumeRole
Create an IAM Role in each account that you wish to access, grant it permission to call DescribeInstances and configure it to trust Lambda-Role
The Lambda function can then loop through each account and:
Call AssumeRole for that account, which will return temporary credentials
Use those credentials to call DescribeInstances