Profile Applicability:

  • Level 1

Description:
 AWS Identity and Access Management (IAM) should be used to control access to AWS-managed database services, such as DynamoDB. IAM enables you to create and manage users, groups, and roles and to assign fine-grained permissions to securely access resources.

Rationale:
 IAM allows you to enforce the principle of least privilege and protect sensitive resources by restricting access based on identity and role. Without deliberately scoped IAM policies (specific actions on specific table ARNs), access to database resources tends to be overly permissive, for example a service-wide wildcard on every resource, increasing the risk of unauthorized data access or modification.

Impact:
 Pros:

  • Enables fine-grained access control to database resources

  • Prevents unauthorized data access or modification

  • Helps achieve compliance and audit requirements

Cons:

  • Requires configuration and periodic review

  • Misconfigured policies can inadvertently restrict legitimate access

Default Value:
 IAM permissions must be explicitly created and attached to an identity. By default, no access is granted: every request is implicitly denied unless a policy explicitly allows it, and an explicit Deny always overrides an Allow.

Pre-requisites:

  • IAM permissions to create and manage users, roles, and policies

  • Knowledge of required access patterns and database resources

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to IAM > Users, Roles, or Policies

  3. Identify users or roles associated with database services (e.g., DynamoDB)

  4. Verify that IAM policies are in place and grant only necessary permissions

  5. Ensure the policies are scoped to specific actions and resources (e.g., table-level access)

Using AWS CLI:

  1. List managed policies attached to a specific user (and any inline policies it carries):

     aws iam list-attached-user-policies --user-name <user-name>
     aws iam list-user-policies --user-name <user-name>
  2. Retrieve a managed policy document (use the DefaultVersionId returned by get-policy as the version ID):

     aws iam get-policy --policy-arn <policy-arn>
     aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>
  3. List roles, then the managed policies attached to each role of interest:

     aws iam list-roles
     aws iam list-attached-role-policies --role-name <role-name>
  4. List and retrieve inline policies for a role:

     aws iam list-role-policies --role-name <role-name>
     aws iam get-role-policy --role-name <role-name> --policy-name <policy-name>
  5. In each returned document, confirm that Action does not contain "dynamodb:*" or "*" and that Resource names specific table ARNs rather than "*".

Implementation Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to IAM > Policies > Create Policy

  3. Choose Service as DynamoDB

  4. Select only the specific Actions the identity needs, such as GetItem, PutItem, Query, or Scan

  5. Choose Resources and specify the database table(s)

  6. Click Next, name the policy, and create it

  7. Go to Users or Roles, select the appropriate identity

  8. Click Add permissions > Attach policies directly

  9. Attach the newly created policy

Using AWS CLI:

  1. Write the policy document to a file (for example dynamodb-access-policy.json), then create the IAM policy from it:

    aws iam create-policy --policy-name DynamoDBAccessPolicy --policy-document file://dynamodb-access-policy.json
  2. Attach the policy to a user:

    aws iam attach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBAccessPolicy
  3. Or attach to a role:

    aws iam attach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBAccessPolicy
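The following Python script is an added example and not part of this recommendation or of any AWS tooling. It serves two steps above: for the Test Plan it audits a policy document (piped in from aws iam get-policy-version or aws iam get-role-policy, or passed as a bare document) and reports wildcard actions, resources not scoped to a specific table, and NotAction/NotResource statements; for the Implementation Plan it carries a constructed, table-scoped document of the kind you would save as dynamodb-access-policy.json. The approved action set, the account ID 111122223333, the region us-east-1, and the table name Orders are assumptions made for the samples.

```python
"""Audit IAM policy JSON for DynamoDB least privilege (added example).

Not AWS tooling. The approved action set, account ID 111122223333, region
us-east-1 and table name Orders below are assumptions for the samples.
"""
import json
import sys

# Data-plane actions an application identity typically needs. Anything else
# that targets DynamoDB (control-plane actions such as DeleteTable, or any
# wildcard) is reported. Assumed for this example; adjust to your access pattern.
APPROVED_ACTIONS = {
    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
    "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:DescribeTable",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_table_scoped(resource):
    """True if the ARN names one specific table (a wildcard on its indexes is allowed)."""
    if not resource.startswith("arn:aws:dynamodb:"):
        return False
    _, sep, tail = resource.partition(":table/")
    table_name = tail.split("/", 1)[0] if sep else ""
    return bool(table_name) and "*" not in table_name


def audit_policy(document):
    """Return a list of findings for the Allow statements of one policy document."""
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: uses NotAction/NotResource, which allows "
                            "everything that is not listed")
            continue
        dynamo_actions = [a for a in _as_list(stmt.get("Action"))
                          if a == "*" or a.lower().startswith("dynamodb:")]
        if not dynamo_actions:
            continue  # statement does not touch DynamoDB
        for action in dynamo_actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in APPROVED_ACTIONS:
                findings.append(f"{sid}: action {action!r} is outside the approved data-plane set")
        for resource in _as_list(stmt.get("Resource")):
            if not is_table_scoped(resource):
                findings.append(f"{sid}: resource {resource!r} is not scoped to a specific table")
    return findings


def audit_cli_output(text):
    """Audit raw JSON from `aws iam get-policy-version` (PolicyVersion.Document),
    `aws iam get-role-policy` / `get-user-policy` (PolicyDocument), or a bare document."""
    data = json.loads(text)
    document = (data.get("PolicyVersion", {}).get("Document")
                or data.get("PolicyDocument") or data)
    return audit_policy(document)


# Constructed sample: what a "just make it work" policy often looks like.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

# Constructed sample: table-scoped document suitable for dynamodb-access-policy.json.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrdersTableReadWrite",
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": [
            "arn:aws:dynamodb:us-east-1:111122223333:table/Orders",
            "arn:aws:dynamodb:us-east-1:111122223333:table/Orders/index/*",
        ],
    }],
}


if __name__ == "__main__":
    # Usage: aws iam get-policy-version --policy-arn <arn> --version-id <id> | python3 audit.py
    # With no stdin, the overly permissive sample is audited so the script runs stand-alone.
    text = sys.stdin.read() if not sys.stdin.isatty() else json.dumps(OVERLY_PERMISSIVE_POLICY)
    results = audit_cli_output(text)
    for line in results:
        print("FAIL", line)
    print("PASS: scoped to specific tables and actions" if not results else f"{len(results)} finding(s)")
    sys.exit(1 if results else 0)
```

The check deliberately treats a resource wildcard on a table's indexes (table/Orders/index/*) as acceptable while flagging table/* and "*", and it does not examine Deny statements, since those can only narrow what an Allow grants. Run it over every managed and inline policy returned by the Test Plan commands; a non-zero exit means the identity is not scoped to the table-level access this recommendation calls for.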

Backout Plan

Using AWS Console:

  1. Navigate to IAM > Users or Roles

  2. Select the identity from which the policy should be removed

  3. On the Permissions tab, select the policy to be removed

  4. Click Remove and confirm

Using AWS CLI:

  1. Detach the policy from a user:

    aws iam detach-user-policy --user-name <user-name> --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBAccessPolicy
  2. Detach the policy from a role:

    aws iam detach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBAccessPolicy
  3. Optionally delete the policy (this fails while the policy is still attached to any user, group, or role, or still has non-default versions; detach it everywhere and delete the extra versions with delete-policy-version first):

     aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBAccessPolicy

References: