Profile Applicability:

  • Level 1

Description:
Fine-Grained Access Control (FGAC) restricts access to individual items or attributes within database tables using IAM policy conditions such as dynamodb:LeadingKeys or dynamodb:Attributes. This allows different users or applications to access only the data they are authorized to see.

Rationale:
FGAC enforces the principle of least privilege at the data level, reducing the risk of unauthorized data exposure. It’s especially critical for multi-tenant applications or sensitive datasets where row-level or attribute-level isolation is required.

Impact:
Pros:

  • Provides granular security controls

  • Enables tenant or user-specific data access

  • Reduces lateral access in shared tables

Cons:

  • Increases complexity in policy authoring and testing

  • Misconfigured conditions may unintentionally block or allow access

Default Value:
IAM access to DynamoDB and Timestream tables is not fine-grained by default. Policies must be explicitly created with condition elements.

Pre-requisites:

  • An existing DynamoDB or Timestream database

  • IAM permissions to create and attach custom policies

  • Understanding of dynamodb:LeadingKeys, dynamodb:Attributes, or similar IAM conditions

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Console

  2. Navigate to IAM > Policies

  3. Review policies attached to roles accessing DynamoDB or Timestream

  4. Confirm the use of condition keys like dynamodb:LeadingKeys or dynamodb:Attributes

  5. Verify that access is scoped to specific items or attributes

Using AWS CLI:

  1. List attached role policies:

     aws iam list-attached-role-policies --role-name <role-name>

  2. Retrieve the policy document:

     aws iam get-policy-version --policy-arn <policy-arn> --version-id <version-id>

  3. Verify presence of condition blocks like:

     "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${aws:username}"] } }
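Step 3 can be applied mechanically to the policy document returned in step 2. The following Python check is an added example and not part of this benchmark: it walks each Allow statement that grants DynamoDB actions and reports statements with no dynamodb:LeadingKeys or dynamodb:Attributes condition, and statements that use dynamodb:Attributes without dynamodb:Select (AWS guidance, since a read may otherwise return attributes the condition was meant to hide). The sample policy, table name and account id are constructed placeholders.

```python
# Condition keys that scope DynamoDB access to items (LeadingKeys) or attributes.
FGAC_KEYS = {"dynamodb:leadingkeys", "dynamodb:attributes"}

def _as_list(value):
    # IAM allows a single string where a list is expected; normalise to a list.
    return value if isinstance(value, list) else [value]

def _condition_keys(statement):
    """Lower-cased condition keys of a statement, across all condition operators."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys

def audit_policy(policy_document):
    """One finding per Allow statement that grants DynamoDB actions without a
    dynamodb:LeadingKeys or dynamodb:Attributes condition. Also flags
    dynamodb:Attributes used without dynamodb:Select, since reads may then
    still return attributes the condition was meant to hide."""
    findings = []
    for index, statement in enumerate(_as_list(policy_document.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(statement.get("Action", []))]
        if not any(a.startswith("dynamodb:") for a in actions):
            continue
        sid = statement.get("Sid", f"Statement[{index}]")
        keys = _condition_keys(statement)
        if not keys & FGAC_KEYS:
            findings.append(f"{sid}: not fine-grained (no LeadingKeys/Attributes condition)")
        elif "dynamodb:attributes" in keys and "dynamodb:select" not in keys:
            findings.append(f"{sid}: dynamodb:Attributes without dynamodb:Select may return unlisted attributes")
    return findings

# Constructed sample policy document (placeholder account id and table), shaped
# like the Document field returned by `aws iam get-policy-version`.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TenantRows", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders",
         "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["${aws:username}"]}}},
        {"Sid": "WholeTable", "Effect": "Allow", "Action": "dynamodb:Scan",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```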

Implementation Plan

Using AWS Console:

  1. Navigate to IAM > Policies > Create Policy

  2. Select JSON tab

  3. Define a policy using dynamodb:LeadingKeys or dynamodb:Attributes

  4. Name the policy (e.g., DynamoDBFineGrainedPolicy)

  5. Go to Roles > YourRole > Attach policies

  6. Attach the newly created fine-grained policy

Using AWS CLI:

  1. Create the policy:

     aws iam create-policy --policy-name DynamoDBFineGrainedPolicy --policy-document file://fine_grained_policy.json

  2. Attach the policy to a role:

     aws iam attach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBFineGrainedPolicy

Backout Plan

Using AWS Console:

  1. Go to IAM > Roles > YourRole

  2. Click Permissions > Detach policies

  3. Uncheck DynamoDBFineGrainedPolicy and click Remove

  4. Navigate to IAM > Policies, select and delete the policy

Using AWS CLI:

  1. Detach the policy:

     aws iam detach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBFineGrainedPolicy

  2. Delete the policy:

     aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBFineGrainedPolicy

References: