Profile Applicability

  • Level 1

Description

Enable fine-grained access control (FGAC) in database services such as Amazon Timestream and DynamoDB to limit access at the table, row, or column level based on user roles or conditions. This enhances data confidentiality and aligns with the principle of least privilege.

Rationale

Enforcing FGAC allows organizations to apply stricter access control by granting users access only to the data they are authorized to interact with. This minimizes potential exposure and misuse of sensitive data.

Impact

While this adds security, it increases complexity in managing IAM policies. Misconfiguration could result in access issues or unintentional exposure.

Default Value

By default, FGAC is not enabled in services like Timestream or DynamoDB. IAM policies must be explicitly configured to enforce it.

Pre-Requisites

  • IAM roles and policies must be configured and attached to users or services.

  • Services like Amazon Timestream or DynamoDB must be in use.

Remediation

Test Plan

  1. Review IAM policies applied to database users.

  2. Verify that permissions are scoped to specific resources (tables, columns, rows).

  3. Check for use of condition keys like dynamodb:LeadingKeys or Timestream resource conditions.

  4. Validate that unauthorized users cannot access restricted data via tests or simulations.

Implementation Plan

Using AWS Console
  1. Go to the IAM console.

  2. Choose Policies and create a new policy.

  3. Use the JSON editor to define fine-grained rules (e.g., restrict actions on certain rows/tables).

  4. Attach this policy to the appropriate IAM user, group, or role.

  5. If using DynamoDB:

    • Define condition keys like dynamodb:LeadingKeys.

  6. If using Timestream:

    • Use resource-level permissions for tables, columns, and rows.

Using AWS CLI

  1. Create the IAM policy:

     aws iam create-policy --policy-name DynamoDBFGACPolicy --policy-document file://fgac-policy.json

  2. Attach the policy to a role:

     aws iam attach-role-policy --role-name MyFGACRole --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBFGACPolicy

  3. Use condition keys in your policy JSON, for example:

     "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${aws:username}"] } }

Backout Plan

Using AWS Console
  1. Navigate to the IAM console.

  2. Detach the fine-grained policy from the user/role.

  3. Delete the custom IAM policy if no longer needed.

Using AWS CLI

  1. Detach the policy:

     aws iam detach-role-policy --role-name MyFGACRole --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBFGACPolicy

  2. Delete the policy:

     aws iam delete-policy --policy-arn arn:aws:iam::<account-id>:policy/DynamoDBFGACPolicy


References

  1. Fine-Grained Access Control in DynamoDB

  2. IAM Policy Reference for Timestream

CIS Controls Mapping

  CIS Controls Version | Control Description                                   | IG1 | IG2 | IG3
  v8                   | 3.3 Configure Data Access Control Lists               |     |     |
  v7                   | 14.6 Protect Information through Access Control Lists |     |     |