SecurityLogMiner / log-collection-client

Everything you do not see but feel the effects of.
Apache License 2.0

Test user and admin functionality for DynamoDB #53

Open Jicxer opened 5 months ago

Jicxer commented 5 months ago

So far, we have IAM policies for each group (user and admin), and we should be able to test these privileges on:

User Groups

User: Created a user group called "user". Created a test-user to interact with DynamoDB and Kinesis Firehose. Permissions:

- AmazonDynamoDBReadOnlyAccess
- AmazonKinesisFirehoseReadOnlyAccess
- IAMReadOnlyAccess

Administrator: Created a user group called "admin". Contains all the permissions that we already have. Permissions:

- AmazonDynamoDBFullAccess
- AmazonKinesisFirehoseFullAccess
- AmazonKinesisFullAccess
- AmazonS3FullAccess
- IAMFullAccess

The client only uses DynamoDB, IAM, and possibly S3. Other permissions shouldn't be needed anymore. We have been accessing the resources with only admin permissions as we are in the admin user group.

Tasks

Our task is to create a test user with permissions for the user user group and see if they can access the resources. We also have to ensure that any malicious users are not able to access resources they shouldn't. We also have to brainstorm what the user and admins can do. Should users be able to delete their own tables? Can they delete others since it's stored in one DynamoDB?

To-do

User

Admin

Edits:

Admins and users do not make use of the Kinesis Firehose or Kinesis resources. Removed access from user groups in IAM.
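As an added example (not code from this repository), a small IAM-style policy evaluator that runs the test plan from the comment above offline: it applies the explicit-deny / allow / implicit-deny evaluation order to constructed stand-ins for the "user" and "admin" group policies, plus a hypothetical scoped policy for the "should users be able to delete their own tables?" question. The policy documents, the table ARN and the account id are constructed for illustration and are not the real AWS managed policies.

```python
from fnmatch import fnmatchcase

# Constructed, simplified stand-ins for the managed policies named in the issue
# (NOT the real AWS policy documents): just the read-only vs full-access split.
POLICIES = {
    "user": [   # stand-in for AmazonDynamoDBReadOnlyAccess + IAMReadOnlyAccess
        {"Effect": "Allow", "Resource": "*",
         "Action": ["dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan",
                    "dynamodb:Describe*", "dynamodb:List*", "iam:Get*", "iam:List*"]}],
    "admin": [  # stand-in for AmazonDynamoDBFullAccess + IAMFullAccess
        {"Effect": "Allow", "Resource": "*", "Action": ["dynamodb:*", "iam:*"]}],
    # Hypothetical answer to "should users delete their own tables?": DeleteTable
    # only on tables carrying the user's own name prefix, explicitly denied on prod-*.
    "user-own-tables": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan"]},
        {"Effect": "Allow", "Action": "dynamodb:DeleteTable",
         "Resource": "arn:aws:dynamodb:*:*:table/test-user-*"},
        {"Effect": "Deny", "Action": "dynamodb:DeleteTable",
         "Resource": "arn:aws:dynamodb:*:*:table/prod-*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(group, action, resource_arn):
    """IAM order: an explicit Deny wins, then a matching Allow, else implicit deny."""
    allowed = False
    for stmt in POLICIES[group]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource_arn, p)
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def permission_matrix(table_arn):
    """The issue's test plan for one table: which group may do what."""
    checks = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable", "iam:CreateUser"]
    return {g: {a: is_allowed(g, a, table_arn) for a in checks} for g in POLICIES}

ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/test-user-logs"  # constructed
for group, results in permission_matrix(ARN).items():
    print(group, {a: ("allow" if ok else "DENY") for a, ok in results.items()})
```

Against the real groups the equivalent live check is `aws iam simulate-principal-policy` with the test user's ARN, the action names and the table ARN, which evaluates the actually attached policies rather than these stand-ins.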

Jicxer commented 4 months ago

The difference between a user and an admin is undefined. So far, we have all the functionalities for the client to be admins. They can

The user still needs to be tested and should not have any trouble accessing the AWS CLI, but any administrative actions they attempt to take will be denied by AWS.