aws-samples / aws-iam-permissions-guardrails

AWS IAM Permissions Guardrails https://aws-samples.github.io/aws-iam-permissions-guardrails/
Apache License 2.0

Deny Lakeformation Admin Operations #32

Open ajarawat1992 opened 3 years ago

ajarawat1992 commented 3 years ago

Use Case - Is your feature request related to a problem? Please describe.

To prevent users from adding themselves as an administrator with an extract, transform, and load (ETL) script, make sure that all non-administrator users and roles are denied access to these API operations.

AWS Lake Formation is a fully managed service that makes it easier for you to build, secure, and manage data lakes. AWS Lake Formation Administrators can view all metadata in the AWS Glue Data Catalog. They can also grant and revoke permissions on data resources to principals, including themselves. AWS Lake Formation requires that each principal (user or role) be authorized to perform actions on Lake Formation–managed resources. A principal is granted the necessary authorizations by the data lake administrator or another principal with the permissions to grant Lake Formation permissions. When you grant a Lake Formation permission to a principal, you can optionally grant the ability to pass that permission to another principal. A principal with IAM administrative permissions—for example, with the AdministratorAccess AWS managed policy—has permissions to grant Lake Formation permissions and create data lake administrators. To deny a user or role access to Lake Formation administrator operations in your account, attach the SCP policy below.

```json
{
  "Sid": "DenyLakeFormationAdministratorOperations",
  "Effect": "Deny",
  "Action": [
    "lakeformation:GetDataLakeSettings",
    "lakeformation:PutDataLakeSettings"
  ],
  "Resource": [
    "*"
  ]
}
```

Expected Outcome - Describe the solution you'd like

User is not authorized to perform: lakeformation:PutDataLakeSettings on resource with an explicit deny.

Describe alternatives you've considered

Affected AWS resource: AWS Lake Formation

Impact
- High: The issue makes a service-level improvement which affects all users of AWS
- Medium: Single feature which affects a single functionality which is optionally enabled in the AWS service
- Low: Niche use case which is particularly affecting the AWS resources if it is configured in a certain way

Supported material (logs, screenshots or documentation links which provide evidence of the need for this issue)

I can contribute: Yes/No

Additional context

Pull Request number

ajarawat1992 commented 3 years ago

Below is the updated SCP:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLakeFormationAdministratorOperations",
      "Effect": "Deny",
      "Action": [
        "lakeformation:PutDataLakeSettings"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
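As an added illustration (not code from this repository or from the issue author), the following Python simulates the evaluation order behind the expected outcome in this issue: an explicit Deny in an SCP overrides even an AdministratorAccess identity policy, while actions the SCP does not name stay allowed. The FullAWSAccess document, the policy dictionaries and the evaluator itself are constructed assumptions; conditions, NotAction, permission boundaries and resource-based policies are deliberately left out.

```python
import fnmatch

# Constructed sample documents (not from the repository): the default
# FullAWSAccess SCP, the updated guardrail SCP from the comment above, and an
# identity policy equivalent to the AdministratorAccess managed policy.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LF_ADMIN_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyLakeFormationAdministratorOperations", "Effect": "Deny",
     "Action": ["lakeformation:PutDataLakeSettings"], "Resource": ["*"]}]}
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # IAM action names match case-insensitively and support * and ? wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def _decide(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final, whatever else allows
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def evaluate(action, resource, scps, identity_policy):
    """Simplified evaluation for one principal in an account under `scps`:
    an explicit Deny anywhere wins; otherwise the request needs an Allow from
    the SCPs *and* from the identity policy."""
    scp_results = [_decide(p, action, resource) for p in scps]
    identity_result = _decide(identity_policy, action, resource)
    if "Deny" in scp_results or identity_result == "Deny":
        return "Deny"
    if "Allow" in scp_results and identity_result == "Allow":
        return "Allow"
    return "ImplicitDeny"
```

Passing the earlier two-action statement (wrapped in a Version/Statement envelope) instead of DENY_LF_ADMIN_SCP shows why the issue was narrowed: it also blocks lakeformation:GetDataLakeSettings, which read-only auditors may legitimately need.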