Open aelkugia opened 4 years ago
At $dayjob, our AWS security strategy has all security logs and controls being owned and stored in a separate AWS instance/account, and limited access is provided to the services that create those logs. Not being able to specify the full ARN prevents us from following this pattern, and so we're having to develop alternative controls.
@kroboga Since the ARN is just arn:aws:dynamodb:{{region}}:{{account-id}}:table/{{ tablename }}, I'm guessing we need to add account ID to make cross accounts work. I wasn't around when https://github.com/gravitational/teleport/pull/2079/ was implemented.
Given that the tables for events and the cluster state might be in different regions/tables altogether, wouldn't it be better just to allow a full ARN (for each)?
Currently audit_events_uri does not support an Amazon Resource Name (ARN) of a DynamoDB table as a directive. Teleport passes a table name as such:
audit_events_uri: ['file:///var/lib/teleport/audit/events', 'dynamodb://table_name', 'stdout://']
This configuration is necessary for use cases where production environments are split across accounts.
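To make the two forms discussed in this thread concrete, here is an added Go example (not Teleport's own code) of a parser that accepts both the bare-table form the issue shows (dynamodb://table_name) and a full table ARN behind the same scheme (dynamodb://arn:aws:dynamodb:REGION:ACCOUNT:table/NAME), as the comments propose. Accepting an ARN is the hypothetical extension under discussion, not existing Teleport behaviour; the type and function names, the ARN validation rules, and the sample account IDs are all this example's own assumptions. The IsCrossAccount check illustrates the security point in the first comment: with a bare table name, a reviewer cannot tell from the config alone whether audit events land in the separate logging account, whereas a full ARN makes that explicit and checkable.

```go
package main

import (
	"fmt"
	"strings"
)

const dynamoScheme = "dynamodb://"

// DynamoTarget is the parsed form of one dynamodb:// entry in audit_events_uri.
// Region and AccountID are empty when only a bare table name was configured,
// meaning the table is resolved in whatever account the process's credentials
// belong to (the ambiguity the thread is about).
type DynamoTarget struct {
	Region    string
	AccountID string
	Table     string
}

// IsCrossAccount reports whether the configured table explicitly lives in an
// account other than localAccountID. A bare table name can never be proven
// cross-account from the configuration alone, so it returns false.
func (t DynamoTarget) IsCrossAccount(localAccountID string) bool {
	return t.AccountID != "" && t.AccountID != localAccountID
}

// isAccountID accepts the 12-digit AWS account ID format (assumed rule).
func isAccountID(s string) bool {
	if len(s) != 12 {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// parseDynamoTarget accepts "dynamodb://<table>" or
// "dynamodb://arn:<partition>:dynamodb:<region>:<account>:table/<table>".
// Anything else (another scheme, a non-DynamoDB ARN, a malformed resource)
// is rejected rather than silently treated as a table name.
func parseDynamoTarget(raw string) (DynamoTarget, error) {
	if !strings.HasPrefix(raw, dynamoScheme) {
		return DynamoTarget{}, fmt.Errorf("not a dynamodb:// target: %q", raw)
	}
	rest := strings.TrimPrefix(raw, dynamoScheme)
	if rest == "" {
		return DynamoTarget{}, fmt.Errorf("empty table reference in %q", raw)
	}

	// Bare table name: DynamoDB table names never contain ':' or '/', so
	// their presence means a malformed value, not a table.
	if !strings.HasPrefix(rest, "arn:") {
		if strings.ContainsAny(rest, ":/") {
			return DynamoTarget{}, fmt.Errorf("invalid table name %q", rest)
		}
		return DynamoTarget{Table: rest}, nil
	}

	// ARN form. SplitN with 6 keeps the resource part ("table/NAME") intact.
	parts := strings.SplitN(rest, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "dynamodb" {
		return DynamoTarget{}, fmt.Errorf("not a DynamoDB table ARN: %q", rest)
	}
	region, account, resource := parts[3], parts[4], parts[5]
	if region == "" || !isAccountID(account) {
		return DynamoTarget{}, fmt.Errorf("ARN %q must carry a region and a 12-digit account ID", rest)
	}
	if !strings.HasPrefix(resource, "table/") {
		return DynamoTarget{}, fmt.Errorf("ARN %q does not name a table resource", rest)
	}
	name := strings.TrimPrefix(resource, "table/")
	// Reject sub-resources such as table/NAME/index/IDX: only a table can be
	// an audit-events sink.
	if name == "" || strings.Contains(name, "/") {
		return DynamoTarget{}, fmt.Errorf("ARN %q does not name a plain table", rest)
	}
	return DynamoTarget{Region: region, AccountID: account, Table: name}, nil
}

func main() {
	// Constructed sample values: the bare form from the issue and an ARN in a
	// hypothetical separate logging account (123456789012 is a placeholder).
	local := "999999999999"
	for _, uri := range []string{
		"dynamodb://table_name",
		"dynamodb://arn:aws:dynamodb:us-east-1:123456789012:table/teleport-events",
		"dynamodb://arn:aws:s3:::some-bucket",
	} {
		t, err := parseDynamoTarget(uri)
		if err != nil {
			fmt.Printf("%-75s rejected: %v\n", uri, err)
			continue
		}
		fmt.Printf("%-75s table=%s cross-account=%v\n", uri, t.Table, t.IsCrossAccount(local))
	}
}
```

Whichever form is chosen, the parse result can be validated at startup against the account the process actually runs in, so a misconfiguration that would keep audit events inside the workload account instead of the logging account fails loudly rather than quietly.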