Open julienrf opened 4 months ago
I tried changing the Lambda policy statement based on this:
Effect: Allow
Action:
- cloudwatch:GetMetricData
Resource:
- "*"
+Condition:
+ StringEquals:
+ "cloudwatch:namespace": "AWS/DynamoDB"
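Review bot: The added Condition with StringEquals on "cloudwatch:namespace" only lets the Allow match when the request context for cloudwatch:GetMetricData actually carries that key. IAM evaluates StringEquals as false when the key is absent from the request, which would produce the Access Denied error reported below. Before keeping this change, confirm in the AWS service authorization reference that GetMetricData supports this condition key. If it does not, the statement has to stay unconditioned with Resource "*", and a comment in the policy saying why the wildcard cannot be narrowed would help later readers.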
But when the lambda runs it fails with an Access Denied error.
This might be a known limitation of AWS, according to this.
Currently, the application requires the right to call cloudwatch:GetMetricData on any resource. Instead, we could constrain the policy to perform such calls only on the AWS/DynamoDB resource namespace.