Block Public Access (BPA) is a feature that identifies and prevents attaching resource-based policies that grant public access to your DynamoDB tables, indexes, or streams across your Amazon Web Services (AWS) accounts. With BPA, you can prevent public access to your DynamoDB resources. BPA performs checks during the creation or modification of a resource-based policy and helps improve your security posture with DynamoDB.
BPA uses automated reasoning to analyze the access granted by your resource-based policy and alerts you if public access is found at the time you create or modify the policy. The analysis verifies access across all resource-based policy statements, actions, and the set of condition keys used in your policies.
BPA helps protect your resources by preventing public access from being granted through the resource-based policies that are directly attached to your DynamoDB resources, such as tables, indexes, and streams. In addition to using BPA, carefully inspect the following policies to confirm that they do not grant public access:
Identity-based policies attached to associated AWS principals (for example, IAM roles)
Resource-based policies attached to associated AWS resources (for example, AWS Key Management Service (KMS) keys)
You must ensure that the principal doesn't include a "*" entry, or that one of the specified condition keys restricts access from principals to the resource. If the resource-based policy grants public access to your table, indexes, or stream across AWS accounts, DynamoDB will block you from creating or modifying the policy until the specification within the policy is corrected and deemed non-public.
You can make a policy non-public by specifying one or more principals inside the Principal block. The following resource-based policy example blocks public access by specifying two principals.

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "123456789012",
                "111122223333"
            ]
        },
        "Action": "dynamodb:*",
        "Resource": "*"
    }
Policies that restrict access by specifying certain condition keys are also not considered public. Along with evaluation of the principal specified in the resource-based policy, the following trusted condition keys are used to complete the evaluation of a resource-based policy for non-public access:
aws:PrincipalAccount
aws:PrincipalArn
aws:PrincipalOrgID
aws:PrincipalOrgPaths
aws:SourceAccount
aws:SourceArn
aws:SourceVpc
aws:SourceVpce
aws:UserId
aws:PrincipalServiceName
aws:PrincipalServiceNamesList
aws:PrincipalIsAWSService
aws:Ec2InstanceSourceVpc
aws:SourceOrgID
aws:SourceOrgPaths
Additionally, for a resource-based policy to be non-public, the values for Amazon Resource Name (ARN) and string keys must not contain wildcards or variables. If your resource-based policy uses the aws:PrincipalIsAWSService key, you must make sure that you've set the key value to true.
The following policy limits access to the user John in the specified account. The condition constrains the Principal, so the policy is not considered public.

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "dynamodb:*",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:PrincipalArn": "arn:aws:iam::123456789012:user/John"
            }
        }
    }
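The rules described above (a wildcard principal is public unless a trusted condition key restricts it, values must carry no wildcards or variables, and aws:PrincipalIsAWSService must be set to true) as a small pre-deployment checker you can run over a policy before attaching it. This is an added illustration, not AWS's BPA implementation; it is a simplified model and assumes that negated ("...Not...") and "Null" condition operators never restrict access.

```python
import json
# Condition keys the page lists as trusted for the non-public evaluation.
TRUSTED_KEYS = {k.lower() for k in (
    "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID",
    "aws:PrincipalOrgPaths", "aws:SourceAccount", "aws:SourceArn",
    "aws:SourceVpc", "aws:SourceVpce", "aws:UserId", "aws:PrincipalServiceName",
    "aws:PrincipalServiceNamesList", "aws:PrincipalIsAWSService",
    "aws:Ec2InstanceSourceVpc", "aws:SourceOrgID", "aws:SourceOrgPaths")}
def _as_list(v):
    return v if isinstance(v, list) else [v]
def _principal_is_wildcard(principal):
    # "Principal": "*" or "Principal": {"AWS": "*"} (or a list containing "*") is public.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _condition_restricts(condition):
    # A trusted key whose values carry no wildcards or policy variables makes the
    # statement non-public; aws:PrincipalIsAWSService counts only when set to true.
    # Assumption (not from the page): negated "...Not..." and "Null" operators never restrict.
    for operator, pairs in (condition or {}).items():
        if "Not" in operator or operator.startswith("Null"):
            continue
        for key, raw in pairs.items():
            if key.lower() not in TRUSTED_KEYS:
                continue
            values = [str(x) for x in _as_list(raw)]
            if key.lower() == "aws:principalisawsservice":
                if all(x.lower() == "true" for x in values):
                    return True
                continue
            if not any("*" in x or "?" in x or "${" in x for x in values):
                return True
    return False

def public_statements(policy_json):
    """Return indexes of Allow statements this simplified model flags as public."""
    flagged = []
    for i, s in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if (s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal"))
                and not _condition_restricts(s.get("Condition"))):
            flagged.append(i)
    return flagged

# Constructed samples; the account ID and user name are the page's placeholder values.
OPEN = '{"Statement":[{"Effect":"Allow","Principal":"*","Action":"dynamodb:*","Resource":"*"}]}'
BY_ARN = ('{"Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"dynamodb:*",'
          '"Resource":"*","Condition":{"StringEquals":{"aws:PrincipalArn":'
          '"arn:aws:iam::123456789012:user/John"}}}]}')
WILDCARD_ARN = BY_ARN.replace("user/John", "user/*")  # wildcard in the value -> public
```

Running `public_statements` over OPEN and WILDCARD_ARN flags statement 0, while BY_ARN (the John example above) passes.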
The following example of a non-public resource-based policy constrains the source VPC (aws:SourceVpc) using the StringEquals operator.