Update IAM policies to separate DynamoDB access by table

Renamed the existing policy to "HandlesTableAccess" for clarity and restricted its scope to the Handles table. Added a new "CredentialsTableAccess" policy to manage permissions specifically for the Credentials table. This improves granularity and adheres to the principle of least privilege.
arkavo-org · Dec 30, 2024 · 4283648 · 4283648
1 parent e6db25a
commit 4283648
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/handle-resolution-service/template.yaml b/handle-resolution-service/template.yaml
@@ -417,19 +417,31 @@ Resources:
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
       Policies:
-        - PolicyName: DynamoDBAccess
+        - PolicyName: HandlesTableAccess
           PolicyDocument:
             Version: '2012-10-17'
             Statement:
               - Effect: Allow
                 Action:
                   - dynamodb:GetItem
                   - dynamodb:PutItem
-                  - dynamodb:DeleteItem
                   - dynamodb:Query
                   - dynamodb:Scan
                 Resource:
                   - !GetAtt HandleTable.Arn
+        - PolicyName: CredentialsTableAccess
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - dynamodb:GetItem
+                  - dynamodb:PutItem
+                  - dynamodb:DeleteItem
+                  - dynamodb:UpdateItem
+                  - dynamodb:Query
+                  - dynamodb:Scan
+                Resource:
                   - !GetAtt CredentialsTable.Arn
                   - !Sub "${CredentialsTable.Arn}/index/*"