
How can I configure lambda policy for pushing trace to xray to achieve Least Privilege Permissions?


I am using AWS Lambda and X-Ray in my application. Below is my Lambda role's policy. What I don't like is the Resource part, which is `*`. How can I define a resource to achieve least privilege permissions?

I have read through this doc: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsx-ray.html. It says to use `arn:${Partition}:xray:${Region}:${Account}:group/${GroupName}/${Id}` in the resource. But I don't understand what GroupName and Id I should use.

Should I put lambda name as part of the resource?

        Statement:
          - Effect: Allow
            Action:
              - xray:PutTraceSegments
              - xray:PutTelemetryRecords
              - xray:GetSamplingRules
              - xray:GetSamplingTargets
              - xray:GetSamplingStatisticSummaries
            Resource: "*"

Solution

  • The recommended practice is to use the AWS managed policy named AWSXRayDaemonWriteAccess as described here. The advantage of using a managed policy is that if the daemon requires another permission in the future, it will be added automatically by AWS. Otherwise you will have to manage the policy list yourself. You still have the option of managing it yourself if you prefer.

    Regarding your main concern about using `*`: as of today, X-Ray does not have a resource to manage, at least not when sending segments. There are resources for managing sampling rules and groups in X-Ray for other use cases. But when the X-Ray SDK has to send data, it has to retrieve all sampling rules in order to decide whether to send data or not. Segments are sent to AWS X-Ray using PutTraceSegments to your AWS account, not to any resource. Hence for this API you have to use `*`. Similarly for GetSamplingTargets, the API tells X-Ray how much sampling quota it has used and which sampling rule was used to decide the quota. It also gets a sampling target for the next few seconds. Sampling quota is also related to usage of tracing within your account and not to a specific resource.

    The GroupName and Id you mentioned are resources used to view data in the console for the various groups that you create with the CreateGroup API or the console. You can view your groups using the GetGroups API, and the Default group always exists.

    Groups do not come into play when sending data from lambda. Group service graphs are computed by the service based on the data you send and these groups are viewable via the console. You may control who can view or modify these groups using IAM policies.
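As an added check, not part of the question or the answer above, the following script lints an IAM policy document for X-Ray actions the way the answer describes: the five data-plane actions in the question carry no resource type, so `"*"` is the tightest Resource they accept, while group and sampling-rule management actions do accept an ARN and should not be left at `"*"`. The action table is an assumption taken from the AWS X-Ray IAM action reference linked in the question; the sample policies and the ARN values in them are constructed, and the group Id is a placeholder.

```python
"""Lint an IAM policy for over-broad or mis-scoped X-Ray permissions.

Added example; not code from the question, the answer, or AWS.
The action tables below are assumptions drawn from the X-Ray IAM
action reference and should be checked against it before use.
"""
import json
import re

# Data-plane actions with no resource type in the IAM reference: the only
# valid Resource is "*" (segments and telemetry go to the account itself).
ACCOUNT_LEVEL_ACTIONS = {
    "xray:PutTraceSegments",
    "xray:PutTelemetryRecords",
    "xray:GetSamplingRules",
    "xray:GetSamplingTargets",
    "xray:GetSamplingStatisticSummaries",
}

# Management actions that accept a resource ARN (assumed from the reference):
#   arn:${Partition}:xray:${Region}:${Account}:group/${GroupName}/${Id}
#   arn:${Partition}:xray:${Region}:${Account}:sampling-rule/${RuleName}
RESOURCE_LEVEL_ACTIONS = {
    "xray:GetGroup": "group",
    "xray:UpdateGroup": "group",
    "xray:DeleteGroup": "group",
    "xray:UpdateSamplingRule": "sampling-rule",
    "xray:DeleteSamplingRule": "sampling-rule",
}

ARN_RE = re.compile(r"^arn:[^:]+:xray:[^:]*:[^:]*:(?P<type>group|sampling-rule)/.+$")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _arn_type(resource):
    """Return 'group', 'sampling-rule', or None for a Resource entry."""
    match = ARN_RE.match(resource)
    return match.group("type") if match else None


def lint_xray_policy(policy):
    """Return (action, verdict, detail) for every X-Ray action in Allow statements.

    Verdicts: ok, broad (tighter scope possible), mismatch (Resource cannot
    apply to this action), unknown (action not in this script's tables).
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or (action.startswith("xray:") and "*" in action):
                findings.append((action, "broad", "wildcard action; list the X-Ray actions you need"))
            elif action in ACCOUNT_LEVEL_ACTIONS:
                if resources == ["*"]:
                    findings.append((action, "ok", 'no resource type exists; "*" is the tightest scope'))
                else:
                    findings.append((action, "mismatch", 'this action has no resource type; use Resource "*"'))
            elif action in RESOURCE_LEVEL_ACTIONS:
                want = RESOURCE_LEVEL_ACTIONS[action]
                if "*" in resources:
                    findings.append((action, "broad", f'scope to a {want} ARN instead of "*"'))
                else:
                    bad = [r for r in resources if _arn_type(r) != want]
                    if bad:
                        findings.append((action, "mismatch", f"expected {want} ARN(s), got {bad}"))
                    else:
                        findings.append((action, "ok", f"scoped to {len(resources)} {want} ARN(s)"))
            elif action.startswith("xray:"):
                findings.append((action, "unknown", "not in this script's table; check the IAM reference"))
    return findings


# Constructed sample: the Lambda role policy from the question, as JSON.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["xray:PutTraceSegments", "xray:PutTelemetryRecords",
               "xray:GetSamplingRules", "xray:GetSamplingTargets",
               "xray:GetSamplingStatisticSummaries"],
    "Resource": "*"
  }]
}""")

# Constructed samples: group management left at "*", then scoped to one group.
# Account number and group Id are placeholders.
BROAD_GROUP_POLICY = {"Statement": {"Effect": "Allow", "Action": "xray:GetGroup", "Resource": "*"}}
SCOPED_GROUP_POLICY = {"Statement": {"Effect": "Allow", "Action": "xray:GetGroup",
                       "Resource": "arn:aws:xray:us-east-1:123456789012:group/Default/EXAMPLEGROUPID"}}

if __name__ == "__main__":
    for name, policy in [("question", QUESTION_POLICY), ("broad", BROAD_GROUP_POLICY),
                         ("scoped", SCOPED_GROUP_POLICY)]:
        for action, verdict, detail in lint_xray_policy(policy):
            print(f"{name:9} {verdict:9} {action:36} {detail}")
```

Run against the question's policy, every finding is `ok`: the script confirms the answer's point that `"*"` is not a shortcut for those five actions but the only Resource they accept. It flags `xray:GetGroup` with `"*"` as `broad` and accepts it once a group ARN in the format from the question is supplied, which is where the GroupName and Id actually belong.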