
Issue restricting access to a single environment on AppConfig using IAM Policy


For a while now I have been trying to restrict write access to a specific environment under AppConfig, but it doesn't seem to work. I get access denied on the "dev" environment. I have checked the reference for AppConfig (https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html). I want to allow developers to start a deployment only on the dev environment, but not on prod. Here is the policy I am using.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "appconfig:StartDeployment",
            "Resource": [
                "arn:aws:appconfig:*:ACCOUNT-ID:deploymentstrategy/*",
                "arn:aws:appconfig:*:ACCOUNT-ID:application/*/environment/*",
                "arn:aws:appconfig:*:ACCOUNT-ID:application/*/configurationprofile/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/environment": "dev"
                }
            }
        }
    ]
}

I tried to restrict access the same way by using a tag on an AppConfig environment in the condition. It did not work. I then tried to restrict it at the resource level by adding the following resource, "arn:aws:appconfig:*:ACCOUNT-ID:application/*/environment/dev", and I had the same issue.


Solution

  • I have contacted one of the representatives from AWS at my workplace and explained the issue I have. He explained to me that using ResourceTag in a condition is currently not supported with AppConfig on StartDeployment and StopDeployment. He opened a feature request with the AppConfig team, but there is no guarantee that it will be included in their roadmap.

    In the meantime I have found a way to restrict access for an environment. Keep in mind this solution is not the best and you may bust your quota limit of policies in IAM.

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                        "appconfig:UpdateEnvironment",
                        "appconfig:StartDeployment",
                        "appconfig:StopDeployment"
                    ],
                    "Resource": [
                        "arn:aws:appconfig:*:*:deploymentstrategy/*",
                        "arn:aws:appconfig:*:*:application/*/environment/<dev-environment-id>",
                        "arn:aws:appconfig:*:*:application/*"
                    ]
                },
                {
                    "Sid": "VisualEditor2",
                    "Effect": "Deny",
                    "Action": [
                        "appconfig:UpdateEnvironment",
                        "appconfig:StartDeployment",
                        "appconfig:StopDeployment"
                    ],
                    "Resource": "arn:aws:appconfig:*:*:application/*/environment/<prod-environment-id>"
                }
            ]
        }


    Thanks a lot for the help
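As an added illustration (not code from the question or the answer above), a minimal Python evaluator that applies IAM's explicit-deny-wins rule and ARN wildcard matching to the answer's Allow/Deny policy, so the effect on each environment can be checked offline; the environment IDs, application ID and account number are constructed placeholders, and the IAM policy simulator remains the authoritative check.

```python
import fnmatch
# Constructed placeholder IDs for <dev-environment-id> / <prod-environment-id>; the third is an environment the policy never names.
DEV_ENV, PROD_ENV, OTHER_ENV = "dev0001", "prod001", "stag001"
DEPLOY_ACTIONS = ["appconfig:UpdateEnvironment", "appconfig:StartDeployment", "appconfig:StopDeployment"]

# The answer's Allow/Deny policy with the placeholders filled in (Sids omitted).
WORKAROUND_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": DEPLOY_ACTIONS, "Resource": [
            "arn:aws:appconfig:*:*:deploymentstrategy/*",
            f"arn:aws:appconfig:*:*:application/*/environment/{DEV_ENV}",
            "arn:aws:appconfig:*:*:application/*"]},
        {"Effect": "Deny", "Action": DEPLOY_ACTIONS,
         "Resource": f"arn:aws:appconfig:*:*:application/*/environment/{PROD_ENV}"},
    ],
}

def env_arn(app_id, env_id, region="us-east-1", account="123456789012"):
    """Environment ARN in the form listed in the AppConfig authorization reference."""
    return f"arn:aws:appconfig:{region}:{account}:application/{app_id}/environment/{env_id}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild_match(pattern, value):
    # In IAM, '*' matches any run of characters ('/' included) and '?' one character;
    # fnmatchcase implements exactly that, since ARNs and action names contain no brackets.
    return fnmatch.fnmatchcase(value, pattern)

def evaluate(policy, action, resource_arn):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one action/ARN pair.
    StartDeployment names several ARNs (application, environment, configuration
    profile, deployment strategy); IAM evaluates each one separately and all must be
    allowed, so the environment ARN alone decides whether the restriction holds."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively in IAM; resource ARNs are not.
        action_hit = any(_wild_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wild_match(r, resource_arn) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # an explicit Deny overrides every Allow
            decision = "allow"
    return decision

if __name__ == "__main__":
    for env in (DEV_ENV, PROD_ENV, OTHER_ENV):
        print(env, evaluate(WORKAROUND_POLICY, "appconfig:StartDeployment", env_arn("app1", env)))
```

The third result is the caveat to keep in mind: the Allow statement's application/* ARN also matches every environment ARN under that application, so an environment that is neither the dev ID nor explicitly denied is still allowed, and the restriction rests entirely on the Deny statement.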