Without a doubt, security is one of the key aspects to focus on in AWS. Authentication is critical, but authorization must also be considered, especially in production systems where many parties (users, resources, services) should be given only the specific permissions they need in the AWS environment. AWS IAM policies provide a great many facilities for setting up granular permissions. Tag-based permissions are one of the cool features supported by IAM.
Recently, one of my friends/clients came up with the scenario below.
Scenario: There is a Lambda function which calls an external API and fetches some data. This external API only accepts incoming requests from pre-configured whitelisted IPs. As of today, AWS doesn't support Elastic IPs for Lambda. However, there is a simple workaround.
Solution: The simple solution is to create the Lambda function within a VPC and route its traffic to the third-party API through a NAT gateway, so that the NAT gateway's Elastic IP is the address the API sees and can whitelist.
IAM policy versions are a useful feature when trying to identify the correct access rights for a particular policy and to switch between the changes applied to it.
Please note: policy versions are not available for inline policies.
When you update a customer managed policy, AWS does not overwrite the existing policy. Instead, a new version is created and set as the default version.
Image: Policy versions listing for a single IAM Policy
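To make the versioning behaviour above concrete, here is an added example (not code from the post) that models it locally: an update appends a new version and makes it the default, the previous version survives, and a diff between two versions shows exactly which access rights changed. The policy documents and bucket name are constructed sample values.

```python
from itertools import product

# Constructed sample documents for one customer managed policy (not from the post).
POLICY_V1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
POLICY_V2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "*"}]}


def grants(doc):
    """Flatten a policy document into a set of (Effect, Action, Resource) triples,
    so two versions can be compared right by right."""
    out = set()
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action, resource in product(actions, resources):
            out.add((stmt.get("Effect", "Deny"), action, resource))
    return out


class ManagedPolicy:
    """Local model of the behaviour described in the post: updating a customer
    managed policy never overwrites it; a new version (v1, v2, ...) is appended
    and becomes the default, and switching the default is the rollback."""

    def __init__(self, first_doc):
        self.versions = {"v1": first_doc}
        self.default = "v1"

    def update(self, doc, set_as_default=True):
        version_id = f"v{len(self.versions) + 1}"
        self.versions[version_id] = doc          # older versions are kept intact
        if set_as_default:
            self.default = version_id
        return version_id

    def set_default(self, version_id):
        if version_id not in self.versions:
            raise KeyError(version_id)
        self.default = version_id                # e.g. roll back to a known-good version

    def diff(self, old_id, new_id):
        """Rights added and removed when moving from old_id to new_id."""
        old, new = grants(self.versions[old_id]), grants(self.versions[new_id])
        return {"added": sorted(new - old), "removed": sorted(old - new)}
```

Calling `ManagedPolicy(POLICY_V1).update(POLICY_V2)` followed by `diff("v1", "v2")` reports the two newly granted rights (s3:PutObject on the bucket and lambda:InvokeFunction on *) and nothing removed, which is the review a practitioner wants before trusting the new default version.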