Posted On: Aug 12, 2020
Amazon ElastiCache now allows you to assign permissions to specific resources in AWS IAM policies. You can now assign an IAM principal permissions to specific ElastiCache resource or resources. Prior to this release, Amazon ElastiCache did not support resource level permissions; customers could only assign permissions to all resources for a given action. With this release you can be fine-grained in your IAM policies and allow access to specific ElastiCache resources. For example, you can allow administrators in your organization to create production ElastiCache clusters and restrict other principals from modifying those specific clusters. This provides you with the flexibility to meet your enterprise security and compliance standards.
With this release, ElastiCache resources expose Amazon Resource Names (ARNs). ARNs are now visible in the ElastiCache portion of the AWS console. They are used to identify one or many resources the policies apply to. For example, all ElastiCache resources for account id 123456789012 in the us-east-2 region are identified with “arn:aws:elasticache:us-east-2:123456789012:*”. Policies can then be authored to allow or deny specific operations on resources. The below policy allows for all ElastiCache actions on subnet groups, security groups and replication groups in us-east-1.
{
"Sid": "policy1",
"Effect": "Allow",
"Action": "elasticache:*",
"Resource": [
"arn:aws:elasticache:us-east-1:123456789012:subnetgroup:*",
"arn:aws:elasticache:us-east-1:123456789012:securitygroup:*",
"arn:aws:elasticache:us-east-1:123456789012:replicationgroup:*"
]
}
Policies can be created visually in the IAM portion of the AWS console or with any text editor, they can be applied in the AWS console, the AWS CLI or with the AWS SDK.
Resource-level permisson policies are available in all commercial AWS regions. To learn more about IAM policies, click here. To learn more about Amazon ElastiCache identity and access management, click here . To get started with Amazon ElastiCache, log into the AWS Management Console.