
Currently, I have an Amplify app that has 3 back-end environments:

  1. Prod
  2. Staging
  3. Dev

What would be the IAM policies that should be applied on a new IAM user in order to give access only to one single back-end environment, let's say Dev?

Each environment has AWS S3, DynamoDB, AppSync, and Cognito.

I have set policies on all of those AWS services and they are all properly secured, meaning that the new IAM user can only access the Dev environment in each of the services.

But when it comes to setting up policies for Amplify, even with the strictest policies I set, the new IAM user can still access all 3 back-end environments and modify configurations through Amplify, even though he can't do so directly in the service.

E.g. the user can go to Staging or Prod and change the password settings in Amplify Authentication and deploy the changes, but he cannot do it using Cognito.

Any solutions for this issue?

Citrix
  • Were you able to find a way to solve this? – Newbie21 Oct 30 '22 at 18:19
  • It's not possible, I created a copy of the app into another server, like US-EAST-2 for development and US-EAST-1 has my production app, and I gave IAM permissions to US-EAST-2 to the developers... if it's not too late, go with another technology, don't use AWS... – Citrix Oct 30 '22 at 20:12
  • Yeah, thought so. Too deep in AWS to leave, but I think this is an Amplify issue rather than AWS at large. Should be possible to use limited IAM permissions if one were using Serverless Framework / AWS CDK. – Newbie21 Nov 01 '22 at 13:55

0 Answers
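As an added example (not from the question or its comments, and not AWS code), the following script checks what an IAM identity policy document itself grants before the Amplify console is even involved: it walks the statements with simplified IAM semantics (explicit Deny wins, anything not allowed is implicitly denied; no Condition, NotAction or NotResource handling) and lists which back-end environments a given Amplify action could reach. The account id, app id and the `apps/<app-id>/backendenvironments/<name>` ARN shape are constructed placeholders and assumptions; the question reports that console operations were not constrained by such scoping, and this check says nothing about how the console maps its actions to IAM, only whether the document is scoped to Dev on paper.

```python
import fnmatch

# Constructed placeholder identifiers; not taken from the question.
ACCOUNT_ID = "111122223333"
APP_ID = "d1a2b3c4d5e6f7"
REGION = "us-east-1"
APP_ARN = f"arn:aws:amplify:{REGION}:{ACCOUNT_ID}:apps/{APP_ID}"


def backend_env_arn(env_name: str) -> str:
    """ARN of one Amplify backend environment (the format is an assumption)."""
    return f"{APP_ARN}/backendenvironments/{env_name}"


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, case_sensitive: bool) -> bool:
    # IAM wildcard matching: '*' any run of characters, '?' one character.
    # Action names are case-insensitive; resource ARNs are treated as case-sensitive.
    for pattern in _as_list(patterns):
        p, v = (pattern, value) if case_sensitive else (pattern.lower(), value.lower())
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: explicit Deny beats Allow,
    and anything not matched by an Allow is implicitly denied."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are not modelled here
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def reachable_environments(policy: dict, action: str, env_names):
    """Environments on which the policy permits `action`, in the order given."""
    return [env for env in env_names if is_allowed(policy, action, backend_env_arn(env))]


# The kind of policy that reaches every environment: amplify:* on everything.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "amplify:*", "Resource": "*"}],
}

# Scoped variant: read the app, full Amplify rights on the dev environment only,
# and an explicit Deny on staging and prod so a later broad Allow cannot widen it.
DEV_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["amplify:Get*", "amplify:List*"], "Resource": APP_ARN},
        {"Effect": "Allow", "Action": "amplify:*", "Resource": backend_env_arn("dev")},
        {"Effect": "Deny", "Action": "amplify:*",
         "Resource": [backend_env_arn("staging"), backend_env_arn("prod")]},
    ],
}

ENVIRONMENTS = ["prod", "staging", "dev"]

if __name__ == "__main__":
    for name, policy in [("broad", BROAD_POLICY), ("dev-only", DEV_ONLY_POLICY)]:
        reach = reachable_environments(policy, "amplify:DeleteBackendEnvironment", ENVIRONMENTS)
        print(f"{name}: DeleteBackendEnvironment reachable on {reach}")
```

Running it shows the broad policy reaching all three environments and the dev-only policy reaching only `dev`; if a real policy passes this check and the console still lets the user edit Staging or Prod, the gap is in which actions and resources the console operations actually evaluate against, not in the document's wording.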