Securing IAM for Multiple Tenants
The goal is to secure a tenant's data on both the client and server side, using IAM and fine-grained access control.
The following describes how this is achieved when new users sign up for an organisation.
In this scenario, PUBLIC and TENANT-specific data can share a single DynamoDB table.
When the federated identity from step 6 is assumed, the IAM policy attached to it secures the data: the statement below only grants GetItem and Query on items whose partition key begins with the caller's org principal tag followed by #.
{
    "Sid": "AllowPrecedingKeysToDynamoDBOrganisation",
    "Effect": "Allow",
    "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query"
    ],
    "Resource": "arn:aws:dynamodb:eu-west-2:322567890963:table/dev-saas-stack-DynamoDBTableResource",
    "Condition": {
        "ForAllValues:StringLike": {
            "dynamodb:LeadingKeys": [
                "${aws:PrincipalTag/org}#*"
            ]
        }
    }
}
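To make the effect of that statement concrete, here is an added example (not code from the page or from the project it describes): a small Python evaluator that models the three IAM pieces the statement relies on, ${aws:PrincipalTag/org} substitution, StringLike wildcard matching and the ForAllValues set operator, and runs constructed requests through it. The table ARN and the statement are the ones shown above; the session tag sets and partition keys (acme, globex, PUBLIC#pricing) are constructed. Two things it makes visible that the policy text alone does not: a key such as PUBLIC#pricing is not matched by this statement, so shared public rows need their own statement; and ForAllValues is satisfied vacuously when the request carries no LeadingKeys values at all, which is why the Action list should stay limited to item-level operations that always populate that key.

```python
import re

# Added example, not from the page: a toy evaluator for the single IAM
# statement above, showing how dynamodb:LeadingKeys plus a principal tag
# scopes reads to one tenant's partitions.

TABLE_ARN = "arn:aws:dynamodb:eu-west-2:322567890963:table/dev-saas-stack-DynamoDBTableResource"

# The statement from the page, unchanged apart from being a Python dict.
STATEMENT = {
    "Sid": "AllowPrecedingKeysToDynamoDBOrganisation",
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query"],
    "Resource": TABLE_ARN,
    "Condition": {
        "ForAllValues:StringLike": {
            "dynamodb:LeadingKeys": ["${aws:PrincipalTag/org}#*"]
        }
    },
}

_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def resolve_variables(pattern, principal_tags):
    """Substitute ${aws:PrincipalTag/<name>} from the session's tags.

    Returns None when a referenced tag is absent; the caller treats that as
    "condition cannot match" (modelling assumption of this toy evaluator).
    """
    missing = False

    def repl(match):
        nonlocal missing
        value = principal_tags.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    resolved = _VAR.sub(repl, pattern)
    return None if missing else resolved


def string_like(value, pattern):
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def for_all_values_string_like(request_values, patterns):
    """ForAllValues: every value in the request key set must match a pattern.

    As in IAM, an empty or absent request key set satisfies ForAllValues
    vacuously, so in an Allow statement the operator is only safe when every
    permitted action actually populates the key.
    """
    return all(any(string_like(v, p) for p in patterns) for v in request_values)


def is_allowed(action, resource, principal_tags, leading_keys, statement=STATEMENT):
    """Evaluate one request against the statement; True means the Allow applies."""
    if action not in statement["Action"] or resource != statement["Resource"]:
        return False
    patterns = []
    for raw in statement["Condition"]["ForAllValues:StringLike"]["dynamodb:LeadingKeys"]:
        resolved = resolve_variables(raw, principal_tags)
        if resolved is None:
            return False
        patterns.append(resolved)
    return for_all_values_string_like(leading_keys, patterns)


if __name__ == "__main__":
    acme = {"org": "acme"}  # constructed session tag set for one tenant
    checks = [
        ("dynamodb:Query", TABLE_ARN, acme, ["acme#user-42"]),     # own tenant
        ("dynamodb:GetItem", TABLE_ARN, acme, ["globex#user-7"]),  # other tenant
        ("dynamodb:Query", TABLE_ARN, acme, ["PUBLIC#pricing"]),   # shared row
        ("dynamodb:Query", TABLE_ARN, {}, ["acme#user-42"]),       # no org tag
    ]
    for args in checks:
        print(args[0], args[3], "->", "ALLOW" if is_allowed(*args) else "no match")
```

Run it directly to see the four sample requests evaluated; only the first one matches the statement. The same functions can be pointed at a different statement dict to check a variant policy before deploying it.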