Posted On: Aug 12, 2020

Amazon ElastiCache now allows you to assign permissions to specific resources in Amazon IAM policies. You can now grant an IAM principal permissions on a specific ElastiCache resource or set of resources. Prior to this release, Amazon ElastiCache did not support resource-level permissions; customers could only grant permissions on all resources for a given action. With this release you can write fine-grained IAM policies that allow access to specific ElastiCache resources. For example, you can allow administrators in your organization to create production ElastiCache clusters and restrict other principals from modifying those specific clusters. This gives you the flexibility to meet your enterprise security and compliance standards.

With this release, ElastiCache resources expose Amazon Resource Names (ARNs). ARNs are now visible in the ElastiCache portion of the Amazon Web Services console. They are used to identify the one or many resources a policy applies to. For example, all ElastiCache resources for account ID 123456789012 in the cn-north-1 region are identified by “arn:aws-cn:elasticache:cn-north-1:123456789012:*”. Policies can then be authored to allow or deny specific operations on those resources. The policy statement below allows all ElastiCache actions on subnet groups, security groups and replication groups owned by that account in cn-north-1.

{
    "Sid": "policy1",
    "Effect": "Allow",
    "Action": "elasticache:*",
    "Resource": [
        "arn:aws-cn:elasticache:cn-north-1:123456789012:subnetgroup:*",
        "arn:aws-cn:elasticache:cn-north-1:123456789012:securitygroup:*",
        "arn:aws-cn:elasticache:cn-north-1:123456789012:replicationgroup:*"
    ]
}

Policies can be created visually in the IAM portion of the Amazon Web Services console or with any text editor. They can be applied through the Amazon Web Services console, the Amazon CLI or the Amazon SDK.
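The scenario described above (administrators may create production clusters, other principals may not modify them) as a worked example. This is an added illustration, not code or policy text from the announcement: the "prod-" naming prefix, the two policy documents and the principal roles are assumptions, and the evaluate() function is a deliberately simplified local simulator of IAM's explicit-deny / allow / implicit-deny ordering that ignores Condition, NotAction, NotResource, permission boundaries and SCPs. It is useful for reasoning about a draft before applying it; the real decision is made by IAM, so verify with the IAM policy simulator or a test principal.

```python
import fnmatch
import json

# Values taken from the announcement's example ARN.
PARTITION = "aws-cn"
REGION = "cn-north-1"
ACCOUNT = "123456789012"


def ec_arn(resource_type: str, name: str) -> str:
    """Build an ElastiCache ARN in the format shown on the page."""
    return f"arn:{PARTITION}:elasticache:{REGION}:{ACCOUNT}:{resource_type}:{name}"


# Assumption: production replication groups are named "prod-<something>".
# Administrators get full rights on those, plus the supporting groups.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdminProdClusters",
            "Effect": "Allow",
            "Action": "elasticache:*",
            "Resource": [
                ec_arn("replicationgroup", "prod-*"),
                ec_arn("subnetgroup", "*"),
                ec_arn("securitygroup", "*"),
            ],
        }
    ],
}

# Other principals may read everything and change non-production groups,
# but an explicit Deny protects the production groups even if a later
# policy attached to them grants broader rights.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAll", "Effect": "Allow", "Action": "elasticache:Describe*", "Resource": "*"},
        {
            "Sid": "ManageNonProd",
            "Effect": "Allow",
            "Action": ["elasticache:ModifyReplicationGroup", "elasticache:DeleteReplicationGroup"],
            "Resource": ec_arn("replicationgroup", "*"),
        },
        {
            "Sid": "ProtectProd",
            "Effect": "Deny",
            "Action": ["elasticache:ModifyReplicationGroup", "elasticache:DeleteReplicationGroup"],
            "Resource": ec_arn("replicationgroup", "prod-*"),
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource_arn: str) -> str:
    """Simplified IAM decision for one identity policy.

    Explicit Deny wins over any Allow; with no matching statement the
    result is an implicit deny. Action names are case-insensitive, '*'
    and '?' wildcards are honoured; resource ARNs are matched case-sensitively.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_scenarios() -> dict:
    """Run the page's scenario through both policies (constructed resource names)."""
    prod = ec_arn("replicationgroup", "prod-cache-01")
    dev = ec_arn("replicationgroup", "dev-cache-01")
    return {
        "admin_create_prod": evaluate(ADMIN_POLICY, "elasticache:CreateReplicationGroup", prod),
        "operator_modify_prod": evaluate(OPERATOR_POLICY, "elasticache:ModifyReplicationGroup", prod),
        "operator_modify_dev": evaluate(OPERATOR_POLICY, "elasticache:ModifyReplicationGroup", dev),
        "operator_describe_prod": evaluate(OPERATOR_POLICY, "elasticache:DescribeReplicationGroups", prod),
        "operator_create_dev": evaluate(OPERATOR_POLICY, "elasticache:CreateReplicationGroup", dev),
    }


if __name__ == "__main__":
    print(json.dumps(OPERATOR_POLICY, indent=2))  # the document you would paste into IAM
    for name, result in check_scenarios().items():
        print(f"{name}: {result}")
```

The explicit Deny in "ProtectProd" is the important design choice: resource-level Allow statements scope what a principal may do, but only a Deny guarantees the production groups stay untouched when additional policies are attached to the same principal later. The last scenario also shows the implicit-deny default, since nothing in the operator policy grants CreateReplicationGroup.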

Resource-level permission policies are available in all commercial Amazon Web Services regions, including Amazon Web Services China (Beijing) Region, operated by Sinnet and Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about IAM policies, click here. To learn more about Amazon ElastiCache identity and access management, click here. To get started with Amazon ElastiCache, log into the Amazon Web Services Management Console.