I have AWS SSO users with login like firstname.lastname.
I would like to have a policy like this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:SomeAction",
"Resource": ["*"],
"Condition": {
"StringEquals": {
"ec2:ressourceTag/User": "${firstname.lastname}"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
}
Of course ${firstname.lastname} should be dynamically filled using SSO data.
It's my understanding of reference_policies_variables, that it is not straighforward.
Is there a way ?
Related
I have a user pool and an Identity pool, where the role i am giving the authenticating users in the identity pool has the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutBucketPolicy",
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket123",
"arn:aws:s3:::testbucket456",
"arn:aws:s3:::testbucket987"
]
}
]
}
I have created a new role called Role_testbucket456_User_X using Web Identity and added a condition where cognito-identity.amazonaws.com:sub is stringEquals to 8e23d688-1f28-445c-8966-fdcb967c8e3c, and attach to it the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
Then I have added the Cognito user Y that has the sub 8e23d688-1f28-445c-8966-fdcb967c8e3c to a Cognito User Pool Group called testbucket456_Users
And then attached the role Role_testbucket456_User_X to this group testbucket456_Users
What I am expecting is that none of the Cognito users will have Read/Write access on any S3 bucket, except the user Y that has sub 8e23d688-1f28-445c-8966-fdcb967c8e3c to be able to access Read/Write on testbucket456 bucket. But that didn't work unfortunately.
So I have added the following Bucket Policy to the testbucket456 bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
But that still didn't work, I am still getting Access Denied issue whenever I try to call this method:
const listObjectParams = {
Bucket: 'testbucket456',
};
s3.listObjects(listObjectParams, (err: any, data: any) => {
if (err) {
console.log(err);
return;
}
console.log(data);
console.log(`Successfully listed objects in `);
});
Note
When I set the testbucket456 bucket's policy to
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
I am then able to access(list objects) the bucket using the Cognito users, I think the issue is with the bucket's policy itself and in the Principal field specifically.
Possible issues
Maybe the authenticated role must have permissions to assume the custom role
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
to be like the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket456"
]
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
]
}
Can anybody confirm please?
This answer was the solution, I had to change the default role given to the Cognito Users
I would like to set a policy for a S3 bucket that is restricted to a VPC-ID(using a S3 endpoint). I have two accounts, A and B. I want a IAM user in A to access a bucket in B.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html
{ "Version": "2012-10-17", "Id": "Policy1415115909153", "Statement": [
{
"Sid": "Access-to-specific-VPC-only",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"Resource": ["arn:aws:s3:::awsexamplebucket1",
"arn:aws:s3:::awsexamplebucket1/*"],
"Condition": {
"StringNotEquals": {
"aws:SourceVpc": "vpc-111bbb22"
}
}
} ] }
Above won't work, but following will:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*"
],
"Condition": {
"StringEquals": {
"aws:SourceVpc": "vpc-111111111111"
}
}
}
]
}
Feels like best practices is to use a deny policy. Anyone has an idea why and how solve it?
As pointed out you need to allow as-well. Combine both policies and it will work.
I have created an IAM user (without MFA) and attached the below policy to the user. This is to make sure that the calls to the S3 use MFA. But, when I use the AccessKeys for this user via the AWS CLI, I am able to perform the S3 operation aws s3 ls with out any authorization error.
Am I doing something wrong or is it a bug in AWS?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "true"
}
}
}
]
}
Not exactly sure why the policy statement in the OP is not working. But,
I did attach the AmazonS3FullAccess policy with one of the below policy and it behaves as expected. For the long-term credentials I am not able to perform S3 operations and for the temporary credentials when authenticated with MFA I am able to perform the S3 operations.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
{
"Version": "2012-10-17",
"Id": "123",
"Statement": [
{
"Effect": "Deny",
"Resource": "*",
"Action": "s3:*",
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": true
}
}
}
]
}
You are using Allow, but you should be using Deny as explained in AWS docs. Example:
{
"Version": "2012-10-17",
"Id": "123",
"Statement": [
{
"Sid": "",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/*",
"Condition": { "Null": { "aws:MultiFactorAuthAge": true }}
}
]
}
Read the AWS docs carefully, as you can lock yourself out of the bucket if you use Deny incorrectly.
I wanted to allow all s3 actions on a particular bucket "test-bucket" for a specific role "test-role". Deny the bucket for all others. The s3 policy I have written :
{
"Version": "2012-10-17",
"Id": "Policy1601973417173",
"Statement": [
{
"Sid": "Allow role test-role",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test-bucket/*"
},
{
"Sid": "Deny rest",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
Even after applying the above policy, the sso users which are mapped to the role "test-role" is getting Access denied on the bucket.
Note : The AWS console shows logged in user as "Federated Login: test-role/sam#abc.com".
I have also tried the "assumed-role" options are still failing. Any help appreciated.
Try this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::test-bucket",
"arn:aws:s3:::test-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA<udserid-1-suppressed>:*",
"AIDA<udserid-1-suppressed>",
"AIDA<udserid-2-suppressed>:*",
"AIDA<udserid-2-suppressed>",
"AIDA<udserid-n-suppressed>:*",
"AIDA<udserid-n-suppressed>",
"111111111111"
]
}
}
}
]
}
After setting up AWS Elasticsearch, I installed Logstash and Kibana proxy on a static IP server, and added this domain access policy on ES and it's working fine:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.192.192.192"
]
}
}
}
]
}
Now I need to allow Lambda function to execute es:ESHttpDelete action on AWS ES, so I created the function with the existing role service-role/Elasticsearch then copied the relevent ARN from IAM Managment console to add it to AWS ES access policy, to come up with this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
}
]
}
The problem is on ES I should either choose domain access policy for Static IP or ARN but not both. When I tried to merge them manually not by using the console it didn't work. I checked AWS documentation but they didn't mention if is that possible or not.
You can add multiple policy statements inside the Statement array in the JSON format of policy. So, your final policy would be something like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.192.192.192"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
}
]
}