I am logged in as LeadDeveloperRole in aws console and created a secret in secrets manager. I want this secret to be only accessible to
LeadDeveloperRole and AdminRole, so i used below mentioned resource policy on this secret. While saving this policy it shows an error saying:
"This resource policy will not allow you to manage this secret in the future."
As per my understanding, Deny + NotPrincipal implies apart from LeadDeveloperRole and AdminRole, no one will have access to this.
Am i missing something here ?
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":[
"arn:aws:iam::111111111:role/LeadDeveloperRole",
"arn:aws:iam::111111111:role/AdminRole"
]
},
"Action": [
"secretsmanager:*"
],
"Resource":"arn:aws:secretsmanager:region:111111111:secret:secretid-xxxx1i"
},
{
"Effect":"Deny",
"NotPrincipal":{
"AWS":[
"arn:aws:iam::111111111:role/LeadDeveloperRole",
"arn:aws:iam::111111111:role/AdminRole"
]
},
"Action": [
"secretsmanager:*"
],
"Resource":"arn:aws:secretsmanager:region:111111111:secret:secretid-xxxx1i"
}
]
}
UPDATED:
updated the policy with explicit allow which is giving same error.
Try adding the account principal to the list of NotPrincipals, as without it a request can be blocked e.g. "arn:aws:iam::111111111:root" or just the account ID number.
From the docs:
When you use NotPrincipal with Deny, you must also specify the account ARN of the not-denied principal.
Related
I have created a s3 bucket and along with it i added a policy to the bucket saying to deny ListBucket action for a canonical user. Here canonical user is nothing but me. Below is my code..
s3_client.create_bucket(Bucket=bucket_name)
bucket_policy = {
'Version': '2012-10-17',
'Statement': [{
'Sid': 'AddPerm',
'Effect': 'Deny',
'Principal':
#I am denying ListBucket access to this canonical user id.
{"CanonicalUser":"1234567777777777777777544444444466666ac73d5bc7cd43619"},
'Action': ['s3:ListBucket'],
'Resource': f'arn:aws:s3:::{bucket_name}',
}]
}
# Convert the policy from JSON dict to string
bucket_policy = json.dumps(bucket_policy)
s3_client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
s3_client.put_object(Bucket=bucket_name, Key="a/b/c/abc.txt")
#Still i am getting response for this list_objects operation.
response = s3_client.list_objects(Bucket=bucket_name)
print(response)
How can I remove a specific s3 bucket permission to a root user?
Thanks
Based on comments, the question was to deny root user access to resources within the same account, which is not recommended as well.
You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user
Below approach described is for cross account access.
As per the documentation you can address root user in the following format
"Principal":{"AWS":"arn:aws:iam::AccountNumber-WithoutHyphens:root"}
"Principal":{"AWS":["arn:aws:iam::AccountNumber1-WithoutHyphens:root","arn:aws:iam::AccountNumber2-WithoutHyphens:root"]}
Grant permissions to an AWS Account
For example
{
"Id": "Policy1616693279544",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt161669321",
"Action": [
"s3:ListBucket"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::mybucketname",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:root"
]
}
}
]
}
If you don want to stress about correct policy generation you can cross verify with this tool here
AWS Policy Generator
Your AWS account identifiers
AWS provides a way through its IAM policies to limit access from a particular user/role to a specific named resource.
For example the following permission:
{
"Sid": "ThirdStatement",
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::confidential-data",
"arn:aws:s3:::confidential-data/*"
]
}
will allow all List* and Get* operations on the confidential-data bucket and its contents.
However, I could not find such an option when going through GCP's custom roles.
Now, I know that for GCS buckets (which is my use case) you can create either ACLs to achieve (more or less?) the same result.
My question is, assuming I create a service account identified by someone#myaccount-googlecloud.com and I want this account to have read/write permissions to gs://mybucket-on-google-cloud-storage, how should I format the ACL to do this?
(for the time being, it does not matter to me whatever other permissions are inherited from the organization/folder/project)
From documentation:
Grant the service account foo#developer.gserviceaccount.com WRITE access to the bucket example-bucket:
gsutil acl ch -u foo#developer.gserviceaccount.com:W gs://example-bucket
Grant the service account foo#developer.gserviceaccount.com READ access to the bucket example-bucket:
gsutil acl ch -u foo#developer.gserviceaccount.com:R gs://example-bucket
The format for ACL is as below
{
"bindings":[
{
"role": "[IAM_ROLE]",
"members":[
"[MEMBER_NAME]"
]
}
]
}
Please refer to the Google Docs
e.g.
{
"kind": "storage#policy",
"resourceId": "projects/_/buckets/bucket_name",
"version": 1,
"bindings": [
{
"role": "roles/storage.legacyBucketWriter",
"members": [
"projectEditor:projectname",
"projectOwner:projectname"
]
},
{
"role": "roles/storage.legacyBucketReader",
"members": [
"projectViewer:projectname"
]
}
],
"etag": "CAE="
}
I am trying to use the NotPrincipal element in my bucket policy to explicitly deny access to my s3 bucket while whitelisting a particular lambda that accesses the bucket. I specified the role ARN and assumed role ARN for the lambda's role in the NotPrincipal element:
"arn:aws:iam::{Account ID}:role/service-role/{Lambda role name}",
"arn:aws:sts::{Account ID}:assumed-role/{Lambda role name}/{role session name}"
This doc explains the structure of the assumed role ARNs:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
I can't seem to get the assumed role ARN correct. The bucket policy is valid, but it seems I can provide anything for the role session name (the last part of the assumed-role ARN), and the ARN is considered valid. What does AWS set this role session name to when Lambda or other service assumes a service role? Is it possible to list active sessions for a role or list the assumed-role ARNs? I am currently using the Lambda function name for the role session name, but this is not working (the Lambda still cannot access the bucket).
Since I can't use wildcards in the NotPrincipal element, I need the full assumed-role ARN of the Lambda once it assumes the role.
UPDATE:
I tried using two conditions to deny all requests where the ARN does not match the ARN of the Lambda role or assumed role. The Lambda role is still denied from writing to S3 using the IAM policy simulator. Here is the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WhitelistRegistryAPILambdaRole",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectVersion",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::{bucket name}",
"arn:aws:s3:::{bucket name}/*"
],
"Condition": {
"ArnNotLike": {
"AWS:SourceARN": "arn:aws:iam::{account ID}:role/{lambda role name}"
}
}
},
{
"Sid": "WhitelistRegistryAPILambdaAssumedRole",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectVersion",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::{bucket name}",
"arn:aws:s3:::{bucket name}/*"
],
"Condition": {
"ArnNotLike": {
"AWS:SourceARN": "arn:aws:sts::{account ID}:assumed-role/{lambda role name}/{lambda function name}"
}
}
}
]
}
TL;DR:
The Assumed Role ARN of a Lambda Function is constructed as this:
arn:aws:sts::{AccountID}:assumed-role/{RoleName}/{FunctionName}
Details:
So the "role session name" is, in your case, the lambda function name.
You can easily verify this, by trying to call an API from your Lambda (DynamoDB ListTables for example) for which you do not have permissions. The error message in the callback will also contain the assumed role ARN (note that some service such as S3 do not provide detailed error messages when an operation is denied. DynamoDB, Lambda, and most of the recently launched services, will.)
I'm not sure to understand why you need a NotPrincipal, as probably there is a better way to handle the scenario you described :) More info would be useful to provide a more precise answer.
From the AWS IAM Documentation:
Important: Very few scenarios require the use of NotPrincipal, and we
recommend that you explore other authorization options before you
decide to use NotPrincipal.
I have an IAM role(MyIAMrole) which has already been created. I want to attach a policy to this role using a Cloudformation template.
"Mypolicy":{
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "assume-role-policy",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [
{ "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*" }
]
},
"Roles": [ { "Ref": "arn:aws:iam::*:role/MyIAMrole" } ]
}
}
When I try to validate this I am getting an error saying "Unreolved reference options".
How to attach this policy to an already existing role?
I managed to get your code snippet to work by referring to the Name of a role rather than the ARN.
As per the AWS::IAM::Policy documentation:
Roles: The names of AWS::IAM::Roles to which this policy will be attached.
However, while the stack went to CREATE_COMPLETE, I couldn't see the policy listed in the Policies section of IAM, nor could I see the policy attached to the referenced role.
It might be that you cannot use CloudFormation to attach a policy to an existing role. You might need to create the Role as part of the CloudFormation template to be able to attach a role.
I have a bucket in Amazon S3 called 'data1'.
When I connect using Cyberduck to my S3, I want the user to only have access to 'data1' bucket and none of the others.
I also set up a new IAM user, called data1, and attached the 'AmazonS3FullAccess' policy to the permissions for that user - but that gives access to all of the buckets - which is what you would expect.
I guess I need to setup another policy for this - however what policy would I do?
First find the users principle. These can be found by looking at the Arn field output by this command
aws iam list-users
For instance
{
"Users": [
{
"UserName": "eric",
"Path": "/",
"CreateDate": "2016-07-12T09:08:21Z",
"UserId": "AIDAJXPI4SWK7X7PY4RX2",
"Arn": "arn:aws:iam::930517348925:user/eric"
},
{
"UserName": "bambi",
"Path": "/",
"CreateDate": "2015-07-15T11:07:16Z",
"UserId": "AIDAJ2LEXFRXJI5AKUU7W",
"Arn": "arn:aws:iam::930517348725:user/bambi"
}
]
}
Then set up an S3 bucket policy. These apply to the bucket and are set per bucket. Normal IAM policies are set per IAM entity and are attached to the IAM entity, for instance the user. You already have IAM policies. For this requirement an S3 policy is needed.
Just to emphasise - S3 policies apply to the bucket and are "attached" to S3, IAM policies apply to IAM and are associated with IAM objects. When IAM entities try to use an S3 bucket both S3 policys and IAM policies can apply. See http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
Once you know the ARN of the principle then add a S3 policy like this
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "arn:aws:iam::930517348725:user/bambi",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::examplebucket/*"]
},
{
"Sid":"block",
"Effect":"Deny",
"Principal": "arn:aws:iam::930517348725:user/bambi",
"Action":["s3:*"],
"Resource":["arn:aws:s3:::*"]
}
]
}
I haven't tested this but that is the general idea. Sorry I didn't use "data1" for both the principle and bucket name in the example but it's too confusing..:)
For write-only access you can attach a policy like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
but it reads like you want to do more than just write?