AWS CLI command add condition - amazon-web-services

I need to alter a resource based policy for AWS Lambda.
I need it to change from:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "S3Events",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-west-2:123456789123:function:Manage-configurator",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::managebucket"
}
}
}
]
}
to
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "S3Events",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-west-2:123456789123:function:Manage-configurator",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "123456789123"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::managebucket"
}
}
}
]
}
After researching im not sure how to add just an extra condition in


To edit policies in AWS, you simply supply a completely new policy. There is no API that supports modification in place.

Related

how to combine two IAM policies together

Im new to IAM policies. Trying to combine below two policies and make single one. The role is
AmazonEKSVPCCNIRole
below are two policies :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
and
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "<arn-value>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/<id>:sub": "system:serviceaccount:kube-system:aws-node",
"oidc.eks.us-east-1.amazonaws.com/id/<id>:aud": "sts.amazonaws.com"
}
}
}
]
}
i just need single policy combining above two policies. Im getting JSON error when trying to combine.
please help to create single policy

Can add the element in the statement array separated by comma. This is trust policy and not a normal policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "<arn-value>"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/<id>:sub": "system:serviceaccount:kube-system:aws-node",
"oidc.eks.us-east-1.amazonaws.com/id/<id>:aud": "sts.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

Create S3 bucket policy for ssm resource data sync that allows new accounts added access without manually adding a statement

I am attempting to deploy a SSM Inventory Collection and a Resource Data Sync via Cloudformation in 15 accounts. I am able to manually add each account by adding a statement in the central s3 bucket for proper access. I was wondering is there a way to create a policy that allows newly created AWS accounts in the future to have proper access without adding a statement to the s3 bucket policy. Below is the documentation I have followed. I was using this method to add each account below
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=123456789012/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=444455556666/*",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/accountid=777788889999/*"
],
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html
Further in the documentation, I see you can create a resource data sync for accounts defined in AWS Organizations. But this still doesnt accomplish granting any new accounts where template gets deployed, access will be granted.
Creating an inventory resource data sync for accounts defined in AWS Organizations
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::S3_bucket_name"
},
{
"Sid": " SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"s3:RequestObjectTag/OrgId": "organization-id",
"aws:SourceAccount": "123456789012"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:ssm:*:123456789012:resource-data-sync/*"
}
}
},
{
"Sid": " SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/bucket-prefix/*/accountid=*/*"
]
}
]
}
I have played around with a few policies but doesn't seem to work
{
"Version": "2012-10-17",
"Statement": [
{
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::inventorycollectionsync/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "o-mb7bem0c79"
}
}
}
]
}

Try this:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SSMBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": " SSMBucketOrgDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": " SSMBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*",
"Condition": {
"StringEquals": {
"s3:RequestObjectTag/OrgId": "org-id",
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": " SSMBucketDeliveryTagging",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "s3:PutObjectTagging",
"Resource": "arn:aws:s3:::bucketname/*/accountid=*/*"
}
]
}

S3 Bucket Policy: match at least 1 (OR)

I currently have a S3 bucket policy that ONLY allows GET access if the user agent matches "ALLOW_USER_AGENT"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
}
}
I want to modify this policy so that it allows GET access if the user agent matches "ALLOW_USER_AGENT" OR if the origin IP is 11.11.11.11
Here is my first crack at this policy. Is this the right policy? I want to allow GET access if 1 of these 2 statements are true (not both)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "allow-username-and-password-access",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"aws:UserAgent": [
"ALLOW_USER_AGENT"
]
}
}
},
{
"Sid": "SourceIP",
"Action": "s3:GetObject",
"Effect": "Deny",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"11.11.11.11/32",
]
},
"Principal": {
"AWS": "*"
}
}
]
}

According to your requeriments the Allow/Deny rules should be:
C1 (condition 1): aws:UserAgent = ALLOW_USER_AGENT
C2 (condition 2): aws:SourceIp = 11.11.11.11/32
The corresponding bucket policy would be:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "deny-if-both-conditions-are-true",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
},
"IpAddress": {
"aws:SourceIp": "11.11.11.11/32"
}
}
},
{
"Sid": "deny-if-neither-conditions-are-met",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY_BUCKET/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "11.11.11.11/32"
},
"ForAnyValue:StringNotEquals": {
"aws:UserAgent": "ALLOW_USER_AGENT"
}
}
}
]
}
I have tested this policy and works as expected. Additionally, I have updated the operator "ForAllValues" by "ForAnyValue".
Use the curl command with "-A" option to set any User Agent.
Reference:
Creating a condition with multiple keys or values

What will the policy of aws sqs which is tigger by multiply s3 Bucket

I have S3 bucket and on object-put event I trigger SQS queue and received queue in my instance and process it,
Access policy of sqs is
{
"Version": "2012-10-17",
"Id": "arn:aws:sqs:ca-central-1:xxxxxxxxxxxx:abcd",
"Statement": [
{
"Sid": "example-statement-ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:ca-central-1:xxxxxxxxxxxx:abcd",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::<bucket name>"
}
}
}
]
}
It's working fine for me but now I want to use the same queue in a two different bucket, I tried policy
{
"Version": "2012-10-17",
"Id": "arn:aws:sqs:ca-central-1:xxxxxxxxxxxx:abcd",
"Statement": [
{
"Sid": "example-statement-ID",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:ca-central-1:xxxxxxxxxxxx:abcd",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:::<bucket name>",
"aws:SourceArn": "arn:aws:s3:::<bucket name2>"
}
}
}
]
}
But I didn't work, So anybody please help me to find what will be the Access policy of using same sqs queqe in two different bucket

Your current policy is not valid JSON. To specify multiple ArnLike values you need to use a list:
"ArnLike": {
"aws:SourceArn": ["arn:aws:s3:::<bucket name>",
"arn:aws:s3:::<bucket name2>"]
}

S3 Cross account replication not replicate the files

i have the following configuration and I've already tried a lot of things. Can someone check it an say what might be the issue?
I've added the canonical account of the source to the destination bucket.
The replication is enabled on the source bucket. Is replicating the whole bucket.
Source bucket.
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::source-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
},
{
"Sid": "AWSSourcebucketWrite20131101",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::external_account_who_write_the_files:root",
"arn:aws:iam::external_account_who_write_the_files:root",
"arn:aws:iam::external_account_who_write_the_files:root"
]
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::source-bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
Destination bucket
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::source-bucket-replication/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
},
"Bool": {
"aws:SecureTransport": "true"
}
}
},
{
"Sid": "Stmt123",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::source_bucket_account:root"
},
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Resource": "arn:aws:s3:::source-bucket-replication/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
}
]
}

Did you tried adding new file to your source bucket? Or update an existing file on source bucket? I think replication takes effect only on the items added or updated after enabling replication.