WSO2 IS Entitlement Policy Name length restriction - wso2

When I use the Simple Policy Editor to create a new XACML Policy the value for the Entitlement Policy Name text box appears to be limited to 20 characters. Is there a configuration option to change that will allow for longer values?

Currently this is not configurable. It's in this JSP page. Your policy name should match the following regex:
/^[a-zA-Z0-9._-]{3,20}$/

Related

How to identify if an action is performed by a service linked role using CloudTrail logs?

Objective:
I am trying to identify if an action logged in CloudTrail logs corresponds to a service linked role.
What I have tried:
The first heuristic I used was that it starts with the prefix "AWSServiceRoleFor". However, this doesn't cover all the cases.
Docs I have read:
https://aws.amazon.com/de/blogs/security/get-greater-transparency-into-actions-aws-services-perform-on-your-behalf-by-using-aws-cloudtrail/: From this document I could infer that userIdentity.sessionContext.sessionIssuer.arn has 'aws-service-role' in it.
However I have found cases in my data where that was not the case.
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html: This suggests that
"The ARN for a service-linked role includes a service principal, which
is indicated in the policies below as SERVICE-NAME.amazonaws.com. Do
not try to guess the service principal, because it is case sensitive
and the format can vary across AWS services. To view the service
principal for a service, see its service-linked role documentation."
Again, I found this to be inconsistent as well.
This document contains all the fields present in a CloudTrail log: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
Any insight into which field I could use to identify an action that comes from a service linked role will help.
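The two heuristics the question lists (the sessionIssuer ARN path "aws-service-role" with its service-principal segment, and the "AWSServiceRoleFor" name prefix) applied together to a few records, as an added example that is not from the post. The record layout follows the CloudTrail record reference linked above; the sample records are constructed, and records carrying no session issuer at all are reported as unknown rather than labelled either way.

```python
import json
import re

# Service-linked role ARN shape from the IAM docs linked in the question:
#   arn:aws:iam::ACCOUNT:role/aws-service-role/SERVICE-PRINCIPAL/ROLE-NAME
SLR_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/aws-service-role/([^/]+)/([^/]+)$")
NAME_PREFIX = "AWSServiceRoleFor"

def classify(event):
    """Return (verdict, evidence) for one parsed CloudTrail record.

    verdict is "service-linked", "not-service-linked" or "unknown" (the record
    carries no session issuer, e.g. an IAMUser or Root event)."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    evidence = []
    m = SLR_ARN.match(issuer.get("arn", ""))
    if m:
        evidence.append(f"issuer ARN path aws-service-role, service principal {m.group(1)}")
    if (issuer.get("userName") or "").startswith(NAME_PREFIX):
        evidence.append(f"issuer role name starts with {NAME_PREFIX}")
    if evidence:
        return "service-linked", evidence
    if issuer.get("arn"):
        return "not-service-linked", evidence
    return "unknown", evidence

def scan(lines):
    """Classify newline-delimited JSON records; returns [(eventName, verdict, evidence)]."""
    out = []
    for line in lines:
        ev = json.loads(line)
        verdict, why = classify(ev)
        out.append((ev.get("eventName"), verdict, why))
    return out

# Constructed sample records (abbreviated), not real CloudTrail output.
SAMPLE_LINES = [
    json.dumps({"eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole",
        "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "AWSServiceRoleForAutoScaling",
        "arn": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"}}}}),
    json.dumps({"eventName": "GetObject", "userIdentity": {"type": "AssumedRole",
        "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DeployRole",
        "arn": "arn:aws:iam::123456789012:role/DeployRole"}}}}),
    json.dumps({"eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
]

if __name__ == "__main__":
    for name, verdict, why in scan(SAMPLE_LINES):
        print(name, verdict, "; ".join(why))
```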

Use custom Azure AD-Attributes for Tag-based ABAC via AWS SSO

I am currently trying to set up a fine grained permission system for our infrastructure. We run each development stage in a different AWS account. Each stage therefore has different secrets that are used.
I now want to add a permission set to our SSO setup that allows GetSecretValue for secrets in the account if the user has the tag for the stage, e.g. user has the tag "develop = true", then the user can access the secret in our develop account, which also has the tag "develop = true".
To give the user the related tag, we want to use SAML assertions. We cannot use existing default tags (e.g. Department), since AWS resource tags do not support proper evaluation of multiple values (e.g. a tag on the secret like "Stage"="develop,test" allowing develop and test users access).
However, I cannot get the SAML assertions for custom attributes to show up in the AWS SSO user, no matter what I do. We set the attribute as
https://aws.amazon.com/SAML/Attributes/AccessControl:secret_test. This works if I use "Department" instead of "secret_test" (I assume because Department is one of the SCIM default attributes), but not for my custom attribute "secret_test".
Hence my questions are:
Is it even possible for AWS SSO ABAC to "see" and evaluate attributes created as SAML Assertions in Azure AD, if they are not default attributes?
Alternatively, is there a way to write a policy that evaluates part of the string instead of a full match? I tried filling "Department" with "develop/test" and then setting up a condition on the permission set like
    "Condition": {
        "StringLike": {
            "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
        }
    }
but that doesn't allow access for the user.
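A small model of how IAM substitutes a policy variable and then applies StringLike, as an added example that is not from the post and is not the AWS policy engine itself. It shows why the attempted Department condition denies access (after substitution the pattern is the literal "develop/test", which must match the entire resource tag value "develop") and that the per-stage tag design described at the top of the question ("develop = true" on both user and secret) does match. Tag values are constructed.

```python
import re

VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")

def string_like(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' matches any run of characters,
    '?' matches one character, and the whole value must match (no substring match)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def resolve(pattern, principal_tags):
    """Substitute ${aws:PrincipalTag/Key}. Returns None when the principal lacks the
    tag, which makes the condition evaluate to false (simplified model)."""
    if any(k not in principal_tags for k in VAR.findall(pattern)):
        return None
    return VAR.sub(lambda m: principal_tags[m.group(1)], pattern)

def condition_matches(condition, principal_tags, resource_tags):
    """Evaluate a Condition block holding only StringLike on aws:ResourceTag/<Key> keys."""
    for key, pattern in condition.get("StringLike", {}).items():
        tag = key.split("aws:ResourceTag/", 1)[1]
        resolved = resolve(pattern, principal_tags)
        if tag not in resource_tags or resolved is None:
            return False
        if not string_like(resolved, resource_tags[tag]):
            return False
    return True

# The condition from the question.
DEPARTMENT_CONDITION = {"StringLike": {"aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}
# Per-stage tag carried by both principal and resource, as in the question's "develop = true" design.
STAGE_CONDITION = {"StringLike": {"aws:ResourceTag/develop": "${aws:PrincipalTag/develop}"}}

def demo():
    """Returns (department_multi_value, stage_match, stage_wrong_user); constructed tag sets."""
    # "develop/test" becomes the literal pattern and must match the whole value "develop": denied.
    dept = condition_matches(DEPARTMENT_CONDITION, {"Department": "develop/test"}, {"Department": "develop"})
    # Exact per-stage tag on both sides: allowed.
    ok = condition_matches(STAGE_CONDITION, {"develop": "true"}, {"develop": "true"})
    # A test-stage user has no "develop" tag, so the variable cannot resolve: denied.
    wrong = condition_matches(STAGE_CONDITION, {"test": "true"}, {"develop": "true"})
    return dept, ok, wrong
```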

IAM Policy variable for Cognito groups

My situation is this:
I'm trying to control access to an S3 bucket using unix-like home directories via AWS Cognito. These home directories should be accessible by groups of users rather than each individual user. i.e.:
s3-bucket/home/group1
s3-bucket/home/group2
s3-bucket/home/group3
When creating roles separately with group information (group name currently used as part of directory name for wildcarding), similar to this link, it works. However, I'd rather not make a separate IAM role for each group.
Before I used the enhanced flow I could restrict the role with a further policy via the AssumeRoleWithWebIdentity call with STS. However, when using just Cognito, it expects only a role to apply.
Instead of directly applying a policy to the subject of the ID token (like ${cognito-identity.amazonaws.com:sub}), I'd rather have it use the group (like from ${cognito-identity.amazonaws.com:cognito:groups}), such that I don't have to create a role for each new group, and the variable itself would help define the resource scope.
Has anyone had much luck with this? Or using string arrays/sets in IAM resource definitions in general? I was trying to do something like
{"Fn::Select": [0, "${cognito-identity.amazonaws.com:cognito:groups}"]}
but CloudFormation complains about
Template error: Fn::Select requires a list argument with two elements: an integer index and a list.
Thanks!
P.S. I see this page which states that there are no service-specific keys for Cognito for use in policies, but that doesn't seem right as I've seen people use sub, aud, amr, etc. in policies in other examples on the web, although a definitive guide doesn't seem well documented.

XACML selected role authorization example - XACML for RBAC

I'm using WSO2 Identity Server with XACML for authorization.
I have users with several roles in IS. The user must select one of them to enter the app. So I need to grant the user based only on one of all his roles.
I used port.getDecisionByAttributes(subject, resource, action, environment); of the EntitlementService for asking with SOAP WS to the policy defined in XACML. The subject is the username. But it grants because it uses all the user's roles.
Example:
User: peter
Roles: rolegranted, rolenotgranted, otherrole
When peter enters the app and selects rolenotgranted he should not access the resource.
When peter enters the app and selects rolegranted he should access the resource.
How do I define the XACML policy, and which method of the EntitlementService should I use?
Thank you
Actually, you need to write role based XACML policies in the PDP. The Entitlement service method that you are using is fine. You can send the username in the XACML request and verify the user's roles using the user store (via PIP). I would like to suggest you go through this blog. It explains how you can write a role based XACML policy in WSO2IS and use it properly.
I finally met the requirements by passing the role in the subject arg of the getDecisionByAttributes method. WSO2 IS doesn't check if this subject exists, so I can pass anything here and test it in the policy rule.

How to apply Software Restriction policy for specific user in local group policy object?

I am working on implementing user based software restriction policy programmatically for local group policy object.
If I create a policy through the Domain Controller, I do have the option for software restriction policy in user configuration, but in the local group policy editor I don't have that option.
When I look for the changes made by the policy applied from the Domain Controller in the registry, they modify registry values for specific users on the path HKEY_USERS\(SID of User)\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
They also have registry.pol stored in the SYSVOL folder on the Domain Controller. When I make the same changes in the registry to block any other application, the application is getting blocked.
I achieved what I wanted but is it right to modify registry values ?
PS:- I am using the IGroupPolicyObject API
I have found the answer,
IGroupPolicyObject - Windows API to create/update policies programmatically.
I would recommend you go through these links; they explain in depth how to access Group Policies programmatically.
Working with Group Policy Objects Programmatically
Programmatically updating local policy in Windows