
Logical or in policy condition AWS

I want to have a logical OR between AWS policy conditions, which I then need to attach to an SCP. The motivation is to add a policy which applies in case one of 2 conditions is met.

{
    "Sid": "OnlyT1T2Micro",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances"],
    "Resource": ["arn:aws:ec2:us-east-1:accountid:instance/*"],
    "Condition": {
        "StringEquals": {
            "ec2:InstanceType": ["t1.micro","t2.micro"],
            "ec2:Region": "us-east-1"
        }
    }
}

In this case, I would like to deny the EC2 RunInstances API in case the type is one of t1 or t2 micro, or the region is us-east-1. But in this snippet, it's a logical "and" between conditions, which means the policy would apply in case it's a (t1.micro or t2.micro) and (us-east-1 region), where I'm looking to add an "or".

In order to save text in the SCP (due to the size limit), I was looking at shrinking the 2 conditions together into 1 policy with "or", in case there is an option.

Hope this example is clear

An SCP can contain multiple policies; at the moment your single policy will require all conditions to be met (as well as the resource pattern) before it will deny.

You should create a separate statement for each of these conditions whilst also removing the resource pattern if you're trying to deny access for those instance classes in other AWS regions.

Perhaps something like the below is more appropriate.

{
    "Sid": "OnlyT1T2Micro",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances"],
    "Resource": ["*"],
    "Condition": {
        "StringEquals": {
            "ec2:InstanceType": ["t1.micro","t2.micro"]
        }
    }
},
{
    "Sid": "NotInUsEast1",
    "Effect": "Deny",
    "Action": ["ec2:RunInstances"],
    "Resource": ["*"],
    "Condition": {
        "StringEquals": {
            "ec2:Region": "us-east-1"
        }
    }
}

With this it will evaluate as: if either the instance type is a t1.micro or t2.micro, or the region is us-east-1, then deny the action.

The only OR condition is between each statement. If you're trying to reduce the size of your statements, try to group up similar statements: for example, disable common actions in the same statement, or if you want to deny a number of regions, add them all to the same statement rather than one statement each.
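To make the evaluation rule from the question and the answer concrete, here is a small Python model of how a Deny statement is matched (an added example, not AWS code or a tool from the page): condition operators and keys inside one statement are ANDed, the values listed for one key are ORed, and separate statements are ORed because any matching Deny wins. The two policies are constructed to mirror the single-statement form from the question (with its two conditions in one StringEquals block, which is the AND the questioner describes) and the two-statement form from the answer; `accountid` and the instance ID are placeholders, and `run_instances_request` is a hypothetical helper that builds the request context.

```python
"""Toy evaluator for SCP Deny-statement semantics (added example).
Within a statement: operator blocks AND, keys AND, listed values OR.
Across statements: OR, since any matching Deny denies the request."""
from fnmatch import fnmatchcase

# Constructed policies; "accountid" is a placeholder as in the question.
SINGLE_STATEMENT_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyT1T2Micro",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances"],
        "Resource": ["arn:aws:ec2:us-east-1:accountid:instance/*"],
        "Condition": {
            "StringEquals": {
                "ec2:InstanceType": ["t1.micro", "t2.micro"],
                "ec2:Region": "us-east-1",
            }
        },
    }],
}

TWO_STATEMENT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OnlyT1T2Micro",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"ec2:InstanceType": ["t1.micro", "t2.micro"]}},
        },
        {
            "Sid": "NotInUsEast1",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Every operator block and every key inside it must match (AND); the
    values listed for one key are alternatives (OR). A key absent from the
    request context never satisfies StringEquals."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            # Only the operator used on this page is modelled.
            raise NotImplementedError(operator)
        for key, expected in keys.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def denying_sid(scp, action, resource, context):
    """Return the Sid of the first Deny statement matching the request, or
    None. Actions match case-insensitively, resources case-sensitively,
    both with '*' wildcards."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


def run_instances_request(region, instance_type):
    """Hypothetical helper: the instance ARN (constructed ID) and the
    condition-key context an ec2:RunInstances call would present."""
    resource = f"arn:aws:ec2:{region}:accountid:instance/i-0123456789abcdef0"
    context = {"ec2:Region": region, "ec2:InstanceType": instance_type}
    return resource, context


def evaluate(scp, region, instance_type):
    """Sid of the statement that denies the request, or None if allowed."""
    resource, context = run_instances_request(region, instance_type)
    return denying_sid(scp, "ec2:RunInstances", resource, context)


if __name__ == "__main__":
    for name, scp in (("single", SINGLE_STATEMENT_SCP), ("two", TWO_STATEMENT_SCP)):
        for region, itype in (("us-east-1", "t2.micro"), ("us-west-2", "t2.micro"),
                              ("us-east-1", "m5.large"), ("us-west-2", "m5.large")):
            print(f"{name:6} {region:10} {itype:9} -> {evaluate(scp, region, itype)}")
```

Running it shows the difference the answer describes: the single statement denies only a t1/t2.micro in us-east-1 (both the resource ARN and both condition keys must match), while the two-statement policy denies a t2.micro in us-west-2 through `OnlyT1T2Micro` and an m5.large in us-east-1 through `NotInUsEast1`, and leaves an m5.large in us-west-2 alone.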
