
Restricting access to an AWS resource using a specific pattern of AWS roles

I want all roles of my AWS account that match a specific pattern to be able to access a Secrets Manager secret. I know I can use a Condition block and wildcard matching for that.

However, the Principal field is required in a resource policy.

Will the following policy restrict access to just the roles matching the pattern?

{
  "Statement": [
    {
      "Action": [
        "secretsmanager:UpdateSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::12345678910:role/my_role_*"
        }
      },
      "Principal": { "AWS": "arn:aws:iam::12345678910:root" },
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:us-east-1:12345678910:secret:some-secret-1234",
      "Sid": "rp1"
    }
  ],
  "Version": "2012-10-17"
}

Use the wildcard "All Principal": {"AWS": "*"}. The combination of a same-account Account Principal + wildcard condition works in role *trust* policies [1] but apparently not in *resource* policies [2].


The IAM docs say:

You can specify the role principal as the principal in a resource-based policy or create a broad-permission policy [with a wildcard Principal] that uses the aws:PrincipalArn condition key.

Because the condition contains the account number, the All Principal is no more permissive than the Account Principal would be. Also, because the policy is always tied to a specific secret resource, the wildcard "*" Resource is no more permissive than the secret name. Finally, while an ArnLike condition is not always equivalent to StringLike, it is identical in this case.

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {  "AWS" : "*" },
    "Action" : [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ],
    "Resource" : "arn:aws:secretsmanager:us-east-1:12345678910:secret:some-secret-1234",
    "Condition" : {
      "ArnLike" : {
        "aws:PrincipalArn" : "arn:aws:iam::12345678910:role/my_role_*"
      }
    }
  } ]
}

  [1] See the wildcard permissions section of the AWS blog post How to use trust policies with IAM roles for a trust policy example.

  [2] Error using a Lambda role + secrets manager resource policy with a same-account Account Principal: ...no identity-based policy allows the secretsmanager:GetSecretValue action.
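To make the answer's reasoning checkable offline, here is an added example (not from the original post, and not AWS's policy engine) that evaluates the answer's resource policy against candidate principal ARNs. It implements only the parts of IAM matching the answer relies on: the wildcard Principal, the aws:PrincipalArn condition key, and the StringLike/ArnLike operators (ArnLike matches each of the six colon-delimited ARN components separately, StringLike matches the whole string). The `variant` helper and all ARNs other than the answer's are constructed for illustration.

```python
import json
import re

# The answer's resource policy: wildcard Principal scoped by aws:PrincipalArn.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
    "Resource": "arn:aws:secretsmanager:us-east-1:12345678910:secret:some-secret-1234",
    "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::12345678910:role/my_role_*"}}
  }]
}""")


def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' and '?' may match across ':' boundaries."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def arn_like(pattern, value):
    """IAM ArnLike: the six colon-delimited ARN components are matched one by one,
    so a wildcard in one component can never swallow a ':' of the next."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(string_like(p, v) for p, v in zip(p_parts, v_parts))


OPERATORS = {"StringLike": string_like, "ArnLike": arn_like}


def is_allowed(policy, principal_arn, action):
    """Simplified evaluation of an Allow statement with Principal {"AWS": "*"}
    for a caller identified by principal_arn (the role ARN, as IAM sets it)."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or action not in actions or st["Principal"] != {"AWS": "*"}:
            continue
        checks = [(op, pat) for op, keys in st.get("Condition", {}).items()
                  for key, pat in keys.items() if key == "aws:PrincipalArn"]
        if all(OPERATORS[op](pat, principal_arn) for op, pat in checks):
            return True
    return False


def variant(policy, operator):
    """Deep copy of the policy with its single condition operator swapped (constructed helper,
    used to compare StringLike with ArnLike on the same pattern)."""
    copy_ = json.loads(json.dumps(policy))
    for st in copy_["Statement"]:
        st["Condition"] = {operator: next(iter(st["Condition"].values()))}
    return copy_
```

Running the policy through `is_allowed` shows a same-account `my_role_*` role is permitted, another account's `my_role_*` role is not (the account id in the pattern does the scoping), and swapping ArnLike for StringLike changes nothing for this pattern, since the wildcard sits in the last ARN component.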
