Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

S3 Bucket Policy for Federated User

1

I understand that Principle element is must for resource-based policies. Which means while creating S3 Bucket policy, I need to define Principle element. In my case, I want to define Bucket policy for Azure AD users.

I have already configured IAM Identity Center with Azure AD as external saml idp. I can login with Azure AD user to AWS console and access the resources using Permission sets.

How can I define Azure AD users (federated users) as Principle element in Bucket policy? I know there are other ways to manage S3 permissions, however I want to use only S3 Bucket policy (resource based policy). Is it possible to use federated user as Principle element in resource based policy?

Themen
SpeicherSicherheit, Identität & Konformität
Tags
Amazon Simple Storage ServiceAWS IAM Identitätszentrum
Sprache
English
Naresh
gefragt vor einem Jahr1520 Aufrufe
2 Antworten
1

Hi. You will be able to achieve your goal by using Condition element . BucketPolicy will like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UserID",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "StringLike": {
                    "aws:userId": "AROAEXAMPLEID:SSOUserName"
                }
            }
        }
    ]
}

You can find out what aws:userid variable is from here.

https://aws.amazon.com/jp/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

Each IAM entity (user or role) has a defined aws:userid variable. You will need this variable for use within the bucket policy to specify the role or user as an exception in a conditional element. An assumed-role’s aws:userId value is defined as UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example, AROAEXAMPLEID:userdefinedsessionname)

profile picture
EXPERTE
Hiroki Takahashi
beantwortet vor einem Jahr
  • Naresh
    vor einem Jahr

    Thanks for your response. It seems that in this way I need to use Role name. However In my case Azure AD user may be part of multiple roles / Permission sets. Would like to define policy based on AD users UserPrincipleName which will be unique.

  • Hiroki Takahashi EXPERTE
    vor einem Jahr

    I found similiar post.

    https://repost.aws/questions/QUpS_5uoExQqujbTTe02zGSA

    I think that you need to use UNIQUE-ROLE-ID (can be identified from Role name) with ROLE-SESSION-NAME (the user name used to sign into AWS Identity Center) to grant access anyway. So, if are using multiple roles, adding multiple statements in bucket policy will work.

0

Hi, you can use federated users as IAM Principals in policies: see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#sts-session-principals

This page provides an example:

"Principal": { "AWS": "arn:aws:sts::AWS-account-ID:federated-user/user-name" }

You can sophisticate this by using implicit variable ${AWS:UserId} and check other conditions on this Userid if needed (matches some pattern, etc.)

profile pictureAWS
EXPERTE
Didier_Durand
beantwortet vor einem Jahr
  • Naresh
    vor einem Jahr

    Thanks for your response Didier. I tried to add Principle and It gives me error “Invalid principle in policy”.

    I am using user@domainname.onmicrosoft.com in place of user-name as this is Azure AD user.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt