IAM Policy Grammar - Clarification

0

Had a question around the policy grammar of IAM. In https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-notes, towards the end of the grammar it says,

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}  
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number" | "Boolean")

However, in this page https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html, I see the following example,

"Condition": {
  "StringEqualsIgnoreCase": {
    "aws:PrincipalTag/department": [ "finance", "hr", "legal" ],
    "aws:PrincipalTag/role": [ "audit", "security" ]
  },
  "StringEquals": {
    "aws:PrincipalAccount": "123456789012"
  }
}

So, shouldn't the grammar be the following?

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <condition_type_string> : { <condition_key_string> : <condition_value_list>, 
                              <condition_key_string> : <condition_value_list>,
                              ...
                             },
  <condition_type_string> : { <condition_key_string> : <condition_value_list>, 
                              <condition_key_string> : <condition_value_list>,
                              ...
                             },
  ...
}  
<condition_value_list> = [<condition_value>, <condition_value>, ...]

Did I not understand correctly? If I did, which one is correct, the example or the grammar?

1 Answer
0

Both of them are correct. As you can see below (I just entered the example condition into the policy grammar), the example policy follows the policy grammar.

<condition_block> = "Condition" : { <condition_map> }
<condition_map> = { 
  <StringEqualsIgnoreCase> : { <aws:PrincipalTag/department> : <[ "finance", "hr", "legal" ]>, 
                               <aws:PrincipalTag/role> : <[ "audit", "security" ]>,
                              ...
                             },
  <StringEquals> : { <aws:PrincipalAccount> : < 123456789012 >
                              ...
                             },
  ...
}
AWS
answered a year ago
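To make the answer concrete, here is an added example (not from the question, the answer, or the AWS docs) that checks a Condition object against the grammar quoted above, normalizes it to operator -> key -> list of values, and then evaluates it the way IAM documents for multi-valued conditions: keys under an operator are ANDed, the values listed for one key are ORed. It assumes only the two operators used in the sample and treats a bare scalar as a one-element list, which is what the `aws:PrincipalAccount` line in the example relies on.

```python
import json

# Constructed sample input: the Condition block quoted in the question, as JSON text.
SAMPLE_CONDITION = json.loads("""{
  "StringEqualsIgnoreCase": {
    "aws:PrincipalTag/department": ["finance", "hr", "legal"],
    "aws:PrincipalTag/role": ["audit", "security"]
  },
  "StringEquals": {"aws:PrincipalAccount": "123456789012"}
}""")

# Assumption for this example: only the two operators the sample uses are implemented.
OPERATORS = {
    "StringEquals": lambda a, b: str(a) == str(b),
    "StringEqualsIgnoreCase": lambda a, b: str(a).casefold() == str(b).casefold(),
}

def is_condition_value(v):
    # <condition_value> = ("string" | "number" | "Boolean")
    return isinstance(v, (str, int, float, bool))

def normalize_condition(cond):
    """Validate a Condition object against the grammar and return the canonical
    shape operator -> key -> list of values.  A bare scalar is accepted in place
    of a one-element list (the form the sample uses for aws:PrincipalAccount).
    Raises ValueError for anything the grammar does not allow."""
    if not isinstance(cond, dict):
        raise ValueError("Condition must be a JSON object (<condition_map>)")
    out = {}
    for op, key_map in cond.items():               # <condition_type_string>
        if not isinstance(key_map, dict) or not key_map:
            raise ValueError(f"{op}: must map to a non-empty object of condition keys")
        out[op] = {}
        for key, values in key_map.items():        # <condition_key_string>
            if is_condition_value(values):
                values = [values]                  # single value == one-element list
            if (not isinstance(values, list) or not values
                    or not all(is_condition_value(v) for v in values)):
                raise ValueError(f"{op}/{key}: expected a value or a non-empty list of values")
            out[op][key] = list(values)
    return out

def condition_matches(cond, request_context):
    """Evaluate the Condition against single-valued request keys: every operator
    and every key must match (AND); the values listed for one key are
    alternatives (OR).  A key absent from the request context never matches."""
    for op, key_map in normalize_condition(cond).items():
        match = OPERATORS[op]
        for key, values in key_map.items():
            if key not in request_context:
                return False
            if not any(match(request_context[key], v) for v in values):
                return False
    return True
```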
