SCP to Block S3 Public Access at account level except for a lambda function

0

There is an SCP to deny access to the Block Public Access settings in S3. The policy was later updated to allow a specific Lambda function to perform this action. The updated policy is given below. The assumption is that this policy should only allow the specified Lambda function to perform this operation, but this policy is allowing the management IAM role to perform this action. Please clarify why the SCP is allowing the IAM role to perform the action if only the Lambda function is allowed.

    {
        "Sid": "DenyS3PublicAccess",
        "Effect": "Deny",
        "Action": "s3:PutAccountPublicAccessBlock",
        "Resource": "*",
        "Condition": {
            "ForAnyValue:ArnNotLike": {
                "aws:SourceArn": "arn:aws:lambda:::function:function-name-s3-public-access"
            }
        }
    }

Also, what would be a policy that allows the function to perform this action?

3 answers
1
Accepted answer

The following policy for the SCP is working as intended.

    {
        "Sid": "DenyS3PublicAccess",
        "Effect": "Deny",
        "Action": "s3:PutAccountPublicAccessBlock",
        "Resource": "*",
        "Condition": {
            "ArnNotLike": {
                "lambda:SourceFunctionArn": "arn:aws:lambda:*:*:function:function-name-s3-public-access"
            }
        }
    }

With the above policy, no IAM role is able to edit the configuration, but the Lambda function is able to update the configuration. Thanks.

answered a month ago
EXPERT
reviewed a month ago
1

The SCP that you provided denies access to the s3:PutAccountPublicAccessBlock action for all resources except for the specified Lambda function with the ARN arn:aws:lambda:::function:function-name-s3-public-access.

However, it's important to note that SCPs only control access at the account level and don't distinguish between different IAM roles within the account. So, if the IAM role you mentioned has permissions to perform the s3:PutAccountPublicAccessBlock action, it would still be allowed to do so, regardless of the SCP.

If you want to allow only the specified Lambda function to perform the s3:PutAccountPublicAccessBlock action, you would need to create an IAM policy and attach it to the IAM role associated with the Lambda function.

Use this IAM policy to allow the function to perform this action.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutAccountPublicAccessBlock",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:lambda:::function:function-name-s3-public-access"
                }
            }
        }
    ]
}

This policy actually allows the specified Lambda function to perform the s3:PutAccountPublicAccessBlock action on all S3 resources. Make sure to replace "function-name-s3-public-access" with the actual name of your Lambda function. Also, note that this policy should be attached to the IAM role that your Lambda function assumes.

answered a month ago
EXPERT
reviewed a month ago
  • The function already has a policy that allows s3:PutAccountPublicAccessBlock.

        {
            "Action": [
                "s3:GetAccountPublicAccessBlock",
                "s3:PutAccountPublicAccessBlock"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    
1

Hello,

To answer your question regarding why the management IAM role is able to perform the s3:PutAccountPublicAccessBlock despite the SCP restricting the action to only the lambda function, it's because SCPs don't affect users or roles in the management account. Please reference this documentation on SCPs and note the section outlined in red near the top.

AWS
answered a month ago
  • Tried a different policy, and it is denying access to the same IAM role, but it doesn't allow the Lambda function either.

        {
            "Sid": "DenyS3PublicAccess",
            "Effect": "Deny",
            "Action": "s3:PutAccountPublicAccessBlock",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceArn": "arn:aws:lambda:*::function:function-name-s3-public-access"
                }
            }
        }
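The three SCP variants in this thread (the question's ForAnyValue:ArnNotLike on aws:SourceArn, the last comment's StringNotEquals on aws:SourceArn, and the accepted answer's ArnNotLike on lambda:SourceFunctionArn) differ only in which condition key they test and how the operator treats a request that does not carry that key. The script below is an added example, not code from the thread or from AWS: it models IAM's condition evaluation for a single Deny statement and runs each variant against two constructed request contexts, one for the Lambda function's own API call (which carries lambda:SourceFunctionArn but no aws:SourceArn) and one for an ordinary IAM role (which carries neither). The account ID, region and role name are hypothetical, and the missing-key rules (a negated single-valued operator is satisfied when the key is absent, ForAnyValue is not, ForAllValues is) follow AWS's documented condition semantics and should be confirmed with the IAM policy simulator before you rely on them. Note that this models a member account; as the third answer says, SCPs never apply to principals in the management account, whatever the condition.

```python
"""Model of IAM condition evaluation for the Deny SCPs discussed in this thread."""
import re

ACTION = "s3:PutAccountPublicAccessBlock"
FUNCTION_ARN = "arn:aws:lambda:*:*:function:function-name-s3-public-access"

# Variant from the question: set operator on a key that Lambda's own calls do not carry.
QUESTION_SCP = {
    "Effect": "Deny", "Action": ACTION, "Resource": "*",
    "Condition": {"ForAnyValue:ArnNotLike": {"aws:SourceArn": FUNCTION_ARN}},
}
# Variant from the last comment: negated operator, still on the wrong key.
COMMENT_SCP = {
    "Effect": "Deny", "Action": ACTION, "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:SourceArn": FUNCTION_ARN}},
}
# Accepted answer: negated operator on the key Lambda does populate.
ACCEPTED_SCP = {
    "Effect": "Deny", "Action": ACTION, "Resource": "*",
    "Condition": {"ArnNotLike": {"lambda:SourceFunctionArn": FUNCTION_ARN}},
}

# Constructed request contexts (hypothetical account 111122223333 and role name).
LAMBDA_CONTEXT = {
    "lambda:SourceFunctionArn":
        "arn:aws:lambda:us-east-1:111122223333:function:function-name-s3-public-access",
}
ROLE_CONTEXT = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Admin"}


def wildcard_match(pattern, value):
    """IAM-style matching: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _value_matches(base_operator, policy_values, context_value):
    """One context value against the policy values, for a non-negated operator."""
    if base_operator in ("StringEquals", "ArnEquals"):
        return context_value in policy_values
    if base_operator in ("StringLike", "ArnLike"):
        return any(wildcard_match(p, context_value) for p in policy_values)
    raise ValueError("unsupported operator: " + base_operator)


def condition_block_true(operator, key_values, context):
    """Evaluate one operator block ({key: values}); every key must be satisfied."""
    prefix, _, base = operator.rpartition(":")   # e.g. "ForAnyValue", "ArnNotLike"
    negated = "Not" in base
    base = base.replace("Not", "")
    for key, policy_values in key_values.items():
        if isinstance(policy_values, str):
            policy_values = [policy_values]
        if key not in context:
            # Missing key (assumed AWS semantics): negated single-valued operators and
            # ForAllValues are satisfied; ForAnyValue and positive operators are not.
            satisfied = prefix == "ForAllValues" or (prefix == "" and negated)
        else:
            values = context[key]
            if isinstance(values, str):
                values = [values]
            per_value = [_value_matches(base, policy_values, v) != negated for v in values]
            if prefix == "ForAnyValue":
                satisfied = any(per_value)
            elif prefix == "ForAllValues":
                satisfied = all(per_value)
            else:
                satisfied = len(per_value) == 1 and per_value[0]
        if not satisfied:
            return False
    return True


def denied_by(statement, action, context):
    """True if this Deny statement applies to the request (explicit deny wins)."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if statement["Effect"] != "Deny" or not any(wildcard_match(a, action) for a in actions):
        return False
    # Resource is "*" in every variant here, so only the Condition block decides.
    return all(condition_block_true(op, kv, context) for op, kv in statement["Condition"].items())


def outcomes():
    """(lambda_denied, role_denied) for each SCP variant."""
    return {
        name: (denied_by(scp, ACTION, LAMBDA_CONTEXT), denied_by(scp, ACTION, ROLE_CONTEXT))
        for name, scp in (("question", QUESTION_SCP), ("comment", COMMENT_SCP),
                          ("accepted", ACCEPTED_SCP))
    }


if __name__ == "__main__":
    for name, (lam, role) in outcomes().items():
        print(f"{name:9s} lambda denied={lam!s:5s} role denied={role}")
```

Under this model the question's policy denies nobody (ForAnyValue with an absent key is false, so the Deny never applies), the comment's policy denies everybody including the function (StringNotEquals with an absent key is true for every caller), and only the accepted policy denies the role while exempting the function, which is why the condition key matters more than the operator: aws:SourceArn is set when an AWS service calls on behalf of a resource, not when the function's execution role calls S3 directly.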
    
