Policy Condition for federated users

hi all, trying to understand how to write a resource policy where I want to DENY every user identity access unless that user identity has a permission set attached to it. So far I've got this, but I am certain I've got the thinking wrong, because if I run it then ${AWS:UserId} will be replaced by the identity of the account that is deploying the resource.

In an SSO setup, I've created a few groups with users in those groups. The groups have permissions attached to them. I want the users belonging to a specific group to have the correct permissions when they log in using SSO and assume the role. Users from other groups should get a DENY.

Open to suggestions and help. Thanks in advance.

"Condition": {
    "ArnNotEquals": {
        "aws:Principal": "arn:aws:sts::${AWS::AccountId}:federated-user/${AWS:UserId}"
    }
}
1 answer

Hi,

I understand that you want to write a resource policy that grants least-privilege access to federated users.

Creating IAM policies that grant least privilege is one of the security best practices [1]; to create an IAM role, refer to [2]. You can view the condition operators for Amazon Resource Names (ARNs) in the attached document [3]. The condition operator that you can use in a policy depends on the condition key you choose.

Please see the attached document [4] for reference identifiers.

I hope this helps.

Resources:

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html

[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html

answered 2 years ago
  • Thanks @Asisipho, I guess the problem here is that the policy will end up looking like this. With 50-odd users to add to the condition, it will be a tedious exercise.

    "Condition": {
        "ArnNotEquals": {
            "aws:PrincipalArn": [
                "arn:aws:sts::123456789012:federated-user/JohnDoe",
                "arn:aws:sts::123456789012:federated-user/Paulo",
                "arn:aws:sts::123456789012:federated-user/JaneDoe",
                "arn:aws:sts::123456789012:federated-user/User..n"
            ]
        }
    }

    Is there any other/better way to address the OP's question? I am also looking for something similar.
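An added example (not from the question, the answer, or AWS documentation): instead of enumerating users, key the Deny on the IAM role that IAM Identity Center provisions for the permission set. Each permission set becomes a role named AWSReservedSSO_<PermissionSetName>_<suffix> under the path /aws-reserved/sso.amazonaws.com/ (with an optional region segment), and aws:PrincipalArn resolves to that role ARN for every session that assumed it, so one ArnNotLike pattern covers every user in the group and no policy variable is needed. The account ID 123456789012, the bucket example-bucket, the permission set name DataTeamAccess and the DeploymentRole are placeholders; the deployment role is listed so the Deny does not lock out the principal that creates the bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptPermissionSetRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_DataTeamAccess_*",
            "arn:aws:iam::123456789012:role/DeploymentRole"
          ]
        }
      }
    }
  ]
}
```

Because "Principal": "*" with a Deny also matches the account root and every other role in the account, keep a break-glass or deployment role in the exception list and test with the IAM policy simulator before attaching the policy to a bucket you cannot afford to lose access to.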
