AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관

Can IAM policy be restricted to just temporary sessions (GetSessionToken)?

0

I want to create an IAM account that should just be used to create temporary session tokens and ListBucket in S3. The temporary sessions should then also be able to PutObject, GetObject and DeleteObject. I don't think this is possible with GetSessionToken since the temporary session would have the same restrictions as the original account. But I wasn't sure if there was some special principal or other conditions (like checking for a session token) that might make this work?

This is my basic policy...

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "SOME MAGIC SUGAR HERE???"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "my_s3_bucket_arn/*"
    },{
      "Effect": "Allow",
      "Principal": {
        "AWS": "SOME MAGIC SUGAR HERE???"
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "my_s3_bucket_arn"
    }
  ]
}

Do I need to use AssumeRole here instead so the temporary session gets different permission?

Thanks!

질문됨 5년 전979회 조회
2개 답변
1
수락된 답변

Hello,

If I understood correctly, you would like to allow S3 actions only if the requester is using temporary credentials.

In this case, you can use the "Null" condition operator [1] to check the existence of the "aws:TokenIssueTime" [2] Global condition key; as stated at the documentation [1], "If the user is using temporary credentials, then the key aws:TokenIssueTime exists and has a value."

The same documentation [1] brings an example which "the user MUST NOT be using temporary credentials (the key must not exist) for the user to use the Amazon EC2 API." (Which is the opposite of your case).

If you are planning to attach your policy to an IAM user, it should be like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "my_s3_bucket_arn/*",
            "Condition": {
                "Null": {
                    "aws:TokenIssueTime": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "my_s3_bucket_arn",
            "Condition": {
                "Null": {
                    "aws:TokenIssueTime": "false"
                }
            }
        }
    ]
}

Note: IAM identity-based policies (attached to IAM users, groups or roles) don't have the "Principal" element [3].

The above policy is checking if the "aws:TokenIssueTime" IS NOT Null, which means the entity should be using temporary credentials; in this case, the user will be able to call the allowed S3 API actions if it is using temporary credentials obtained using "GetSessionToken" or Assuming a role.

I hope this has answered your question!

References:

[1] IAM JSON Policy Elements: Condition Operators - Condition Operator to Check Existence of Condition Keys - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Null
[2] AWS Global Condition Context Keys - aws:TokenIssueTime - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tokenissuetime
[3] AWS JSON Policy Elements: Principal - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

답변함 5년 전
0

Thanks. That was exactly what I was looking for.

답변함 5년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠