SCP to Block S3 Public Access at account level except for a lambda function

0

There is an SCP to Deny access to Block Public Access settings in S3. The policy was later updated to Allow a specific lambda function to perform this action. The updated policy is given below. The assumption is that this policy should only allow the specified lambda function to perform this operation. But this policy is allowing the management IAM Role to perform this action. Please clarify why the SCP is allowing the IAM role to perform the action if only the lambda function is Allowed.

{
    "Sid": "DenyS3PublicAccess",
    "Effect": "Deny",
    "Action": "s3:PutAccountPublicAccessBlock",
    "Resource": "*",
    "Condition": {
        "ForAnyValue:ArnNotLike": {
            "aws:SourceArn": "arn:aws:lambda:*:*:function:function-name-s3-public-access"
        }
    }
}

Also what would be a policy to allow the function to perform this action.

3 answers
1
Accepted answer

The following policy for the SCP is working as intended.

{
    "Sid": "DenyS3PublicAccess",
    "Effect": "Deny",
    "Action": "s3:PutAccountPublicAccessBlock",
    "Resource": "*",
    "Condition": {
        "ArnNotLike": {
            "lambda:SourceFunctionArn": "arn:aws:lambda:*:*:function:function-name-s3-public-access"
        }
    }
}

With the above policy, no IAM role is able to edit the configuration, but the lambda is able to update the configuration. Thanks

Answered a month ago
Expert
Reviewed a month ago
1

The SCP that you provided denies access to the s3:PutAccountPublicAccessBlock action for all resources except for the specified Lambda function with the ARN arn:aws:lambda:::function:function-name-s3-public-access.

However, it's important to note that SCPs only control access at the account level and don't distinguish between different IAM roles within the account. So, if the IAM role you mentioned has permissions to perform the s3:PutAccountPublicAccessBlock action, it would still be allowed to do so, regardless of the SCP.

If you want to allow only the specified Lambda function to perform the s3:PutAccountPublicAccessBlock action, you would need to create an IAM policy and attach it to the IAM role associated with the Lambda function.

Use this IAM policy to allow the function to perform this action.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutAccountPublicAccessBlock",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:lambda:::function:function-name-s3-public-access"
                }
            }
        }
    ]
}

This policy actually allows the specified Lambda function to perform the s3:PutAccountPublicAccessBlock action on all S3 resources. Make sure to replace "function-name-s3-public-access" with the actual name of your Lambda function. Also, note that this policy should be attached to the IAM role that your Lambda function assumes.

Answered a month ago
Expert
Reviewed a month ago
  • The function already has a policy that allows s3:PutAccountPublicAccessBlock.

    {
        "Action": [
            "s3:GetAccountPublicAccessBlock",
            "s3:PutAccountPublicAccessBlock"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }

1

Hello,

To answer your question regarding why the management IAM role is able to perform the s3:PutAccountPublicAccessBlock despite the SCP restricting the action to only the lambda function, it's because SCPs don't affect users or roles in the management account. Please reference this documentation on SCPs and note the section outlined in red near the top.

AWS
Answered a month ago
  • Tried a different policy and it is denying access to the same IAM role. But it doesn't allow the lambda function as well.

    {
        "Sid": "DenyS3PublicAccess",
        "Effect": "Deny",
        "Action": "s3:PutAccountPublicAccessBlock",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "aws:SourceArn": "arn:aws:lambda:*::function:function-name-s3-public-access"
            }
        }
    }
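To make the two behaviours reported in this thread concrete, here is an added example (not code from the thread, from AWS, or from the project) that evaluates the Deny statement from the accepted answer and the aws:SourceArn variant from the comment above against constructed request contexts. It assumes the documented IAM rule that negated operators (ArnNotLike, StringNotEquals) evaluate to true when the key is absent from the request context, and that calls made from function code with the execution role carry lambda:SourceFunctionArn but not aws:SourceArn; the region and account id in the contexts are made up.

```python
import fnmatch

ACTION = "s3:PutAccountPublicAccessBlock"

# Deny statement from the accepted answer (key: lambda:SourceFunctionArn).
ACCEPTED_SCP = {"Effect": "Deny", "Action": ACTION, "Condition": {"ArnNotLike": {
    "lambda:SourceFunctionArn": "arn:aws:lambda:*:*:function:function-name-s3-public-access"}}}

# Variant from the follow-up comment (key: aws:SourceArn), which denied the Lambda too.
COMMENT_SCP = {"Effect": "Deny", "Action": ACTION, "Condition": {"StringNotEquals": {
    "aws:SourceArn": "arn:aws:lambda:*::function:function-name-s3-public-access"}}}

# Constructed request contexts. Function code calling S3 with its execution role
# carries lambda:SourceFunctionArn (not aws:SourceArn); an IAM role used by a
# person or pipeline carries neither key. Region and account id are made up.
LAMBDA_CONTEXT = {"lambda:SourceFunctionArn":
                  "arn:aws:lambda:us-east-1:123456789012:function:function-name-s3-public-access"}
ROLE_CONTEXT = {}


def condition_matches(operator, key, pattern, context):
    """Evaluate one condition key/value pair against the request context.
    Negated operators (ArnNotLike, StringNotEquals) are true when the key is
    absent, so a caller that never carries the key always hits the Deny.
    Arn* and *Like operators use a simplified wildcard match (* and ?)."""
    negated = "Not" in operator
    value = context.get(key)
    if value is None:
        return negated
    if operator.startswith("Arn") or operator.endswith("Like"):
        matched = fnmatch.fnmatchcase(value, pattern)
    else:
        matched = value == pattern
    return (not matched) if negated else matched


def scp_denies(statement, action, context):
    """True when the Deny statement applies to this call (all conditions true)."""
    if statement["Effect"] != "Deny" or statement["Action"] != action:
        return False
    return all(condition_matches(op, key, pattern, context)
               for op, pairs in statement["Condition"].items()
               for key, pattern in pairs.items())


if __name__ == "__main__":
    for name, scp in (("accepted answer", ACCEPTED_SCP), ("comment", COMMENT_SCP)):
        print(f"{name}: denies lambda={scp_denies(scp, ACTION, LAMBDA_CONTEXT)}"
              f" denies role={scp_denies(scp, ACTION, ROLE_CONTEXT)}")
```

The accepted-answer statement denies the bare role but not the function, while the aws:SourceArn variant denies both because that key is never present on the function's own S3 call.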
    
