aws:principalisawsservice vs aws:viaawsservice examples on when to use them?

0

In my experience I have used aws:viaawsservice in combination with SourceIP/SourceVPC in SCP and IAM policy to prevent credentials from being used outside of VPCs and network CIDR blocks that were specific to the roles. However, I am noticing many documents are now updated or created to show aws:principalisawsservice and also liberal use of "ifexists". I am wondering if anyone can provide any details or experience of when it's right to use one condition over the other? Should we ever use both?

2 Answers
0

You're right - the condition keys are to further secure credentials past just network boundaries and security (like you said, outside of VPCs and network CIDR block conditions).

aws:PrincipalIsAWSService can be used to ensure the call to your resource is being made directly by an AWS service principal. An example commonly given is CloudTrail, where you can limit access to an S3 Bucket so that an AWS Service (CloudTrail) can write logs to a bucket.

aws:ViaAWSService is slightly different and can be used to limit access when an AWS service makes a request to another service on your behalf.

The difference between them is that PrincipalIsAWSService will have a service principal, such as "cloudtrail.amazonaws.com", while **ViaAWSService** would use an IAM principal (IAM role or user, but not a service role or service-linked role).

The exact evaluation for aws:PrincipalIsAWSService: " The request context key is set to true when a service uses a service principal to perform a direct action on your resources. The context key is set to false if the service uses the credentials of an IAM principal to make a request on the principal's behalf. It is also set to false if the service uses a service role or service-linked role to make a call on the principal's behalf."

The exact evaluation for aws:ViaAWSService: "The request context key returns true when a service uses the credentials of an IAM principal to make a request on behalf of the principal. The context key returns false if the service uses a service role or service-linked role to make a call on the principal's behalf. The request context key also returns false when the principal makes the call directly."

As for IfExists, if condition keys are only available in some circumstances (not global) and are missing from a request context, the policy can fail without IfExists. IfExists is evaluated as "If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true."

Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

jsonc
answered 2 years ago
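To make the three request shapes described in the answer concrete (a service principal acting directly, a service using the caller's credentials on their behalf, and an IAM principal calling directly), here is an added example that is not from this thread and not AWS's own code. It is a small model of IAM Condition evaluation covering only the operators it uses: Bool, StringEquals, IpAddress/NotIpAddress and their IfExists forms. It applies two policy statements to constructed request contexts: a bucket-policy Allow restricted to the CloudTrail service principal, and an SCP-style Deny that blocks calls from outside a CIDR unless an AWS service is the caller, which is the pattern the question describes. The request contexts are made up for the example; the condition key aws:PrincipalServiceName is a documented key that the answer does not mention, and the absence of aws:SourceIp on the direct service-principal request is an assumption of this model.

```python
"""Toy model of IAM Condition evaluation (added example, not the real IAM engine).

Operator semantics follow the IAM documentation: multiple values under one
key are ORed, multiple keys and multiple operators are ANDed, and the IfExists
suffix makes an absent context key count as a match instead of a failure.
"""
import ipaddress


def _matches(operator, context_value, policy_values):
    """Evaluate one base operator against one context value (subset only)."""
    if operator == "Bool":
        return str(context_value).lower() in [str(v).lower() for v in policy_values]
    if operator == "StringEquals":
        return context_value in policy_values
    if operator in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(context_value)
        in_range = any(addr in ipaddress.ip_network(c) for c in policy_values)
        return in_range if operator == "IpAddress" else not in_range
    raise ValueError(f"unsupported operator {operator}")


def condition_matches(condition, context):
    """True if every operator/key pair in a Condition block matches the context.

    A key missing from the request context fails a plain operator; with the
    IfExists suffix the missing key is treated as a match ("evaluate as true").
    """
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base_op = operator[: -len("IfExists")] if if_exists else operator
        for key, values in keys.items():
            values = values if isinstance(values, list) else [values]
            if key not in context:
                if if_exists:
                    continue  # absent key + IfExists: this key counts as matched
                return False  # absent key without IfExists: condition fails
            if not _matches(base_op, context[key], values):
                return False
    return True


# Bucket-policy style Allow: only the CloudTrail service principal, acting
# directly (PrincipalIsAWSService true), may write log objects.
CLOUDTRAIL_PUT_STATEMENT = {
    "Effect": "Allow",
    "Action": "s3:PutObject",
    "Condition": {
        "Bool": {"aws:PrincipalIsAWSService": "true"},
        "StringEquals": {"aws:PrincipalServiceName": "cloudtrail.amazonaws.com"},
    },
}

# SCP-style Deny: block requests from outside 10.0.0.0/8 (a constructed CIDR),
# but do not deny when an AWS service is the caller, either on the principal's
# behalf (ViaAWSService true) or directly (PrincipalIsAWSService true).
# Because a Deny needs every condition to match, IfExists keeps the statement
# effective when one of the keys is absent from the request context.
DENY_OUTSIDE_NETWORK = {
    "Effect": "Deny",
    "Action": "*",
    "Condition": {
        "NotIpAddressIfExists": {"aws:SourceIp": ["10.0.0.0/8"]},
        "BoolIfExists": {
            "aws:ViaAWSService": "false",
            "aws:PrincipalIsAWSService": "false",
        },
    },
}

# Constructed request contexts (not captured from a real account).
REQUESTS = {
    # CloudTrail delivering a log file: a direct service-principal action.
    # Assumption of this model: no aws:SourceIp is present on such a call.
    "cloudtrail_direct": {
        "aws:PrincipalIsAWSService": "true",
        "aws:PrincipalServiceName": "cloudtrail.amazonaws.com",
        "aws:ViaAWSService": "false",
    },
    # A service (e.g. Athena) reading S3 with the caller's own role credentials;
    # the source IP is the service's network, not the VPC CIDR.
    "athena_on_behalf": {
        "aws:PrincipalIsAWSService": "false",
        "aws:ViaAWSService": "true",
        "aws:SourceIp": "203.0.113.10",
    },
    # The role calling directly from inside the allowed network.
    "role_in_vpc": {
        "aws:PrincipalIsAWSService": "false",
        "aws:ViaAWSService": "false",
        "aws:SourceIp": "10.1.2.3",
    },
    # The same role's credentials used directly from outside the network.
    "role_off_network": {
        "aws:PrincipalIsAWSService": "false",
        "aws:ViaAWSService": "false",
        "aws:SourceIp": "198.51.100.7",
    },
}


def missing_key_behaviour():
    """Show the IfExists difference on a context that lacks aws:ViaAWSService.

    Returns (plain Bool result, BoolIfExists result): (False, True).
    """
    context = {"aws:SourceIp": "10.1.2.3"}  # no aws:ViaAWSService key at all
    plain = condition_matches({"Bool": {"aws:ViaAWSService": "false"}}, context)
    if_exists = condition_matches({"BoolIfExists": {"aws:ViaAWSService": "false"}}, context)
    return plain, if_exists


if __name__ == "__main__":
    for name, ctx in REQUESTS.items():
        allowed = condition_matches(CLOUDTRAIL_PUT_STATEMENT["Condition"], ctx)
        denied = condition_matches(DENY_OUTSIDE_NETWORK["Condition"], ctx)
        print(f"{name:18} cloudtrail-allow={allowed!s:5} network-deny={denied}")
    print("missing key (Bool, BoolIfExists):", missing_key_behaviour())
```

Running it shows only the direct CloudTrail call satisfying the Allow, and only the off-network direct call matching the Deny: the service-on-behalf request escapes the Deny through aws:ViaAWSService, the direct service-principal request through aws:PrincipalIsAWSService, which is why the two keys cover different cases and can sit side by side in one statement. missing_key_behaviour() returns (False, True), the point made about IfExists above.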
0

Thank you. Does this have any correlation back to the <servicename>.amazonaws.com or “AWS Internal” showing in the SourceIPAddress field? I think I probably need both conditions to round out some coverage. Thanks again!

houston
answered 2 years ago
