By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to perform logical OR with condition for an action in a IAM policy

0

So I can't seem to find this but what I want to do is create a condition on an action in a policy based on tags.

Either the tag aws:RequestTag/owner OR the tag aws:ResourceTag/owner MUST be present AND be equal to "${aws:PrincipalTag/owner}" :

{
    "Sid": "AllowUnlessOwnedBySomeoneElse",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    "Condition": {
        "StringEquals": {
            'aws:RequestTag/owner': "${aws:PrincipalTag/owner}",
            'aws:ResourceTag/owner': "${aws:PrincipalTag/owner}"
        }
    }
}

The problem is that as it is current written above, this says that both the aws:RequestTag/owner AND the tag aws:ResourceTag/owner tags would be present which cant be true.

I need is so that at least one of those two tags is present and that they be equal to ${aws:PrincipalTag/owner} .

How do I accomplish this?

  • Kallu EXPERT
    2 years ago

    As this snippet looks somewhat familiar :-) I should comment why there is AND, not OR. Condition is to state your API request must have the same owner=value as the resource does. Original version had StringEqualsIfExists to allow those cases where owner -tag isn't present or doesn't make sense. I'm not sure what would be the use-case for OR, as your requestTag comparision will always be true if you have tagged the IAM user or role you are using?

Topics
Security, Identity, & Compliance
Tags
Security, Identity, & ComplianceAWS Identity and Access Management
Language
English
chrisjd20
asked 2 years ago11835 views
2 Answers
3
Accepted Answer

One way to approach this problem could be as follows :

{
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": { "StringEquals":  'aws:RequestTag/owner': "${aws:PrincipalTag/owner}" }
     },
     {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": { "StringEquals":  'aws:ResourceTag/owner': "${aws:PrincipalTag/owner}" }
     }
     ]
}

You can have multiple "Allow" constructs in a single IAM statement. Either of these could allow the action.

Dennis_A
answered 2 years ago
  • chrisjd20
    2 years ago

    Oh duh lol Why didnt I think of this.

1

Create two separate statements:

{
    "Sid": "AllowUnlessOwnedBySomeoneElse",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/owner": "${aws:PrincipalTag/owner}",
        }
    }
},
{
    "Sid": "AllowUnlessOwnedBySomeoneElse2",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}"
        }
    }
}

Make sure you also have a look at the page that details which services do and don't support ABAC as well.

AWS
Matt
answered 2 years ago
profile picture
EXPERT
Kallu
reviewed 2 months ago
  • chrisjd20
    2 years ago

    THanks, I should have thought of this.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content