By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

S3 Bucket Policy for Federated User

1

I understand that Principle element is must for resource-based policies. Which means while creating S3 Bucket policy, I need to define Principle element. In my case, I want to define Bucket policy for Azure AD users.

I have already configured IAM Identity Center with Azure AD as external saml idp. I can login with Azure AD user to AWS console and access the resources using Permission sets.

How can I define Azure AD users (federated users) as Principle element in Bucket policy? I know there are other ways to manage S3 permissions, however I want to use only S3 Bucket policy (resource based policy). Is it possible to use federated user as Principle element in resource based policy?

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAWS IAM Identity Center
Language
English
Naresh
asked 10 months ago1445 views
2 Answers
1

Hi. You will be able to achieve your goal by using Condition element . BucketPolicy will like this.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UserID",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "StringLike": {
                    "aws:userId": "AROAEXAMPLEID:SSOUserName"
                }
            }
        }
    ]
}

You can find out what aws:userid variable is from here.

https://aws.amazon.com/jp/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

Each IAM entity (user or role) has a defined aws:userid variable. You will need this variable for use within the bucket policy to specify the role or user as an exception in a conditional element. An assumed-role’s aws:userId value is defined as UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example, AROAEXAMPLEID:userdefinedsessionname)

profile picture
EXPERT
Hiroki Takahashi
answered 10 months ago
  • Naresh
    10 months ago

    Thanks for your response. It seems that in this way I need to use Role name. However In my case Azure AD user may be part of multiple roles / Permission sets. Would like to define policy based on AD users UserPrincipleName which will be unique.

  • Hiroki Takahashi EXPERT
    10 months ago

    I found similiar post.

    https://repost.aws/questions/QUpS_5uoExQqujbTTe02zGSA

    I think that you need to use UNIQUE-ROLE-ID (can be identified from Role name) with ROLE-SESSION-NAME (the user name used to sign into AWS Identity Center) to grant access anyway. So, if are using multiple roles, adding multiple statements in bucket policy will work.

0

Hi, you can use federated users as IAM Principals in policies: see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#sts-session-principals

This page provides an example:

"Principal": { "AWS": "arn:aws:sts::AWS-account-ID:federated-user/user-name" }

You can sophisticate this by using implicit variable ${AWS:UserId} and check other conditions on this Userid if needed (matches some pattern, etc.)

profile pictureAWS
EXPERT
Didier_Durand
answered 10 months ago
  • Naresh
    10 months ago

    Thanks for your response Didier. I tried to add Principle and It gives me error “Invalid principle in policy”.

    I am using user@domainname.onmicrosoft.com in place of user-name as this is Azure AD user.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content