The condition key aws:PrincipalOrgPaths indicates the OU location of the IAM role, IAM user, or root user that is initiating the creation of the VPC peering connection. It's always local to the account that initiates the creation of the peering connection. This key doesn't reflect the properties of the peering connection, such as the account ID of the VPC being peered with.

The equivalent condition keys that describe the target resources of a request include aws:ResourceOrgPaths and aws:ResourceAccount. However, it's separately documented that the ec2:CreateVpcPeeringConnection permission doesn't support either of those keys, so there's no way to control this particular action based on OU path directly: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgpaths.

More complex workarounds could be possible, such as having a Lambda function populate VPCs and the IAM roles that are used to create peering connections with custom resource and principal tags to reflect the OU locations of both the VPCs and IAM roles. An SCP could prevent those tags from being manipulated by untrusted principals. The ec2:CreateVpcPeeringConnection permission could then be restricted based on the ec2:ResourceTag/MyVpcTagKey or aws:ResourceTag/MyVpcTagKey condition key for the VPC, with the other side of the comparison provided as ${aws:PrincipalTag/MyRoleTagKey} to reference the role's tag as an IAM policy variable: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html.

Documentation doesn't explicitly state whether the ec2:CreateVpcPeeringConnection action supports inspecting the resource tags of the target VPC or only the local VPC, but if you want to pursue this more complex avenue, it should be one of the quicker steps to verify.
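Added example (not from the answer above or from AWS documentation) of what the identity policy for the tag-matching workaround could look like, using the MyVpcTagKey and MyRoleTagKey names from the answer; the statement Sids and the defensive Deny for roles that carry no MyRoleTagKey tag are my own additions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PeerOnlyWithVpcsWhoseOrgPathTagMatchesTheRolesTag",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcPeeringConnection",
      "Resource": "arn:aws:ec2:*:*:vpc/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/MyVpcTagKey": "${aws:PrincipalTag/MyRoleTagKey}"
        }
      }
    },
    {
      "Sid": "AllowTheNewPeeringConnectionResourceItself",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcPeeringConnection",
      "Resource": "arn:aws:ec2:*:*:vpc-peering-connection/*"
    },
    {
      "Sid": "RoleMustCarryTheOrgPathTagAtAll",
      "Effect": "Deny",
      "Action": "ec2:CreateVpcPeeringConnection",
      "Resource": "*",
      "Condition": {
        "Null": { "aws:PrincipalTag/MyRoleTagKey": "true" }
      }
    }
  ]
}
```

The SCP half of the workaround would deny ec2:CreateTags and ec2:DeleteTags for aws:TagKeys MyVpcTagKey (and iam:TagRole and iam:UntagRole for MyRoleTagKey) to every principal except the populating Lambda's role, matched on aws:PrincipalArn. Whether the ec2:ResourceTag condition is evaluated against the accepter VPC in the other account, and not only the local requester VPC, is exactly the undocumented point the answer flags, so test it in a sandbox pair of accounts before relying on it.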