
Confusion around SCP and IAM policy intersection?


Hi forum,

I've recently started to use organizations (in a test account).

I have a user, let's call them NotOwner, that has the following IAM policy, via group policy only (no boundaries), full S3 access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

The user is invited, and accepted, into an OU with the following policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": [
                "s3:PutBucketPolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

However, I can still effect s3:PutBucketPolicy from that user (i.e. edit the bucket policy).

Am I missing what SCP does? I thought if this policy intersected with the NotOwner IAM policy I would be denied s3:PutBucketPolicy? I also deleted and re-created the user after setting up organizations. It also works if I set the policy as a boundary on the user directly.

Regards

--- Extra Info ---

The owner of the bucket is another account, let's call them Owner, and that account has explicitly given permissions to this account via these policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::111111111111:root",
                    "arn:aws:iam::111111111111:user/NotOwner",
                    "arn:aws:iam::111111111111:user/Owner"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

Edited by: davporte on Jan 27, 2020 10:42 PM

Ah ok, I'm telling S3 "ok, go for it", so IAM doesn't matter!

asked 3 years ago, 23 views
1 Answer

I think I answered myself: IAM is not relevant; S3 says the user can do this to this bucket, so they can.
And considering I was in an IAM account under the Organizations root, that is also not surprising!

Once I logged out/in into an account under the correct OU, it all worked fine!

Edited by: davporte on Jan 27, 2020 10:45 PM

Edited by: davporte on Jan 28, 2020 3:58 AM

answered 3 years ago
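A small model of the evaluation behind this thread, added here as an example: it is not AWS code and only approximates the real evaluation logic. It takes the three policies pasted in the question, adds two assumed pieces the post refers to but does not show (the default FullAWSAccess SCP and the bucket-policy Allow grant from Owner's account), and shows why s3:PutBucketPolicy is denied for NotOwner in a member account but still succeeds when the same user sits in the organization's management account, which SCPs never apply to. The `evaluate` and `run_case` functions and the "Stranger" principal are constructed for the example.

```python
"""Simplified model of the policy evaluation behind this thread.

Added example, not AWS code and not the full AWS evaluation logic. It models
only what decides this cross-account case: an explicit Deny in any applicable
policy wins, SCPs apply to member accounts but never to the management
account, and the caller's identity policy and the bucket policy must both allow.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111111111111"  # NotOwner's account, as in the question
NOTOWNER = f"arn:aws:iam::{ACCOUNT}:user/NotOwner"
BUCKET = "arn:aws:s3:::bucketname"

# The three policies pasted in the question (Version/Sid omitted for brevity).
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP_OU = {"Statement": [{"Effect": "Deny", "Action": ["s3:PutBucketPolicy"], "Resource": ["*"]}]}
BUCKET_POLICY_DENY = {"Statement": [{
    "Effect": "Deny",
    "NotPrincipal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:root", NOTOWNER,
                             f"arn:aws:iam::{ACCOUNT}:user/Owner"]},
    "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"]}]}

# Assumed: the default FullAWSAccess SCP every organization starts with.
SCP_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Assumed: the Allow grant the poster says Owner's account added but did not paste.
BUCKET_POLICY_ALLOW = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": NOTOWNER},
    "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_arns(block):
    """Flatten a Principal/NotPrincipal element ("*" or {"AWS": ...}) into ARNs."""
    if block == "*":
        return ["*"]
    return [arn for arns in block.values() for arn in _as_list(arns)]

def _principal_matches(stmt, principal):
    if "Principal" in stmt:
        arns = _principal_arns(stmt["Principal"])
        return "*" in arns or principal in arns
    if "NotPrincipal" in stmt:  # statement applies to everyone NOT listed
        return principal not in _principal_arns(stmt["NotPrincipal"])
    return True  # identity policies and SCPs carry no Principal element

def _statement_matches(stmt, principal, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _principal_matches(stmt, principal))

def _effects(policies, principal, action, resource):
    """Set of Effect values ("Allow"/"Deny") from the statements that match."""
    return {stmt["Effect"] for policy in policies for stmt in policy["Statement"]
            if _statement_matches(stmt, principal, action, resource)}

def evaluate(principal, action, resource, *, identity_policies, scps,
             resource_policies, management_account=False):
    """Return (allowed, reason) for one cross-account request."""
    scps_in_force = [] if management_account else scps  # SCPs skip the management account
    scp = _effects(scps_in_force, principal, action, resource)
    ident = _effects(identity_policies, principal, action, resource)
    res = _effects(resource_policies, principal, action, resource)
    if "Deny" in scp:
        return False, "explicit deny in SCP"
    if "Deny" in ident:
        return False, "explicit deny in identity policy"
    if "Deny" in res:
        return False, "explicit deny in bucket policy"
    if not management_account and "Allow" not in scp:
        return False, "no SCP allows the action"
    if "Allow" not in ident:  # both sides of the account boundary must grant it
        return False, "identity policy does not allow the action"
    if "Allow" not in res:
        return False, "bucket policy does not grant this principal"
    return True, "identity policy and bucket policy both allow"

def run_case(principal=NOTOWNER, action="s3:PutBucketPolicy", management_account=False):
    """Evaluate one request against the policies from the thread."""
    return evaluate(principal, action, BUCKET,
                    identity_policies=[IDENTITY_POLICY],
                    scps=[SCP_FULL_ACCESS, SCP_OU],
                    resource_policies=[BUCKET_POLICY_ALLOW, BUCKET_POLICY_DENY],
                    management_account=management_account)

if __name__ == "__main__":
    print("member account, PutBucketPolicy:", run_case())
    print("management account, PutBucketPolicy:", run_case(management_account=True))
    print("member account, ListBucket:", run_case(action="s3:ListBucket"))
    # Constructed: a principal the bucket policy never names (assumed to hold the
    # same permissive identity policy); it is caught by the NotPrincipal Deny.
    print("stranger, ListBucket:",
          run_case("arn:aws:iam::222222222222:user/Stranger", "s3:ListBucket"))
```

Running the block prints the four cases; the second one is the behaviour the question reports, and the first is what the same user gets once it lives in a member account under the OU. The quick way to tell which situation you are in is to compare the account from `aws sts get-caller-identity` with the `Organization.MasterAccountId` field returned by `aws organizations describe-organization`: if they match, no SCP in the organization constrains that principal.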
