By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Principal ARN issue in S3 bucket policy

0

Hi AWS, I have to add more than 50 Principals (IAM Roles) in S3 bucket policy as the bucket is shared across 50 accounts and the role name is exactly same just for the simplicity purpose. Knowing the fact that there is a hard limit with the S3 bucket policy size i.e. 20KB, I am trying to use a wildcard (*) in place of account number like this

"Principal": {
              "AWS": "arn:aws:iam::*:role/your-role-name-in-aws1"
          }

OR

"Principal": {
              "AWS": "arn:aws:iam::*:root"
          }

But both of the syntax are giving errors. Previously till last year I believe this syntax was supported but maybe the newer code version has restricted this from security aspect. Can you please help if there is a similar syntax as I don't want to hardcode the AccountId field to avoid policy limit size exhaustion.

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAWS Identity and Access Management
Language
English
profile picture
Arjun Goel
asked 23 days ago318 views
2 Answers
0

I would suggest that with that many accounts you move to Org ID(s) rather than Account IDs if possible. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid

aws:PrincipalOrgID

Use this key to compare the identifier of the organization in AWS Organizations to which the requesting principal belongs with the identifier specified in the policy.

  • Availability – This key is included in the request context only if the principal is a member of an organization. Anonymous requests do not include this key.
  • Data type – String
  • Value type – Single-valued

This global key provides an alternative to listing all the account IDs for all AWS accounts in an organization. You can use this condition key to simplify specifying the Principal element in a resource-based policy. You can specify the organization ID in the condition element. When you add and remove accounts, policies that include the aws:PrincipalOrgID key automatically include the correct accounts and don't require manual updating.

For example, the following Amazon S3 bucket policy allows members of any account in the o-xxxxxxxxxxx organization to add an object into the policy-ninja-dev bucket.

 {
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AllowPutObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::policy-ninja-dev/*",
    "Condition": {"StringEquals":
      {"aws:PrincipalOrgID":"o-xxxxxxxxxxx"}
    }
  }
}
profile pictureAWS
EXPERT
iBehr
answered 23 days ago
  • Leo K EXPERT
    23 days ago

    Note, however, that the aws:PrincipalOrgID key matches all AWS accounts in the entire organisation. If there are hundreds or thousands of production, staging, sandbox, etc. accounts and your intent is to allow access from 50 production accounts, for example, and not hundreds of lower environments or unrelated production accounts, you shouldn't use this key alone.

    In an organisation of some size, the "aws:PrincipalOrgPaths" key might be useful. It allows specifying entire organisation unit paths (roughly similar to a folder tree) where the accounts are placed in the organisation hierarchy. If the 50 accounts you're looking to grant are in one or a few OU paths separately from other accounts, you could specify the path to that single OU or parent OU with the "aws:PrincipalOrgPaths" request context condition key.

0

The "Principal" element is stored translated to the single, unique technical identifier of the principal, unless specified as a full wildcard ("*"). That's why you can't use it to specify wildcard patterns or principals that don't exist.

You can specify ARN patterns for the principal by making the "Principal" element a full wildcard and restricting the principals in the "Condition" element by inspecting the request context condition keys including "aws:PrincipalArn" and "aws:PrincipalAccount". However, you absolutely never should specify a wildcard for the 12-digit account ID segment. If you do, any current and future AWS account holder in the world (not just in your or your customer's company) will have access to the bucket.

For example:

{
    "Sid": "AllowCrossAccountObjectAccess",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::MY-BUCKET-NAME/*",
    "Condition": {
        "ArnLike": {
            "aws:PrincipalArn": [
                "arn:aws:iam::123456789012:role/*",
                "arn:aws:iam::234567890123:role/rolename2"
            ]
        }
    }
}

Or to allow all principals (all IAM users, all IAM roles, and root) in several entire account IDs:

{
    "Sid": "AllowObjectAccessToEntireAccountIds",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::MY-BUCKET-NAME/*",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalAccount": [
                "123456789012",
                "234567890123"
            ]
        }
    }
}
EXPERT
Leo K
answered 23 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content