- Newest
- Most votes
- Most comments
I would suggest that with that many accounts you move to Org ID(s) rather than Account IDs if possible. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid
aws:PrincipalOrgID
Use this key to compare the identifier of the organization in AWS Organizations to which the requesting principal belongs with the identifier specified in the policy.
- Availability – This key is included in the request context only if the principal is a member of an organization. Anonymous requests do not include this key.
- Data type – String
- Value type – Single-valued
This global key provides an alternative to listing all the account IDs for all AWS accounts in an organization. You can use this condition key to simplify specifying the Principal element in a resource-based policy. You can specify the organization ID in the condition element. When you add and remove accounts, policies that include the aws:PrincipalOrgID key automatically include the correct accounts and don't require manual updating.
For example, the following Amazon S3 bucket policy allows members of any account in the o-xxxxxxxxxxx organization to add an object into the policy-ninja-dev bucket.
{ "Version": "2012-10-17", "Statement": { "Sid": "AllowPutObject", "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::policy-ninja-dev/*", "Condition": {"StringEquals": {"aws:PrincipalOrgID":"o-xxxxxxxxxxx"} } } }
The "Principal" element is stored translated to the single, unique technical identifier of the principal, unless specified as a full wildcard ("*"). That's why you can't use it to specify wildcard patterns or principals that don't exist.
You can specify ARN patterns for the principal by making the "Principal" element a full wildcard and restricting the principals in the "Condition" element by inspecting the request context condition keys including "aws:PrincipalArn" and "aws:PrincipalAccount". However, you absolutely never should specify a wildcard for the 12-digit account ID segment. If you do, any current and future AWS account holder in the world (not just in your or your customer's company) will have access to the bucket.
For example:
{
"Sid": "AllowCrossAccountObjectAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY-BUCKET-NAME/*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::123456789012:role/*",
"arn:aws:iam::234567890123:role/rolename2"
]
}
}
}
Or to allow all principals (all IAM users, all IAM roles, and root) in several entire account IDs:
{
"Sid": "AllowObjectAccessToEntireAccountIds",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MY-BUCKET-NAME/*",
"Condition": {
"StringEquals": {
"aws:PrincipalAccount": [
"123456789012",
"234567890123"
]
}
}
}
Relevant content
- asked 4 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated a year ago
Note, however, that the aws:PrincipalOrgID key matches all AWS accounts in the entire organisation. If there are hundreds or thousands of production, staging, sandbox, etc. accounts and your intent is to allow access from 50 production accounts, for example, and not hundreds of lower environments or unrelated production accounts, you shouldn't use this key alone.
In an organisation of some size, the "aws:PrincipalOrgPaths" key might be useful. It allows specifying entire organisation unit paths (roughly similar to a folder tree) where the accounts are placed in the organisation hierarchy. If the 50 accounts you're looking to grant are in one or a few OU paths separately from other accounts, you could specify the path to that single OU or parent OU with the "aws:PrincipalOrgPaths" request context condition key.