Can I merge this resource-based policy by using two condition blocks?

0

Hi, I am very new to creating resource-based policy. I created one from the template which AWS EventBridge has provided. Is it possible to merge the two statements by using two condition blocks?

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAllAccountsFromOrgToPutEvents",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "events:PutEvents",
          "Resource": "arn:aws:events:us-east-1:accountID:event-bus/eventbusname",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalOrgID": "OrgID"
            }
          }
        },
        {
          "Sid": "AllowStandardAccountToPutEvents",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::accountID:root"
          },
          "Action": "events:PutEvents",
          "Resource": "arn:aws:events:us-east-1:accountID:event-bus/eventbusname"
        }
      ]
    }

asked 10 months ago, 375 views
1 Answer
3
Accepted Answer

First policy:

This policy grants permissions to all members of your AWS Organizations to use the PutEvents action:

    {
      "Sid": "AllowAllAccountsFromOrgToPutEvents",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:us-east-1:accountID:event-bus/eventbusname",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "OrgID"
        }
      }
    }

Second policy:

In the second policy, note that I changed accountID to accountID_1 and accountID_2 to explain the exact purpose of this policy:

    {
      "Sid": "AllowStandardAccountToPutEvents",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID_1:root"
      },
      "Action": "events:PutEvents",
      "Resource": "arn:aws:events:us-east-1:accountID_2:event-bus/eventbusname"
    }

This policy grants the account accountID_1 permission to publish events to the specified event bus in the account accountID_2.

Now accountID_1 and accountID_2 can be the same, which means that at the resource (event bus) side, all identities are granted PutEvents to this event bus in the same account. In that case, this would not be required and can be removed.

Both of these resource policies serve different purposes: the first one grants all member accounts access, while the second one grants PutEvents access to a particular account.

Conclusion:

  1. If you want to allow only your member accounts PutEvents access, then the second policy can be removed, but you may have a requirement to grant an individual account as well that is not part of the org, in which case you'd want to keep both. So it all depends on your exact requirement.

  2. If you want to allow any specific account which is part of the org or outside of the org, but not all member accounts, then keep the second one and remove the first. To mention again, accountID_1 is the grantee and accountID_2 is the grantor.

  3. If you want to allow all your org member accounts and not any account specifically, then keep the first one and remove the second one.

Additionally, look at Event Bus Permissions, which would help you to understand more about these permissions.

Feel free to comment here, if you have additional questions, glad to help.

AWS EXPERT, answered 10 months ago
iBehr, AWS EXPERT, reviewed 10 months ago
  • Thank you for your thorough response, Abhishek! My requirement is to allow all accounts in the organization as well as a standard account; I understand that I must keep both policies, but is there any way I can combine them into a single policy?

  • Is there any common pattern between that one account and all member accounts in the org? On that basis, I can definitely suggest if there is any condition statement that can be utilized. If there is no common pattern, then no, those two policies must exist, unless you prefer to mention each account explicitly (all member accounts and that one account) in the principal, which is definitely not recommended as it would create operational overhead for adding an account each time a new account gets created in the org.

    Will wait to hear from you.
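The comment above asks whether the two statements can be collapsed into one. As an added illustration (not from the thread or from AWS), this toy evaluator reproduces the relevant IAM rule that separate statements are ORed while condition keys inside one Condition block are ANDed, so a single statement carrying both the org condition and an account condition would admit neither caller; all account and org ids are placeholders.

```python
# Toy policy evaluator, added as an illustration (not from the thread or from AWS).
# It models only "Allow" statements, Principal "*" or {"AWS": "<root arn>"}, and the
# StringEquals operator on aws:PrincipalOrgID / aws:PrincipalAccount.
# IAM semantics reproduced: statements are ORed, condition keys within one
# Condition block are ANDed, and the values listed for one key are ORed.
ORG_ID = "o-exampleorgid"                       # placeholder org id
BUS_ACCOUNT = "111111111111"                    # placeholder event bus owner account
GUEST_ACCOUNT = "222222222222"                  # placeholder account outside the org
BUS_ARN = f"arn:aws:events:us-east-1:{BUS_ACCOUNT}:event-bus/eventbusname"

# The two statements from the question, with placeholder ids.
TWO_STATEMENTS = [
    {"Effect": "Allow", "Principal": "*", "Action": "events:PutEvents", "Resource": BUS_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{GUEST_ACCOUNT}:root"},
     "Action": "events:PutEvents", "Resource": BUS_ARN},
]
# One statement with both keys in a single Condition block: the keys are ANDed,
# so the caller must be in the org AND be the guest account at the same time.
MERGED_ATTEMPT = [
    {"Effect": "Allow", "Principal": "*", "Action": "events:PutEvents", "Resource": BUS_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID,
                                    "aws:PrincipalAccount": GUEST_ACCOUNT}}},
]

def caller(account, org_id=None):
    """Request context for a call made by the root identity of `account`."""
    return {"aws:PrincipalArn": f"arn:aws:iam::{account}:root",
            "aws:PrincipalAccount": account, "aws:PrincipalOrgID": org_id}

def principal_matches(principal, ctx):
    if principal == "*":
        return True
    arns = principal.get("AWS", [])
    arns = [arns] if isinstance(arns, str) else arns
    return ctx["aws:PrincipalArn"] in arns

def conditions_match(condition, ctx):
    for key, wanted in condition.get("StringEquals", {}).items():   # keys are ANDed
        wanted = [wanted] if isinstance(wanted, str) else wanted    # values are ORed
        if ctx.get(key) not in wanted:                              # missing key -> no match
            return False
    return True

def policy_allows(statements, ctx, action="events:PutEvents", resource=BUS_ARN):
    """True if any Allow statement matches the caller, action, resource and conditions."""
    return any(s["Effect"] == "Allow" and s["Action"] == action and s["Resource"] == resource
               and principal_matches(s["Principal"], ctx)
               and conditions_match(s.get("Condition", {}), ctx)
               for s in statements)
```

Run `policy_allows(TWO_STATEMENTS, caller("333333333333", ORG_ID))` and `policy_allows(MERGED_ATTEMPT, caller(GUEST_ACCOUNT))` to see that the two-statement policy admits both kinds of caller while the merged attempt admits neither.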
