The following policy for the SCP is working as intended.
```json
{
  "Sid": "DenyS3PublicAccess",
  "Effect": "Deny",
  "Action": "s3:PutAccountPublicAccessBlock",
  "Resource": "*",
  "Condition": {
    "ArnNotLike": {
      "lambda:SourceFunctionArn": "arn:aws:lambda:*:*:function:function-name-s3-public-access"
    }
  }
}
```
With the above policy, no IAM role is able to edit the configuration, but the lambda is able to update the configuration. Thanks
The SCP that you provided denies access to the s3:PutAccountPublicAccessBlock action for all resources except for the specified Lambda function with the ARN arn:aws:lambda:*:*:function:function-name-s3-public-access.
However, it's important to note that SCPs only control access at the account level and don't distinguish between different IAM roles within the account. So, if the IAM role you mentioned has permissions to perform the s3:PutAccountPublicAccessBlock action, it would still be allowed to do so, regardless of the SCP.
If you want to allow only the specified Lambda function to perform the s3:PutAccountPublicAccessBlock action, you would need to create an IAM policy and attach it to the IAM role associated with the Lambda function.
Use this IAM policy to allow the function to perform this action.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutAccountPublicAccessBlock",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:lambda:::function:function-name-s3-public-access"
        }
      }
    }
  ]
}
```
This policy actually allows the specified Lambda function to perform the s3:PutAccountPublicAccessBlock action on all S3 resources. Make sure to replace "function-name-s3-public-access" with the actual name of your Lambda function. Also, note that this policy should be attached to the IAM role that your Lambda function assumes.
Hello,
To answer your question regarding why the management IAM role is able to perform the s3:PutAccountPublicAccessBlock action despite the SCP restricting the action to only the Lambda function: it's because SCPs don't affect users or roles in the management account.
Please reference this documentation on SCPs and note the section outlined in red near the top.
Tried a different policy and it is denying access to the same IAM role. But it doesn't allow the lambda function as well.
```json
{
  "Sid": "DenyS3PublicAccess",
  "Effect": "Deny",
  "Action": "s3:PutAccountPublicAccessBlock",
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:SourceArn": "arn:aws:lambda:*::function:function-name-s3-public-access"
    }
  }
}
```
The function already has a policy that allows s3:PutAccountPublicAccessBlock.
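The two behaviours discussed in this thread, the management-account exemption and the difference between the ArnNotLike statement and the StringNotEquals follow-up, can be reproduced with a small evaluator. The code below is an added example, not code from the thread or from AWS; it models only the condition operators and the single Deny statement involved (no FullAWSAccess allow list, no identity policies), and the function ARN, region and account ID are constructed values. Arn-type operators compare each of the six colon-delimited ARN components separately with wildcards, while String-type operators compare the whole value literally, so a pattern containing "*" can never be StringEquals to a real ARN. A further point, stated here as a fact about IAM rather than from the thread: aws:SourceArn is populated only when an AWS service calls on behalf of a resource; a request that a function's own code makes with its execution role carries lambda:SourceFunctionArn instead.

```python
import fnmatch

# Constructed request context values (not from the thread).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:function-name-s3-public-access"
ACTION = "s3:PutAccountPublicAccessBlock"

# The original SCP statement from the question.
SCP_ARN_NOT_LIKE = {
    "Sid": "DenyS3PublicAccess",
    "Effect": "Deny",
    "Action": ACTION,
    "Resource": "*",
    "Condition": {
        "ArnNotLike": {
            "lambda:SourceFunctionArn": "arn:aws:lambda:*:*:function:function-name-s3-public-access"
        }
    },
}

# The follow-up statement posted later in the thread.
SCP_STRING_NOT_EQUALS = {
    "Sid": "DenyS3PublicAccess",
    "Effect": "Deny",
    "Action": ACTION,
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {
            "aws:SourceArn": "arn:aws:lambda:*::function:function-name-s3-public-access"
        }
    },
}


def arn_matches(pattern: str, value: str) -> bool:
    """ArnLike semantics: each of the six colon-delimited ARN components is
    compared separately, case-sensitively, with * and ? as wildcards."""
    p_parts = pattern.split(":", 5)
    v_parts = value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))


def condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block. For these single-valued operators IAM treats
    an absent key as false for the positive form and true for the ...Not form."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "ArnLike":
                ok = actual is not None and arn_matches(expected, actual)
            elif operator == "ArnNotLike":
                ok = actual is None or not arn_matches(expected, actual)
            elif operator == "StringEquals":
                ok = actual is not None and actual == expected  # '*' is literal here
            elif operator == "StringNotEquals":
                ok = actual is None or actual != expected
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def scp_allows(statement: dict, action: str, context: dict,
               in_management_account: bool = False) -> bool:
    """True if this Deny statement leaves the action allowed. SCPs never apply
    to principals in the organization's management account, so that case is
    allowed unconditionally (the explanation given in the thread)."""
    if in_management_account:
        return True
    if statement["Effect"] != "Deny":
        raise ValueError("only Deny statements are modelled")
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return True
    return not condition_holds(statement["Condition"], context)


def outcomes() -> dict:
    """Run the thread's scenarios and return which ones end up allowed."""
    lambda_ctx = {"lambda:SourceFunctionArn": FUNCTION_ARN}
    # Even if aws:SourceArn carried the exact function ARN, the literal
    # comparison against a value containing '*' can never be equal.
    lambda_ctx_source_arn = {"aws:SourceArn": FUNCTION_ARN}
    role_ctx = {}  # an IAM role calling the API directly: no Lambda keys
    followup_as_arnnotlike = {
        **SCP_STRING_NOT_EQUALS,
        "Condition": {"ArnNotLike": SCP_STRING_NOT_EQUALS["Condition"]["StringNotEquals"]},
    }
    return {
        "arnnotlike_lambda": scp_allows(SCP_ARN_NOT_LIKE, ACTION, lambda_ctx),
        "arnnotlike_member_role": scp_allows(SCP_ARN_NOT_LIKE, ACTION, role_ctx),
        "arnnotlike_mgmt_role": scp_allows(SCP_ARN_NOT_LIKE, ACTION, role_ctx, in_management_account=True),
        "stringnotequals_lambda": scp_allows(SCP_STRING_NOT_EQUALS, ACTION, lambda_ctx_source_arn),
        "stringnotequals_member_role": scp_allows(SCP_STRING_NOT_EQUALS, ACTION, role_ctx),
        # Operator fixed but the pattern still has an empty account component,
        # which matches only an empty account, so the function stays denied.
        "followup_arnnotlike_lambda": scp_allows(followup_as_arnnotlike, ACTION, lambda_ctx_source_arn),
    }


if __name__ == "__main__":
    for name, allowed in outcomes().items():
        print(f"{name:32s} {'allowed' if allowed else 'denied'}")
```

The management-account result is the one that matters for the original question: the same role that is denied in a member account is untouched by the SCP when it lives in the management account. The follow-up rows show why the StringNotEquals version denies the function too, and that the pattern, not just the operator, has to be right.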