SCP to Block S3 Public Access at account level except for a lambda function

There is an SCP to deny access to the Block Public Access settings in S3. The policy was later updated to allow a specific Lambda function to perform this action. The updated policy is given below. The assumption is that this policy should only allow the specified Lambda function to perform this operation, but this policy is allowing the management IAM role to perform this action. Please clarify why the SCP is allowing the IAM role to perform the action if only the Lambda function is allowed.

    {
        "Sid": "DenyS3PublicAccess",
        "Effect": "Deny",
        "Action": "s3:PutAccountPublicAccessBlock",
        "Resource": "*",
        "Condition": {
            "ForAnyValue:ArnNotLike": {
                "aws:SourceArn": "arn:aws:lambda:*:*:function:function-name-s3-public-access"
            }
        }
    }

Also, what would be a policy to allow the function to perform this action?

3 Answers
Accepted Answer

The following policy for the SCP is working as intended.

    {
        "Sid": "DenyS3PublicAccess",
        "Effect": "Deny",
        "Action": "s3:PutAccountPublicAccessBlock",
        "Resource": "*",
        "Condition": {
            "ArnNotLike": {
                "lambda:SourceFunctionArn": "arn:aws:lambda:*:*:function:function-name-s3-public-access"
            }
        }
    }

With the above policy, no IAM role is able to edit the configuration, but the Lambda function is able to update it. Thanks.

answered 25 days ago
EXPERT
reviewed 24 days ago
The SCP that you provided denies access to the s3:PutAccountPublicAccessBlock action for all resources except for the specified Lambda function with the ARN arn:aws:lambda:*:*:function:function-name-s3-public-access.

However, it's important to note that SCPs only control access at the account level and don't distinguish between different IAM roles within the account. So, if the IAM role you mentioned has permissions to perform the s3:PutAccountPublicAccessBlock action, it would still be allowed to do so, regardless of the SCP.

If you want to allow only the specified Lambda function to perform the s3:PutAccountPublicAccessBlock action, you would need to create an IAM policy and attach it to the IAM role associated with the Lambda function.

Use this IAM policy to allow the function to perform this action.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:PutAccountPublicAccessBlock",
                "Resource": "*",
                "Condition": {
                    "ArnLike": {
                        "lambda:SourceFunctionArn": "arn:aws:lambda:*:*:function:function-name-s3-public-access"
                    }
                }
            }
        ]
    }

This policy actually allows the specified Lambda function to perform the s3:PutAccountPublicAccessBlock action on all S3 resources. Make sure to replace "function-name-s3-public-access" with the actual name of your Lambda function. Also, note that this policy should be attached to the IAM role that your Lambda function assumes.

answered 25 days ago
EXPERT
reviewed 25 days ago
  • The function already has a policy that allows s3:PutAccountPublicAccessBlock.

    {
        "Action": [
            "s3:GetAccountPublicAccessBlock",
            "s3:PutAccountPublicAccessBlock"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }
    
Hello,

To answer your question regarding why the management IAM role is able to perform the s3:PutAccountPublicAccessBlock despite the SCP restricting the action to only the lambda function, it's because SCPs don't affect users or roles in the management account. Please reference this documentation on SCPs and note the section outlined in red near the top.

AWS
answered 25 days ago
  • Tried a different policy and it denies access to the same IAM role, but it doesn't allow the Lambda function either.

    {
        "Sid": "DenyS3PublicAccess",
        "Effect": "Deny",
        "Action": "s3:PutAccountPublicAccessBlock",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {
                "aws:SourceArn": "arn:aws:lambda:*::function:function-name-s3-public-access"
            }
        }
    }
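The three Deny statements in this thread (the accepted answer's ArnNotLike on lambda:SourceFunctionArn, the question's ForAnyValue:ArnNotLike on aws:SourceArn, and the StringNotEquals variant in the comment above) behave differently only because of how IAM condition operators treat a context key that is absent from the request. The following Python is an added example, not code from the thread or from AWS, and not a full IAM evaluator: it implements only the documented rules needed here (ArnLike matches field by field with wildcards; a negated single-valued operator is true when its key is missing; ForAnyValue is false when its key is missing; a Deny applies when every condition block matches). The region, account ID, role name and function ARNs are constructed for the example, and the management-account exemption from SCPs mentioned in the answer above is not modelled.

```python
"""Model how the three Deny statements posted in this thread evaluate.

Added example for this page; it is not AWS code and not a full IAM
evaluator.  Only the documented rules that matter here are implemented:
  - ArnLike compares the six colon-separated ARN fields, '*'/'?' wildcards;
  - a negated single-valued operator (ArnNotLike, StringNotEquals) is true
    when the key is absent from the request context;
  - ForAnyValue:... is false when the key is absent, ForAllValues:... true;
  - the Deny applies when every condition block evaluates to true.
Region, account ID, role name and function ARNs below are constructed.
"""
import fnmatch

FUNCTION_ARN_PATTERN = "arn:aws:lambda:*:*:function:function-name-s3-public-access"
ACTION = "s3:PutAccountPublicAccessBlock"


def deny_statement(operator, key):
    """Build a Deny statement of the shape used throughout the thread."""
    return {"Sid": "DenyS3PublicAccess", "Effect": "Deny", "Action": ACTION,
            "Resource": "*", "Condition": {operator: {key: FUNCTION_ARN_PATTERN}}}


POLICIES = {
    # accepted answer: keys on the context key Lambda actually sets
    "accepted": deny_statement("ArnNotLike", "lambda:SourceFunctionArn"),
    # original question: set operator on aws:SourceArn
    "question": deny_statement("ForAnyValue:ArnNotLike", "aws:SourceArn"),
    # later comment: negated single-valued operator on aws:SourceArn
    "comment": deny_statement("StringNotEquals", "aws:SourceArn"),
}

# Constructed request contexts.  A role calling the API directly carries
# neither key.  Code running inside a function carries
# lambda:SourceFunctionArn; aws:SourceArn is only set on service-to-service
# calls made on behalf of a resource, so the function's own S3 call lacks it.
CONTEXTS = {
    "management_role": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/management"},
    "lambda": {"lambda:SourceFunctionArn":
               "arn:aws:lambda:us-east-1:111122223333:function:function-name-s3-public-access"},
    "other_lambda": {"lambda:SourceFunctionArn":
                     "arn:aws:lambda:us-east-1:111122223333:function:other-function"},
}


def arn_like(pattern, value):
    """ArnLike: wildcard match of each of the six ARN fields."""
    p, v = pattern.split(":", 5), value.split(":", 5)
    return len(p) == len(v) == 6 and all(
        fnmatch.fnmatchcase(vf, pf) for pf, vf in zip(p, v))


POSITIVE = {"ArnLike": arn_like, "StringEquals": lambda p, v: p == v}


def condition_matches(operator, key_values, context):
    """Evaluate one condition block, e.g. {"ArnNotLike": {key: pattern}}."""
    set_prefix, _, base = operator.rpartition(":")   # "ForAnyValue", "ArnNotLike"
    negated = "Not" in base
    match = POSITIVE[base.replace("Not", "")]
    for key, patterns in key_values.items():
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if key not in context:
            # Missing key: ForAllValues and negated single-valued -> true,
            # positive single-valued and ForAnyValue -> false.
            if set_prefix == "ForAllValues" or (not set_prefix and negated):
                continue
            return False
        values = context[key] if isinstance(context[key], list) else [context[key]]

        def one(v):
            hit = any(match(p, v) for p in patterns)
            return hit != negated      # a negated operator flips the result

        if set_prefix == "ForAnyValue":
            ok = any(one(v) for v in values)
        elif set_prefix == "ForAllValues":
            ok = all(one(v) for v in values)
        else:
            ok = one(values[0])
        if not ok:
            return False
    return True


def statement_denies(stmt, action, context):
    """True when this explicit Deny applies to the request (Resource is '*')."""
    if stmt["Effect"] != "Deny" or stmt["Action"] != action:
        return False
    return all(condition_matches(op, kv, context)
               for op, kv in stmt.get("Condition", {}).items())


def evaluate_all():
    """(policy name, caller name) -> whether the SCP Deny blocks the call."""
    return {(pname, cname): statement_denies(stmt, ACTION, ctx)
            for pname, stmt in POLICIES.items()
            for cname, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    for (pname, cname), denied in evaluate_all().items():
        print(f"{pname:9} {cname:16} {'DENIED' if denied else 'allowed'}")
```

Running it reproduces the thread's observations: the accepted SCP denies the role (key absent, negated operator true) and any other function, but not the named function; the question's ForAnyValue variant denies nobody, because aws:SourceArn is absent from every one of these requests and a set operator over a missing key is false; the StringNotEquals variant denies everybody, the Lambda included, for the same missing-key reason in the other direction. The practical check before deploying such an SCP is to confirm in CloudTrail which context keys the caller's requests actually carry, and to key the exception on lambda:SourceFunctionArn rather than aws:SourceArn.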
    
