How can I restrict S3 bucket access to allow only VPC Flow logs from within an organization?

Question

Hello,

I have a landing zone created with Control Tower (Audit and Logging account and so on) In the logging account I have an S3 bucket in which I want to receive the VPC Flow logs from all current and future accounts from that organization. So, I want to create a bucket policy that only allows receiving VPC Flow logs as long as the source account is in the organization. The new accounts are created with Control Tower account factory by other teams in a self service fashion so I need to filter by organization, not account ids or specific ARNs.

According to the VPC Flow logs user guide, you have to add the following statement (and another similar one but let's simplify things) to the S3 bucket policy to the destination bucket:

```
{
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "my-s3-arn",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": account_id
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:region:account_id:*"
                }
            }
        }
```
As I need to filter by organization and not by account, I tried using the aws:PrincipalOrgID condition key instead of the SourceAccount and SourceArn. However, I get an error saying that the aws:PrincipalOrgID does not support service principals and I cannot create the policy.

I also tried with the aws:PrincipalOrgPaths condition key. Then, it lets me create the policy but when I try to create the Flow log it says "Access Denied for LogDestination: bucket_name. Please check LogDestination permissions."

I have also tried keeping the principal as "*" and adding the "aws:PrincipalServiceName": "delivery.logs.amazonaws.com" to the condition but I get the same error when trying to create the Flow logs.

Does anyone have any idea on how can I do that?

Thanks in advance

posquit0 · Accepted Answer

You cannot use any conditions related with organization, because the service principal is not a member of your organization.

Just delete all conditions related to Account ID is a simple stupid solution. And keep S3 bucket name as secret. I believe that `delivery.logs.amazonaws.com` service is safe enough.

```
{
   "Sid":"AWSLogDeliveryWrite",
   "Effect":"Allow",
   "Principal":{
      "Service":"delivery.logs.amazonaws.com"
   },
   "Action":"s3:PutObject",
   "Resource":"my-s3-arn",
   "Condition":{
      "StringEquals":{
         "s3:x-amz-acl":"bucket-owner-full-control"
      }
   }
}
```

I know it is not best, but simple! :)

suzuki · Answer

F.Y.I.
In Nov 13 2023 , aws:SourceOrgID and aws:SourceOrgPaths have been released. 
You can restrict specific organization accounts that are able to delivery flow logs to s3 bucket.

https://aws.amazon.com/about-aws/whats-new/2023/11/organization-wide-iam-condition-keys-restrict-aws-service-to-service-requests/?nc1=h_ls
https://aws.amazon.com/jp/blogs/security/use-scalable-controls-for-aws-services-accessing-your-resources/

Michaela · Answer

In Nov 2023 AWS [announced](https://aws.amazon.com/about-aws/whats-new/2023/11/organization-wide-iam-condition-keys-restrict-aws-service-to-service-requests/) `AWS:SourceOrgID` condition that can be used to limit access to an org via service. You can secure your buckets again.

An example policy that works for us:
```
{
    "Version": "2012-10-17",
    "Id": "CrossAccountAccess",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOrgID": "o-xxxx"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOrgID": "o-zzzz"
                }
            }
        }
    ]
}
```

AWS-User-shashank-1729 · Answer

I am creating central S3 bucket to get all VPC flow logs from many accounts within my org.. I using the principal org ID as the condition, however ideally we'd prevent one account overwriting another account's data, how can i make more cahnges to the following policy to be able to follow principle of least privilege ?

S3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Principal:
AWS: '*'
Action:
- s3:ListBucket
- s3:PutObject
- s3:GetBucketAcl
Resource:
- 'arn:aws:s3:::testpolicycfns3vpc'
- 'arn:aws:s3:::testpolicycfns3vpc/*'
Condition:
StringEquals:
aws:PrincipalOrgID: x-xxxxxxx

Refrence links :
https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/

Ankush_s786 · Answer

Use below bucket Policy with aws:ResourceOrgID condition.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name/*”,
                "arn:aws:s3:::bucket_name"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceOrgID": “o-xyzz"
                }
            }
        }
    ]
}
```

AWS-CIA-Robert-C · Answer

Just get rid of the service principal:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::flow-logs-bucket/*"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "o-aaa123bbb456",
                    "s3:x-amz-acl":"bucket-owner-full-control"
                }
            }
        }
    ]
}
```

rePost-User-2832841 · Answer

Hello,

You can use "aws:ResourceOrgID" condition statement with the same and that should be working with your usecase. This lets the service related principals to only do mentioned actions when the resource org equals to the org id of the organization. You can use a condition as this -> "aws:ResourceOrgID": "${aws:PrincipalOrgID}"

Here is the documentation -> https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid

How can I restrict S3 bucket access to allow only VPC Flow logs from within an organization?

S3BucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref S3Bucket PolicyDocument: Version: '2012-10-17' Statement:

Relevant content