AWS trusted entity with multiple principal types and condition

0

I have Terraform code that generates a trusted entity like this, which is attached to a role for cross-account access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::444555666:root",
                "Service": "backup.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "444-555-666-777-888"
                }
            }
        }
    ]
}

If I intend to allow the AWS account with an externalId to assume the role, and I also want the AWS Backup service to assume the role, is the generated resource policy correct? I don't know if the policy engine will pick up the condition and try to apply it to the account and also to the service, which is not desired.

Does anybody know if this is correct? Are these kinds of more complex rules documented by AWS? I have only found info about simpler rules.

I guess a way to ensure the correctness would be to separate both needs into different statements, but this is what the Terraform generates out of the provided HCL.

Thanks

asked 2 years ago · 1932 views
4 Answers
0

I believe that the trust policy that you want is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::444555666777:root",
                "Service": "backup.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": [ 
                        "111222333444", 
                        "444555666777" 
                    ]
                }
            }
        }
    ]
}

where "111222333444" is the account hosting the role, assuming that you want AWS Backup to run in the same account as the role. If not, reduce the list to the single remote account, "444555666777", in the aws:PrincipalAccount condition statement. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalaccount for more information about aws:PrincipalAccount.

AWS
answered 2 years ago
0

Hi, thanks for the answer.

Indeed, the vendor of the solution proposes the following policy to enable the backups:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "backup.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

So this should work without specifying the same account ID.

Then, I already had the following policy working before:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::444555666:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "444-555-666-777-888"
                }
            }
        }
    ]
}

The policy in the first post is the combination of the two policies that Terraform generates. However, I'm not sure whether Terraform should have separated both policies into two statements or whether it's correct as is. Notice that in your proposal and in what I have written (Terraform), the policy engine has to figure out that the "Service": "backup.amazonaws.com" line only applies to our own account and not to the external account ("AWS": "arn:aws:iam::444555666:root"). The AWS documentation doesn't specify whether there's a one-to-one array matching, an OR condition, etc. to determine what happens in this situation, so I'm wondering if someone knows whether the split into different statements is needed and how IAM reads the statement in case everything is put together into one statement.

answered 2 years ago
0

If I understand you correctly this time, then yes, you can have a statement list. Also, use the aws:SourceAccount condition to restrict AWS Backup to your local account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAWSBackupFromLocalAccount",
            "Effect": "Allow",
            "Principal": {
                "Service": "backup.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [ 
                        "111222333444"
                    ]
                }
            }
        },
        {
            "Sid": "AllowPrincipalsFromRemoteAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::444555666777:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

AWS
answered 2 years ago
0

Hi, I'd need to include the "sts:ExternalId": "444-555-666-777-888" for the cross-account principal. However, the key point for me is whether I can combine both statements into one as Terraform is generating. I don't know if the condition then applies to both principals, or if the AWS IAM engine is smart enough to detect that the ("sts:ExternalId": "444-555-666-777-888") condition only applies to the cross-account principal (and not to the service principal).

answered 2 years ago
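A compact simulation of the rule the thread keeps circling (an added example, not code from any poster): in IAM a Condition block belongs to its whole Statement and is evaluated for every Principal that statement names, so a service principal, which never sends sts:ExternalId, cannot satisfy the combined statement and AWS Backup's AssumeRole is denied; splitting into two statements fixes it. The evaluator and request contexts are a simplified, constructed model; the account IDs and ExternalId are the thread's values.

```python
"""Simplified model of IAM trust-policy evaluation (added example, not from the
thread). It models the one rule the question turns on: a Condition belongs to its
whole Statement, so it is checked against every Principal in that statement."""

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def principal_matches(principal, ctx):
    """Does the statement's Principal cover the caller described by ctx?"""
    if ctx["type"] == "AWS":
        # arn:aws:iam::<account>:root covers any IAM principal of that account
        return any(a.split(":")[4] == ctx["account"]
                   for a in _as_list(principal.get("AWS")))
    return ctx["service"] in _as_list(principal.get("Service"))

def conditions_match(condition, ctx):
    """StringEquals: the key must be present in the request and equal a listed value.
    A key the caller never sends (no sts:ExternalId from a service) makes it false."""
    for key, wanted in condition.get("StringEquals", {}).items():
        if ctx.get("keys", {}).get(key) not in _as_list(wanted):
            return False
    return True

def is_allowed(policy, ctx):
    """Allow iff some Allow statement matches principal, action and all conditions."""
    return any(st["Effect"] == "Allow"
               and "sts:AssumeRole" in _as_list(st["Action"])
               and principal_matches(st["Principal"], ctx)
               and conditions_match(st.get("Condition", {}), ctx)
               for st in policy["Statement"])

EXT_ID = {"StringEquals": {"sts:ExternalId": "444-555-666-777-888"}}
REMOTE = "arn:aws:iam::444555666777:root"
# The single statement Terraform generated: both principals share one Condition.
COMBINED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Condition": EXT_ID,
     "Principal": {"AWS": REMOTE, "Service": "backup.amazonaws.com"}}]}
# Split form: the ExternalId condition only constrains the remote account.
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "backup.amazonaws.com"}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Condition": EXT_ID,
     "Principal": {"AWS": REMOTE}}]}

# Constructed AssumeRole request contexts (who is calling, what keys they send).
BACKUP = {"type": "Service", "service": "backup.amazonaws.com"}
REMOTE_WITH_ID = {"type": "AWS", "account": "444555666777",
                  "keys": {"sts:ExternalId": "444-555-666-777-888"}}
REMOTE_NO_ID = {"type": "AWS", "account": "444555666777"}
```

Running `is_allowed` over both policies shows the practical difference: the combined statement lets the remote account in (with the ExternalId) but denies AWS Backup, while the split policy allows both and still rejects a remote call that omits the ExternalId.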
