You're right - the condition keys are to further secure credentials past just network boundaries and security (like you said, outside of VPCs and network CIDR block conditions).
aws:PrincipalIsAWSService can be used to ensure the call to your resource is being made directly by an AWS service principal. An example commonly given is CloudTrail, where you can limit access to an S3 Bucket so that an AWS Service (CloudTrail) can write logs to a bucket.
aws:ViaAWSService is slightly different and can be used to limit access when an AWS service makes a request to another service on your behalf.
The difference between them is the PrincipalIsAWSService will have a service principal, such as "cloudtrail.amazonaws.com" while the **ViaAWSService** would use an IAM Principal (IAM role or User, but not a service role or service-linked role).
The exact evaluation for aws:PrincipalIsAWSService: "The request context key is set to true when a service uses a service principal to perform a direct action on your resources. The context key is set to false if the service uses the credentials of an IAM principal to make a request on the principal's behalf. It is also set to false if the service uses a service role or service-linked role to make a call on the principal's behalf."
The exact evaluation for aws:ViaAWSService: "The request context key returns true when a service uses the credentials of an IAM principal to make a request on behalf of the principal. The context key returns false if the service uses a service role or service-linked role to make a call on the principal's behalf. The request context key also returns false when the principal makes the call directly."
As for IfExists, if condition keys are only available in some circumstances (not global), and are missing from a request context, the policy can fail without IfExists. IfExists is evaluated as "If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true."
Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
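To make the three evaluation rules quoted above concrete, here is an added toy evaluator (example code written for this thread, not AWS's engine or anything from the original answer) that builds request contexts for the caller types described, classifies them, and evaluates Bool/StringEquals condition blocks with and without IfExists. It models only those operators and the two presence rules the answer quotes; the VPC id `vpc-0example` and the context values are constructed placeholders.

```python
from typing import Optional

def request_context(principal_is_service: bool, via_service: bool,
                    source_vpc: Optional[str] = None) -> dict:
    """Constructed request context; aws:SourceVpc only appears for VPC endpoint calls."""
    context = {"aws:PrincipalIsAWSService": str(principal_is_service).lower(),
               "aws:ViaAWSService": str(via_service).lower()}
    if source_vpc:
        context["aws:SourceVpc"] = source_vpc
    return context

def classify_caller(context: dict) -> str:
    """Name the caller type the way the answer above distinguishes the two keys."""
    if context.get("aws:PrincipalIsAWSService") == "true":
        return "service principal acting directly"  # e.g. CloudTrail delivering logs
    if context.get("aws:ViaAWSService") == "true":
        return "service using an IAM principal's credentials"
    return "IAM principal calling directly"

def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate Bool / StringEquals (optionally ...IfExists) blocks; IAM ANDs them.
    A key absent from the context matches only under ...IfExists; without it the
    condition is false, which is how an Allow fails when a non-global key is missing."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            base, actual = operator.removesuffix("IfExists"), context[key]
            if base == "Bool":
                matched = actual.lower() == str(expected).lower()
            elif base == "StringEquals":
                matched = actual == expected
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not matched:
                return False
    return True

# Constructed Allow conditions; "vpc-0example" is a placeholder, not a real VPC id.
CLOUDTRAIL_DIRECT_WRITE = {"Bool": {"aws:PrincipalIsAWSService": "true"}}
# A service acting for the caller: without IfExists this Allow fails whenever the
# request carries no aws:SourceVpc (the key exists only for VPC endpoint calls).
ON_BEHALF_STRICT = {"Bool": {"aws:ViaAWSService": "true"},
                    "StringEquals": {"aws:SourceVpc": "vpc-0example"}}
ON_BEHALF_IFEXISTS = {"Bool": {"aws:ViaAWSService": "true"},
                      "StringEqualsIfExists": {"aws:SourceVpc": "vpc-0example"}}
CLOUDTRAIL_DIRECT = request_context(True, False)
SERVICE_ON_BEHALF = request_context(False, True)
```

Note that `ON_BEHALF_IFEXISTS` still rejects a direct IAM call (aws:ViaAWSService false), so IfExists only relaxes the network key, not the caller check.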
Thank you. Does this have any correlation back to the <servicename>.amazonaws.com or “AWS Internal” showing in the SourceIPAddress field? I think I probably need both conditions to round out some coverage. Thanks again!