使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

How to perform logical OR with condition for an action in a IAM policy

0

So I can't seem to find this but what I want to do is create a condition on an action in a policy based on tags.

Either the tag aws:RequestTag/owner OR the tag aws:ResourceTag/owner MUST be present AND be equal to "${aws:PrincipalTag/owner}" :

{
    "Sid": "AllowUnlessOwnedBySomeoneElse",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    "Condition": {
        "StringEquals": {
            'aws:RequestTag/owner': "${aws:PrincipalTag/owner}",
            'aws:ResourceTag/owner': "${aws:PrincipalTag/owner}"
        }
    }
}

The problem is that as it is current written above, this says that both the aws:RequestTag/owner AND the tag aws:ResourceTag/owner tags would be present which cant be true.

I need is so that at least one of those two tags is present and that they be equal to ${aws:PrincipalTag/owner} .

How do I accomplish this?

  • Kallu 專家
    2 年前

    As this snippet looks somewhat familiar :-) I should comment why there is AND, not OR. Condition is to state your API request must have the same owner=value as the resource does. Original version had StringEqualsIfExists to allow those cases where owner -tag isn't present or doesn't make sense. I'm not sure what would be the use-case for OR, as your requestTag comparision will always be true if you have tagged the IAM user or role you are using?

主題
安全性、身分識別與合規
標籤
安全性、身分識別與合規AWS Identity and Access Management
語言
English
chrisjd20
已提問 2 年前檢視次數 12074 次
2 個答案
3
已接受的答案

One way to approach this problem could be as follows :

{
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": { "StringEquals":  'aws:RequestTag/owner': "${aws:PrincipalTag/owner}" }
     },
     {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": { "StringEquals":  'aws:ResourceTag/owner': "${aws:PrincipalTag/owner}" }
     }
     ]
}

You can have multiple "Allow" constructs in a single IAM statement. Either of these could allow the action.

Dennis_A
已回答 2 年前
  • chrisjd20
    2 年前

    Oh duh lol Why didnt I think of this.

1

Create two separate statements:

{
    "Sid": "AllowUnlessOwnedBySomeoneElse",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/owner": "${aws:PrincipalTag/owner}",
        }
    }
},
{
    "Sid": "AllowUnlessOwnedBySomeoneElse2",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}"
        }
    }
}

Make sure you also have a look at the page that details which services do and don't support ABAC as well.

AWS
Matt
已回答 2 年前
profile picture
專家
Kallu
已審閱 2 個月前
  • chrisjd20
    2 年前

    THanks, I should have thought of this.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容