How to protect AWS tagged resources via SCP?

Time:11-09

I have a sensitive number of assets (Lambda, S3 Bucket, IAM...) I'd like to protect in case someone tries to erase a Bucket Policy, delete a Function or do any harm to these resources. All of them are tagged as <<MY_KEY>>:<<MY_VALUE>>. The thing is that I'd like to do it at the Organization level since I have more than one AWS Account. I'm using this policy in an SCP.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyActionsOnTaggedResources",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:DeleteBucketPolicy",
        "s3:PutAccessPointPolicyForObjectLambda",
        "s3:PutBucketPublicAccessBlock",
        "s3:DeleteAccessPointPolicyForObjectLambda",
        "s3:PutMultiRegionAccessPointPolicy",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:DeleteAccessPointPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutAccessPointPolicy",
        "s3:BypassGovernanceRetention",
        "lambda:DeleteFunction",
        "lambda:DeleteCodeSigningConfig",
        "lambda:DeleteFunctionCodeSigningConfig",
        "lambda:AddLayerVersionPermission",
        "lambda:RemoveLayerVersionPermission",
        "lambda:EnableReplication",
        "lambda:AddPermission",
        "lambda:DisableReplication",
        "lambda:DeleteLayerVersion",
        "lambda:DeleteFunctionEventInvokeConfig",
        "lambda:PublishVersion",
        "lambda:CreateAlias",
        "lambda:RemovePermission",
        "iam:DeleteRole",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteUserPolicy",
        "iam:DeleteGroupPolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePermissionsBoundary",
        "iam:CreatePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/<<MY_KEY>>": "<<MY_VALUE>>"
        },
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/<<MY_ROLE>>"
          ]
        }
      }
    }
  ]
}

For the sake of testing, whenever I put a role that is not my role, I am still able to modify the resources. Where is my mistake?

CodePudding user response:

Can you modify this StringNotEquals to StringNotLike and try that? As you are using a wildcard (*) in the Condition, StringNotEquals won't work. The rest of the policy looks sound.

String condition operators

I also recommend using the Access Analyzer to validate policies. This will catch similar errors when building policies. See Access Analyzer.

CodePudding user response:

People, Thanks for all the replies.

It turns out that @John Rotenstein is right. S3 API calls do not support ResourceTag as a condition.

Since this was an urgent demand at work, I ended up opening a Support Case at AWS and they replied this:

I understand you are trying to restrict actions on an S3 bucket using the ResourceTag condition key.

Unfortunately, you cannot currently use the AWS:ResourceTag condition key to control access to the S3 bucket; please refer to the following documentation[1]. In the documentation, you can see that the only resource type that currently supports the aws:ResourceTag condition key is "storagelensconfiguration". There is an existing feature request with the S3 service team to add support for the AWS:ResourceTag condition key, which I have +1'd on your behalf. I am unable to provide an ETA for when the feature might get released since I have no visibility over the processes of the service team. However, all new feature announcements will be made available on our What's New with AWS page[2].

When it comes to controlling access to S3 with the use of tags, we do have the examples in the following AWS Documentation[3], which use the tags applied to specific objects to control access. They make use of the condition keys s3:ExistingObjectTag/<tag-key>, s3:RequestObjectTagKeys and s3:RequestObjectTag/<tag-key> to control access to certain S3 actions; however, this requires the individual objects to be tagged, and it will not work with tags at the bucket level. I would suggest reading through the above linked documentation[3] and seeing if the solution described in it will meet your organization's needs.

I hope you find the above information helpful, please let me know if you have any additional questions.

[1] Actions, resources, and condition keys for Amazon S3 - https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html
[2] What's New with AWS? - https://aws.amazon.com/new/
[3] Tagging and access control policies - https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html
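A small condition evaluator, added here as an illustration and not code from the thread, that reproduces IAM's String* operator semantics (wildcards only in the Like operators, and the missing-key rule) and checks the question's condition block against constructed request contexts. It shows why StringNotEquals with a wildcarded ARN denies even the exempt role, why StringNotLike fixes that, and why an S3 bucket call with no aws:ResourceTag key in its context is never denied. The account id, role names and tag values are constructed placeholders.

```python
import fnmatch

# Constructed placeholders, not values from any real account.
PROTECTED_ROLE_PATTERN = "arn:aws:iam::*:role/<<MY_ROLE>>"
TAG_KEY = "aws:ResourceTag/<<MY_KEY>>"

# The condition block as posted in the question, and the StringNotLike fix.
ORIGINAL_CONDITION = {
    "StringEquals": {TAG_KEY: "<<MY_VALUE>>"},
    "StringNotEquals": {"aws:PrincipalArn": [PROTECTED_ROLE_PATTERN]},
}
FIXED_CONDITION = {
    "StringEquals": {TAG_KEY: "<<MY_VALUE>>"},
    "StringNotLike": {"aws:PrincipalArn": [PROTECTED_ROLE_PATTERN]},
}

# Constructed request contexts. A Lambda call on a tagged function carries the
# resource tag; a bucket-level S3 call does not, as the support reply explains.
LAMBDA_CALL_BY_ADMIN = {TAG_KEY: "<<MY_VALUE>>",
                        "aws:PrincipalArn": "arn:aws:iam::123456789012:role/<<MY_ROLE>>"}
LAMBDA_CALL_BY_DEV = {TAG_KEY: "<<MY_VALUE>>",
                      "aws:PrincipalArn": "arn:aws:iam::123456789012:role/Developer"}
S3_BUCKET_CALL_BY_DEV = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/Developer"}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' and '?' wildcards, case-sensitive, no [..] classes."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


OPERATORS = {
    "StringEquals": lambda pat, val: pat == val,      # literal compare, '*' is not special
    "StringNotEquals": lambda pat, val: pat != val,
    "StringLike": string_like,
    "StringNotLike": lambda pat, val: not string_like(pat, val),
}


def condition_matches(condition: dict, context: dict) -> bool:
    """All operator blocks must hold; each key must match one of its values.
    A key absent from the request fails a positive operator and satisfies a
    negated one, which is the IAM rule behind both answers in the thread."""
    for op, keys in condition.items():
        negated = op.startswith("StringNot")
        for key, values in keys.items():
            values = values if isinstance(values, list) else [values]
            if key not in context:
                if not negated:
                    return False
                continue
            if not any(OPERATORS[op](p, context[key]) for p in values):
                return False
    return True
```

The Deny statement in the question takes effect exactly when condition_matches returns True for the request, so the Developer role on a tagged Lambda function is denied under the fixed condition, while the same role on a bucket-level S3 call is not.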