IAM & Cross-account write to S3 bucket: Allow service principal based on organisation ID

Time:12-11

I have many AWS accounts. I enabled VPC flow logs to all of them, and I want to ship those logs to a central S3 bucket in my Log Archive Accounts.

An IAM policy that works is the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {"Service": "delivery.logs.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central_log_archive_bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "<account_id-1>",
            "<account_id-2>",
            "<account_id-3>",
            ...
            "<account_id-N>"
          ]
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:logs:*:<account_id-1>:*",
            "arn:aws:logs:*:<account_id-2>:*",
            "arn:aws:logs:*:<account_id-3>:*",
            ...
            "arn:aws:logs:*:<account_id-N>:*"
          ]
        }
      }
    }
  ]
}

I want to simplify this. Instead of adding all account IDs like shown above, I want to allow ANY VPC service that belongs to an AWS account under my organization to publish logs to the S3 bucket. In short, I want to do something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {"Service": "delivery.logs.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central_log_archive_bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "ID"
        }
      }
    }
  ]
}

But I am seeing the following error message:

Unsupported Condition Key for Service Principal

Any idea how to make this work?

CodePudding user response:

As mentioned here: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html

You can't use some condition keys with certain service principals. For example, you can't use the aws:PrincipalOrgID condition key with the service principal cloudfront.amazonaws.com or other services like logs. You should remove condition keys that do not apply to the service principal in the Principal element.

You can automate it, for example with a Lambda on each account creation, to change the bucket policy...
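One way to do the automation the answer suggests, as an added example that is not part of the original post: a pure function builds the AWSLogDeliveryWrite statement from an explicit account list (aws:SourceAccount and aws:SourceArn as arrays, since aws:PrincipalOrgID is rejected for service principals), and a hypothetical Lambda handler refreshes the bucket policy from Organizations on each run. The handler, the event key `bucket` and the IAM permissions named in its docstring are assumptions.

```python
"""Rebuild the central log-archive bucket policy from the organization's member accounts."""
import json
from typing import Dict, List

LOG_DELIVERY = "delivery.logs.amazonaws.com"


def build_log_delivery_statement(bucket: str, account_ids: List[str]) -> Dict:
    """Statement letting the log-delivery service principal write objects, scoped
    to the listed source accounts (de-duplicated and sorted for stable diffs)."""
    ids = sorted(set(account_ids))
    return {
        "Sid": "AWSLogDeliveryWrite",
        "Effect": "Allow",
        "Principal": {"Service": LOG_DELIVERY},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",  # PutObject needs an object ARN
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ids},
            "ArnLike": {"aws:SourceArn": [f"arn:aws:logs:*:{i}:*" for i in ids]},
        },
    }


def merge_statement(policy: Dict, statement: Dict) -> Dict:
    """Replace the statement with the same Sid (or append it), leaving every
    other statement in the existing bucket policy untouched."""
    others = [s for s in policy.get("Statement", []) if s.get("Sid") != statement["Sid"]]
    return {"Version": "2012-10-17", "Statement": others + [statement]}


def lambda_handler(event, context):
    """Hypothetical handler: needs organizations:ListAccounts in the management
    (or delegated) account and s3:GetBucketPolicy/s3:PutBucketPolicy on the bucket."""
    import boto3  # imported here so the pure functions above stay importable offline
    from botocore.exceptions import ClientError

    bucket = event["bucket"]
    org = boto3.client("organizations")
    ids = [a["Id"] for page in org.get_paginator("list_accounts").paginate()
           for a in page["Accounts"] if a["Status"] == "ACTIVE"]
    s3 = boto3.client("s3")
    try:
        current = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        current = {}
    new_policy = merge_statement(current, build_log_delivery_statement(bucket, ids))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(new_policy))
    return {"accounts": len(ids)}
```

Run it on a schedule or from an account-creation event so newly added accounts are picked up; accounts that leave the organization drop out of the allow list on the next run.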
