How to provide multiple StringNotEquals conditions in an AWS policy?

I am trying to write an AWS S3 bucket policy that denies all traffic unless it comes from two VPCs. The policy I'm trying to write looks like the one below, with a logical AND between the two StringNotEquals conditions (except that this is not a valid policy):

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Allow-access-only-from-two-VPCs",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbccc"
         },
         "StringNotEquals": {
           "aws:sourceVpc": "vpc-111bbddd"
         }
       },
       "Principal": "*"
     }
   ]
}

If I use this:

"StringNotEquals": {
       "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
     }

then at least one of the string comparisons returns true, and the S3 bucket is not available anywhere.

+4
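The reason the first policy above cannot express an AND is that JSON objects cannot carry two "StringNotEquals" keys: any parser keeps only the last one, so the first VPC silently drops out of the Condition. The following added example (not part of the question or answers) hooks Python's JSON parser to flag such duplicate keys and then evaluates the collapsed Deny policy, and the Allow/StringEquals variant, for each source VPC; the policy texts are constructed from the ones on this page and reduced to the Statement fields the check needs.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed from the question's first policy: two "StringNotEquals" keys in one
# Condition block (only the Statement fields needed for the check are kept).
QUESTION_POLICY = """{
  "Statement": [{
    "Sid": "Allow-access-only-from-two-VPCs", "Effect": "Deny",
    "Condition": {
      "StringNotEquals": {"aws:sourceVpc": "vpc-111bbccc"},
      "StringNotEquals": {"aws:sourceVpc": "vpc-111bbddd"}
    }
  }]
}"""

# Constructed from the Allow variant: one operator with a list, which IAM evaluates as OR.
ANSWER_POLICY = """{
  "Statement": [{
    "Sid": "Allow-access-only-from-two-VPCs", "Effect": "Allow",
    "Condition": {"StringEquals": {"aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]}}
  }]
}"""

def find_duplicate_keys(text: str) -> List[str]:
    """Names of keys that occur more than once within a single JSON object.
    json.loads keeps only the last duplicate, so the parser has to be hooked."""
    dupes: List[str] = []
    def hook(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)  # last value wins, exactly as plain json.loads does
    json.loads(text, object_pairs_hook=hook)
    return dupes

def condition_matches(cond: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """StringEquals / StringNotEquals on a single-valued context key: a list of policy
    values is OR for StringEquals and 'matches none of them' for StringNotEquals."""
    for op, keys in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled here: {op}")
        for key, wanted in keys.items():
            values = wanted if isinstance(wanted, list) else [wanted]
            hit = ctx.get(key) in values
            if (op == "StringEquals" and not hit) or (op == "StringNotEquals" and hit):
                return False
    return True

def effective_decision(text: str, source_vpc: str) -> str:
    """Decision of the single statement as a JSON parser actually sees it (duplicates collapsed)."""
    stmt = json.loads(text)["Statement"][0]
    applies = condition_matches(stmt.get("Condition", {}), {"aws:sourceVpc": source_vpc})
    return stmt["Effect"] if applies else "NoMatch"
```

For the question's policy, find_duplicate_keys reports "StringNotEquals" and effective_decision shows that vpc-111bbccc is denied while only vpc-111bbddd escapes the Deny, which matches the symptom of the bucket becoming unreachable from a VPC that is written in the policy.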
2 answers

I've never tried this before, but the following should work. From: Using IAM Fine-Grained Access Control Terms

    "Condition": {
        "ForAllValues:StringNotEquals": {
            "aws:sourceVpc": [
                "vpc-111bbccc",
                "vpc-111bbddd"
            ]
        }
    }
+2

JSON:

"Condition": {
    "StringNotEquals": {
        "aws:sourceVpc": "vpc-111bbccc"
    },
    "StringNotEquals": {
        "aws:sourceVpc": "vpc-111bbddd"
    }
}

StringNotEquals.

.

Allow, Deny

: Allow Deny, StringEquals . OR.

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Allow-access-only-from-two-VPCs",
       "Action": "s3:*",
       "Effect": "Allow",
       "Resource": ["arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"],
       "Condition": {
         "StringEquals": {
           "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
         }
       },
       "Principal": "*"
     }
   ]
}

set

IAM ForAnyValues ForAllValues, Condition.

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Deny-access-except-from-two-VPCs",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"],
       "Condition": {
         "ForAllValues:StringNotEquals": {
           "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
         }
       },
       "Principal": "*"
     }
   ]
}

StringNotEquals StringNotEqualsIgnoreCase

, , VPC .

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Deny-access-except-from-two-VPCs",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:sourceVpc": ["vpc-111bbccc"]
         },
         "StringNotEqualsIgnoreCase": {
           "aws:sourceVpc": ["vpc-111ddeee"]
         }
       },
       "Principal": "*"
     }
   ]
}
+1

Source: https://habr.com/ru/post/1685113/
