Question
I am trying to write an AWS S3 bucket policy that denies all traffic except when it comes from two VPCs. The policy I'm trying to write looks like the one below, with a logical AND between the two StringNotEquals (except it's an invalid policy):
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Allow-access-only-from-two-VPCs",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my-bucket",
                   "arn:aws:s3:::my-bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbccc"
        },
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbddd"
        }
      },
      "Principal": "*"
    }
  ]
}
If I use this:
"StringNotEquals": {
  "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
}
then at least one of the string comparisons returns true and the S3 bucket is not accessible from anywhere.
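The root defect in the question is the duplicated "StringNotEquals" key inside one Condition object. A JSON object cannot carry the same key twice, and most parsers do not reject it: they keep the last value and drop the first without any error. The check below is an added example, not code from the question or from AWS; it uses Python's object_pairs_hook to surface the duplicate before a policy like this reaches a deployment pipeline, and shows what a lenient json.loads would have kept (only the second VPC, which is a much narrower policy than the author intended). The sample policy string is constructed from the question's own JSON.

```python
import json

# Constructed sample, copied from the question: the same "StringNotEquals" key
# appears twice inside one Condition object, which is not valid policy JSON.
DUPLICATE_KEY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow-access-only-from-two-VPCs",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    "Condition": {
      "StringNotEquals": {"aws:sourceVpc": "vpc-111bbccc"},
      "StringNotEquals": {"aws:sourceVpc": "vpc-111bbddd"}
    },
    "Principal": "*"
  }]
}"""


def find_duplicate_keys(policy_text: str) -> list[str]:
    """Return every object key that occurs more than once within one JSON object.

    json.loads() cannot report this on its own: its default behaviour is
    "last key wins", so the earlier duplicate is dropped silently.
    object_pairs_hook sees the raw (key, value) pairs of each object before
    that happens, so the duplicate can be recorded here.
    """
    duplicates: list[str] = []

    def hook(pairs: list[tuple[str, object]]) -> dict:
        seen: set[str] = set()
        for key, _ in pairs:
            if key in seen:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)  # the same last-wins dict json.loads would have built

    json.loads(policy_text, object_pairs_hook=hook)
    return duplicates


def condition_as_parsed_by_json(policy_text: str) -> dict:
    """Show what a lenient parser keeps from the first statement's Condition:
    only the LAST duplicate survives, so the policy silently names one VPC."""
    return json.loads(policy_text)["Statement"][0]["Condition"]


def load_policy_strict(policy_text: str) -> dict:
    """Parse a policy document, refusing any document that has duplicated keys."""
    dups = find_duplicate_keys(policy_text)
    if dups:
        raise ValueError(f"duplicate keys in policy JSON: {sorted(set(dups))}")
    return json.loads(policy_text)


if __name__ == "__main__":
    print("duplicate keys found:", find_duplicate_keys(DUPLICATE_KEY_POLICY))
    print("what json.loads keeps:", condition_as_parsed_by_json(DUPLICATE_KEY_POLICY))
```

Run it as a pre-deploy lint step: a policy that fails load_policy_strict never gets the chance to be interpreted as "deny everything except vpc-111bbddd" by a tool that happened to accept the duplicate.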
Answer 1:
Never tried this before. But the following should work. From: Using IAM Policy Conditions for Fine-Grained Access Control
"Condition": {
  "ForAllValues:StringNotEquals": {
    "aws:sourceVpc": [
      "vpc-111bbccc",
      "vpc-111bbddd"
    ]
  },
Answer 2:
The problem with your original JSON:
"Condition": {
  "StringNotEquals": {
    "aws:sourceVpc": "vpc-111bbccc"
  },
  "StringNotEquals": {
    "aws:sourceVpc": "vpc-111bbddd"
  }
}
You can't have duplicate keys named StringNotEquals.
But there are a few ways to solve your problem.
Flip the conditional and specify Allow rather than Deny permissions
Self-explanatory: Use an Allow permission instead of Deny and then use StringEquals with an array. All the values will be taken as an OR condition.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Allow-access-only-from-two-VPCs",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-bucket",
                   "arn:aws:s3:::my-bucket/*"],
      "Condition": {
        "StringEquals": {
          "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
        }
      },
      "Principal": "*"
    }
  ]
}
Use a set operator
IAM policies allow the use of ForAnyValues and ForAllValues, which lets you test multiple values inside a Condition.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Deny-access-except-from-two-VPCs",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my-bucket",
                   "arn:aws:s3:::my-bucket/*"],
      "Condition": {
        "ForAllValues:StringNotEquals": {
          "aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]
        }
      },
      "Principal": "*"
    }
  ]
}
Use a hack combination of StringNotEquals and StringNotEqualsIgnoreCase
I'm fairly certain this works, but it will only limit you to 2 VPCs in your conditionals.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Deny-access-except-from-two-VPCs",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my-bucket",
                   "arn:aws:s3:::my-bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": ["vpc-111bbccc"]
        },
        "StringNotEqualsIgnoreCase": {
          "aws:sourceVpc": ["vpc-111ddeee"]
        }
      },
      "Principal": "*"
    }
  ]
}
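To see how the first solution in the answer above (Allow with a StringEquals array) and the Deny form with a plain StringNotEquals array (the question's second attempt) actually behave, here is a small, added evaluator that is not part of the answer and not AWS code. It models only the documented behaviour of StringEquals and StringNotEquals on a single-valued context key: several values under one key are OR'd, every operator and key inside Condition is AND'd, a missing key makes StringEquals false and a negated operator true, and an explicit Deny beats any Allow with implicit deny as the default. The ForAllValues set operator is deliberately not modelled. Both policy dicts are constructed from the answer's JSON, and resource matching is left out because both samples cover the whole bucket.

```python
from fnmatch import fnmatchcase

# Constructed sample: the Allow/StringEquals policy from the answer above.
ALLOW_FROM_TWO_VPCS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow-access-only-from-two-VPCs",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
        "Condition": {"StringEquals": {"aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]}},
    }],
}

# Constructed sample: the same restriction as a Deny with a value list under one key.
DENY_EXCEPT_TWO_VPCS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Deny-access-except-from-two-VPCs",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpc": ["vpc-111bbccc", "vpc-111bbddd"]}},
    }],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def operator_matches(operator: str, wanted, actual) -> bool:
    """Evaluate one condition operator against a single-valued context key.

    Models the documented semantics: several values under one key are OR'd,
    and a negated operator is true when the key is absent from the request
    context, which is what makes a Deny-based VPC restriction also block
    requests that did not arrive through any VPC (console, public internet).
    """
    wanted = _as_list(wanted)
    if operator == "StringEquals":
        return actual is not None and actual in wanted
    if operator == "StringNotEquals":
        return actual is None or actual not in wanted
    raise ValueError(f"operator not modelled in this example: {operator}")


def condition_matches(condition: dict, context: dict) -> bool:
    """Every operator and every key inside Condition must match (logical AND)."""
    return all(
        operator_matches(operator, wanted, context.get(key))
        for operator, keys in condition.items()
        for key, wanted in keys.items()
    )


def evaluate(policy: dict, context: dict, action: str = "s3:GetObject") -> str:
    """Simplified IAM decision for one action: an explicit Deny wins over any
    Allow, and with no matching statement the result is the implicit deny."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(statement["Action"])):
            continue
        if not condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request contexts: the two permitted VPCs, a third VPC, and
    # a request that did not come through a VPC at all (no aws:sourceVpc key).
    contexts = {
        "from vpc-111bbccc": {"aws:sourceVpc": "vpc-111bbccc"},
        "from vpc-111bbddd": {"aws:sourceVpc": "vpc-111bbddd"},
        "from vpc-999other": {"aws:sourceVpc": "vpc-999other"},
        "no VPC in context": {},
    }
    for name, ctx in contexts.items():
        print(f"{name:18}  Allow form: {evaluate(ALLOW_FROM_TWO_VPCS, ctx):12}"
              f"  Deny form: {evaluate(DENY_EXCEPT_TWO_VPCS, ctx)}")
```

The two forms differ in what they can guarantee. The Deny policy returns ImplicitDeny even for the permitted VPCs because it grants nothing itself; some Allow (an IAM policy in the same account, or a further bucket-policy statement) has to supply the access, and the Deny then acts as a guard-rail that no IAM Allow can override. The Allow-only bucket policy adds access from the two VPCs but does not remove anything: a principal whose own IAM policy already allows s3:* on the bucket keeps that access from anywhere. When the requirement is "never reachable from outside these VPCs", the Deny form is the one that enforces it.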
Source: https://stackoverflow.com/questions/46062084/how-to-provide-multiple-stringnotequals-conditions-in-aws-policy