Why is delegation to Account not working when it is specified as a NotPrincipal in a Bucket policy with Deny effect?

吃可爱长大的小学妹 submitted on 2021-01-07 02:35:07

Question


As per AWS documentation,

When you use an AWS account identifier as the principal in a policy, you delegate authority to the account.

This delegation works fine when an AWS account identifier is specified in the Principal element of an Allow statement of a Bucket policy. In this case, it is not required to specify the individual IAM users in the Principal element (of course, there must be an IAM policy that grants the IAM users access to the bucket).

However, this delegation does not appear to work when an AWS account identifier is specified in the NotPrincipal element of a Deny statement - refer to the policy below. In this case, you still need to specify the individual IAM users within the Account to be excluded from the Deny - why is this so?

Let us say I have an Administrator user in an account but the following Bucket Policy denies S3 access even to this Administrator user.

Why is it that the Administrator also needs to be specified in the NotPrincipal element in the policy below? Specifying the ARN for account / root in NotPrincipal should have automatically excluded the Administrator or any IAM user in that account - right? Why is delegation to Account not working here in the case of NotPrincipal?

{
  "Version": "2012-10-17",
  "Id": "Policy1544958708832",
  "Statement": [
    {
      "Sid": "Stmt1544958705029",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::<accountid>:root"
      },
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": ["arn:aws:s3:::<bucket>","arn:aws:s3:::<bucket>/*"]
    }
  ]
}

Update:
In a Bucket Policy, I find it difficult to understand the conflicting behavior with Effect:Allow, Principal: Account ARN and Effect:Deny, NotPrincipal:Account ARN. With Effect:Allow, Principal: Account ARN, the Account has delegation privileges i.e. Account can control using an IAM policy which IAM users can further be granted access. However, Effect:Deny, NotPrincipal:Account ARN does not seem to delegate (the exclusion of Deny) to the Account. Even if the IAM user inside Account has permissions via an IAM policy, it still needs to be specifically added in the NotPrincipal element.

To summarize, Effect:Allow, Principal: Account ARN says

Allow this Account and all its IAM users that are granted access by Account

Applying same logic, Effect:Deny, NotPrincipal:Account ARN should ideally say

Deny everyone except this Account and all its IAM users that are granted access by Account

But this is not the case, Effect:Deny, NotPrincipal:Account ARN does not seem to delegate the exclusion to the IAM users in the Account. They need to be specified explicitly in NotPrincipal element to be excluded.

Effect:Deny, NotPrincipal:Account ARN seems to include only the Account root but not its IAM users (even if the IAM users have access, e.g. Administrator in this case). On the contrary, Effect:Allow, Principal: Account ARN includes both the Account root and its IAM users (that have access via an IAM policy).
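The asymmetry the question describes, modelled as an added Python example (this is not code from the question or from AWS, and it is a deliberate simplification of AWS policy evaluation: no Resource matching, no Condition blocks, no roles or sessions). The account id 111122223333, the user ARNs and the bucket name are constructed sample values. The Allow-side `Principal` matcher treats an account root ARN as delegating to every identity in that account, while the Deny-side `NotPrincipal` matcher excludes only exact ARN matches, which is exactly the behaviour the question observes: the Administrator is denied unless listed alongside the root ARN.

```python
# Added example, not from the question or from AWS.  Toy model of the
# Principal / NotPrincipal asymmetry in S3 bucket policy evaluation.
# All account ids, ARNs and bucket names below are constructed sample values.
import fnmatch

ACCOUNT = "111122223333"                      # constructed account id
BUCKET_ACCOUNT = ACCOUNT                      # the bucket lives in this account
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/Administrator"
OUTSIDER = "arn:aws:iam::999999999999:user/Outsider"   # identity in another account
BUCKET_RES = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]


def deny_policy(not_principals):
    """Build the Deny / NotPrincipal bucket policy from the question."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny",
        "NotPrincipal": {"AWS": not_principals},
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": BUCKET_RES}]}


DENY_ROOT_ONLY = deny_policy([ROOT])               # the policy in the question
DENY_ROOT_AND_ADMIN = deny_policy([ROOT, ADMIN])   # root AND the user listed explicitly
ALLOW_ROOT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ROOT},                    # delegation to the account
    "Action": ["s3:Get*", "s3:List*"],
    "Resource": BUCKET_RES}]}


def as_list(x):
    return x if isinstance(x, list) else [x]


def account_of(arn):
    return arn.split(":")[4]


def is_root(arn):
    return arn.endswith(":root")


def principal_covers(listed, caller):
    """Allow-side Principal: an account root ARN delegates to every identity
    in that account (the identity still needs an IAM grant; see evaluate)."""
    return listed == caller or (is_root(listed) and account_of(listed) == account_of(caller))


def notprincipal_excludes(listed, caller):
    """Deny-side NotPrincipal: only an exact ARN match is excluded from the
    Deny; an account root ARN does not expand to the account's IAM users."""
    return listed == caller


def statement_applies(stmt, caller, action):
    if not any(fnmatch.fnmatchcase(action, p) for p in as_list(stmt["Action"])):
        return False
    if "Principal" in stmt:
        return any(principal_covers(p, caller) for p in as_list(stmt["Principal"]["AWS"]))
    return not any(notprincipal_excludes(p, caller) for p in as_list(stmt["NotPrincipal"]["AWS"]))


def evaluate(policy, caller, action, iam_allows):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.
    iam_allows says whether the caller's own IAM policy grants the action;
    the account root needs no IAM grant."""
    if is_root(caller):
        iam_allows = True
    # Same-account identities can be granted by their IAM policy alone.
    allowed = iam_allows and account_of(caller) == BUCKET_ACCOUNT
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, caller, action):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"              # an applicable Deny always wins
        direct = "Principal" in stmt and caller in as_list(stmt["Principal"]["AWS"])
        allowed = allowed or direct or iam_allows   # delegated grant needs the IAM side too
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for name, policy in [("deny, NotPrincipal root only", DENY_ROOT_ONLY),
                         ("deny, NotPrincipal root + admin", DENY_ROOT_AND_ADMIN),
                         ("allow, Principal root", ALLOW_ROOT)]:
        for who in (ROOT, ADMIN, OUTSIDER):
            print(f"{name:34s} {who.split(':')[-1]:18s} "
                  f"{evaluate(policy, who, 's3:GetObject', iam_allows=True)}")
```

Run the block to see the three policies side by side: with the question's policy the Administrator gets ExplicitDeny even though the account root does not, listing the user ARN next to the root ARN in NotPrincipal lifts the Deny, and the Allow-side Principal root delegates to the Administrator as long as the IAM policy grants the action.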

Source: https://stackoverflow.com/questions/65042607/why-is-delegation-to-account-not-working-when-it-is-specified-as-a-notprincipal
