
This is my first time working with AWS SCPs. Hello everyone!

I am designing an AWS test SCP policy and I am curious to understand why this doesn’t work. The goal is to deny all network modifications except for this ARN: arn:aws:sts::1111111:assumed-role/myawsrole/[email protected]. I am currently testing this SCP to only evaluate this one ARN for now. But I am still getting an implicit deny error message when arn:aws:sts::1111111:assumed-role/myawsrole/[email protected] tries to create a VPC or perform any other action listed in the SCP. I checked the CloudTrail logs and the ARN I am using in the ArnNotLike operator should work. Any guidance would be helpful!

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyCompanyNetworkPolicy",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:CreateTransitGateway",
                "ec2:CreateTransitGatewayPeeringAttachment",
                "ec2:CreateTransitGatewayRoute",
                "ec2:CreateTransitGatewayRouteTable",
                "ec2:CreateTransitGatewayVpcAttachment",
                "ec2:CreateVpc",
                "ec2:CreateVpcPeeringConnection",
                "ec2:CreateVpnConnection",
                "ec2:CreateVpnConnectionRoute",
                "ec2:CreateVpnGateway",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSubnet",
                "ec2:DeleteTransitGateway",
                "ec2:DeleteTransitGatewayRoute",
                "ec2:DeleteTransitGatewayRouteTable",
                "ec2:DeleteVpc",
                "ec2:ModifyTransitGateway",
                "ec2:ModifyTransitGatewayVpcAttachment",
                "ec2:ModifyVpcPeeringConnectionOptions",
                "ec2:ModifyVpcTenancy",
                "ec2:ModifyVpnConnection",
                "ec2:RejectTransitGatewayPeeringAttachment",
                "ec2:RejectTransitGatewayVpcAttachment"
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:sts::1111111:assumed-role/myawsrole/[email protected]"
                    ]
                }
            }
        }
    ]
}

I tried changing the global operator from ArnNotLike to StringNotLike. I read the documentation and it seems like I am doing it correctly unless I have an oversight in my policy. I expected the ARN arn:aws:sts::1111111:assumed-role/myawsrole/[email protected], which is a user logged into the AWS account, to create the VPC in that AWS account.

2 Answers


  1. Take a look at Actions, resources, and condition keys for Amazon EC2 – Service Authorization Reference.

    It provides a list of all EC2-related API calls and the Conditions that they accept:

    The Condition keys column of the Actions table includes keys that you can specify in a policy statement’s Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

    Some API calls take very few Conditions. For example, CreateTransitGateway only allows Conditions for Tags and Region.

    It is not possible to write a policy that restricts an API call by a Condition that it does not use. Most of the API calls you list do not accept ARNs.

    Instead, you can use ARNs when specifying Resources:

    The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources (*) to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action.

    Therefore, you might have better luck specifying a NotResource.

  2. Your condition is close but not quite there.

    The format for getting an arn from an SSO permission set is as follows:

    "AWSReservedSSO_permission-set-name_unique-suffix" becomes "arn:aws:iam::account-id:role/aws-reserved/sso.amazonaws.com/region/AWSReservedSSO_permission-set-name_unique-suffix"

    So the condition to exclude a role arn from a SCP policy will look something like this:

    "Condition": {
      "ArnNotLike": {
        "aws:PrincipalARN": [
          "arn:aws:iam::<account-id>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess*"
        ]
      }
    }

    Three notes:

    • Every user in the AWSReservedSSO_AWSAdministratorAccess group will be included in this exclusion.
    • The region may or may not be necessary. In my experience, it was not. Try with both.
    • You can also use a wildcard in place of the specific account id and region (if included).

    More info on this can be found in Referencing permission sets in resource policies and How to implement a read-only service control policy (SCP).

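As an added example (not code from the question, the answers or AWS), the following Python models how the ArnNotLike condition on aws:PrincipalArn from the question and from answer 2 is evaluated, including the Identity Center role path with and without a region segment. It assumes what the AWS global condition key documentation states for aws:PrincipalArn, namely that a role session is compared as the IAM role ARN (arn:aws:iam::account:role/name) and not as the STS assumed-role session ARN; the account ID, session name and permission-set suffix are constructed.

```python
import re

# Constructed sample values for this example (not taken from the original post).
ACCOUNT = "123456789012"

# aws:PrincipalArn for a role session is the IAM role ARN; the STS session ARN is
# what CloudTrail shows for the caller but is not the value the condition key compares.
PLAIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/myawsrole"
STS_SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/myawsrole/alice"

# Identity Center roles: without a region segment in the path, and with one.
SSO_PATH = f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/"
SSO_ROLE_NO_REGION = SSO_PATH + "AWSReservedSSO_AWSAdministratorAccess_0123456789abcdef"
SSO_ROLE_REGIONAL = SSO_PATH + "eu-west-1/AWSReservedSSO_AWSAdministratorAccess_0123456789abcdef"

# Three ways of writing the ArnNotLike exclusion list.
QUESTION_STYLE = [STS_SESSION_ARN]                                     # session ARN, as in the question
ANSWER_STYLE = [SSO_PATH + "AWSReservedSSO_AWSAdministratorAccess*"]   # as in answer 2
REGION_TOLERANT = [SSO_PATH + "*AWSReservedSSO_AWSAdministratorAccess*"]  # wildcard absorbs the region


def arn_like(pattern, value):
    """ArnLike semantics: the six colon-delimited ARN components are compared one
    by one, case-sensitively; '*' matches any run (it may span '/') and '?' one char."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    for p, v in zip(p_parts, v_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(regex, v) is None:
            return False
    return True


def scp_denies(principal_arn, arn_not_like):
    """Evaluate the Deny statement's condition: ArnNotLike on aws:PrincipalArn is true,
    so the Deny applies, unless the principal matches at least one listed pattern."""
    return not any(arn_like(p, principal_arn) for p in arn_not_like)


if __name__ == "__main__":
    for label, arn in [("plain role", PLAIN_ROLE_ARN), ("SSO no region", SSO_ROLE_NO_REGION),
                       ("SSO regional", SSO_ROLE_REGIONAL)]:
        for style, patterns in [("question", QUESTION_STYLE), ("answer", ANSWER_STYLE),
                                ("tolerant", REGION_TOLERANT)]:
            print(f"{label:14} {style:9} denied={scp_denies(arn, patterns)}")
```

Running it shows the plain role still denied under the question-style list (the session ARN never equals the role ARN the key carries), and the regional Identity Center role denied under answer 2's pattern until the extra wildcard before AWSReservedSSO_ is added.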