Sunday, June 28, 2020

AWS ABAC

Configuring Policy for AWS Attribute Based Access Control

The policies below are based on this AWS tutorial.

Scenario 1:
  • Allow the action if the department tag does NOT exist on the resource.
  • Allow the action if the department tag, where it exists, matches between the resource and the principal.
  • Do not allow adding or removing a department tag unless its value matches the principal's department tag.
Result (tested as a principal whose department tag is "IT"):
  • Because both condition keys carry the ...IfExists suffix, I could edit the description of a secret that had no department tag at all: neither aws:RequestTag/department nor aws:ResourceTag/department is present in that request, so both conditions evaluate to true.
  • Adding tags to a secret that starts with an empty tag set:
    • ALLOW: create then delete a new tag "DEPT" = "None" (the key is not "department", so aws:RequestTag/department is absent and the IfExists condition passes).
    • ALLOW: create then delete a new tag dEPartment = "IT" (IT is also the principal's department tag; IAM matches condition key names case-insensitively, so this key still hits aws:RequestTag/department and the value matches).
    • DENY: create a new tag department = "HR" (the value does not match the principal's department tag, IT).


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllActionsSecretsManagerSameDepartment",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "aws:RequestTag/department": "${aws:PrincipalTag/department}",
                    "aws:ResourceTag/department": "${aws:PrincipalTag/department}"
                }
            }
        },
        {
            "Sid": "AllResourcesSecretsManagerNoTags",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        }
    ]
}

Scenario 2:
  • Same rules as scenario 1.
  • Only allow the HR department (or principals with no department designation) to use Secrets Manager.
Result:
  • Only users whose aws:PrincipalTag/department is "HR" may put a department tag on a Secrets Manager resource and so take control of it.
The HR check had to go into its own StringEqualsIfExists block because JSON does not allow the same key twice at the same level: "aws:RequestTag/department" is already used inside the StringLikeIfExists block. Condition operators within one statement are ANDed, so a department tag in the request must both equal "HR" and match the principal's department tag. Note that this only constrains the tag being written: the aws:RequestTag condition is skipped when no department tag is in the request, so a principal from another department can still act on secrets already tagged with its own department. Restricting that would need a condition on aws:PrincipalTag/department itself.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllActionsSecretsManagerSameDepartment",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "*",
            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/department": "HR"
                },
                "StringLikeIfExists": {
                    "aws:RequestTag/department": "${aws:PrincipalTag/department}",
                    "aws:ResourceTag/department": "${aws:PrincipalTag/department}"
                }
            }
        },
        {
            "Sid": "AllResourcesSecretsManagerNoTags",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        }
    ]
}
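To check the reasoning above without touching an AWS account, here is a toy evaluator for the two policies, written as an added example (it is not code from the post or from the AWS tutorial). It reproduces the Scenario 1 observations (untagged secret editable, DEPT=None and dEPartment=IT allowed, department=HR denied) and the Scenario 2 tagging restriction, and also exercises the gap noted above: an IT principal reading a secret already tagged department=IT under the Scenario 2 policy. It models only the operators these policies use; the lowercasing of condition key names reflects IAM's case-insensitive key matching, and the tag values fed to it are constructed test inputs.

```python
"""Toy evaluator for the two ABAC policies above: Allow/Deny statements, wildcard
Action matching, StringEquals/StringLike with the ...IfExists suffix and
${aws:PrincipalTag/...} variables. A learning aid, not the IAM policy simulator."""
import re

# Both policies from the post, transcribed as Python dicts (Resource is "*" in every
# statement, so resource matching is not modelled).
SAME_DEPT = {
    "aws:RequestTag/department": "${aws:PrincipalTag/department}",
    "aws:ResourceTag/department": "${aws:PrincipalTag/department}",
}
NO_TAGS_NEEDED = {"Sid": "AllResourcesSecretsManagerNoTags", "Effect": "Allow",
                  "Action": ["secretsmanager:GetRandomPassword", "secretsmanager:ListSecrets"],
                  "Resource": "*"}
SCENARIO_1 = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllActionsSecretsManagerSameDepartment", "Effect": "Allow",
     "Action": "secretsmanager:*", "Resource": "*",
     "Condition": {"StringLikeIfExists": SAME_DEPT}},
    NO_TAGS_NEEDED]}
SCENARIO_2 = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllActionsSecretsManagerSameDepartment", "Effect": "Allow",
     "Action": "secretsmanager:*", "Resource": "*",
     "Condition": {"StringEqualsIfExists": {"aws:RequestTag/department": "HR"},
                   "StringLikeIfExists": SAME_DEPT}},
    NO_TAGS_NEEDED]}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _like(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _resolve(template, ctx):
    """Substitute ${var} policy variables; None if a variable is absent from the request."""
    try:
        return _VAR.sub(lambda m: ctx[m.group(1).lower()], template)
    except KeyError:
        return None


def build_context(principal_tags, resource_tags, request_tags):
    """Request context keyed by condition key. IAM matches condition key names
    case-insensitively, so the tag-key part is lowercased; values are kept as-is."""
    ctx = {}
    for prefix, tags in (("aws:PrincipalTag/", principal_tags),
                         ("aws:ResourceTag/", resource_tags), ("aws:RequestTag/", request_tags)):
        for key, value in tags.items():
            ctx[(prefix + key).lower()] = value
    return ctx


def _condition_true(operator, key, expected, ctx):
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if base not in ("StringEquals", "StringLike"):
        raise ValueError(f"operator not modelled: {operator}")
    actual = ctx.get(key.lower())
    if actual is None:        # key absent from the request:
        return if_exists      # ...IfExists passes, the plain operator fails
    for exp in _as_list(expected):       # several values for one key are ORed
        resolved = _resolve(exp, ctx)
        if resolved is None:
            continue                     # an unresolvable variable never matches
        if base == "StringEquals" and actual == resolved:
            return True
        if base == "StringLike" and _like(resolved, actual):
            return True
    return False


def evaluate(policy, action, principal_tags, resource_tags=None, request_tags=None):
    """Decide one request under one identity policy: ALLOW, EXPLICIT_DENY or IMPLICIT_DENY."""
    ctx = build_context(principal_tags, resource_tags or {}, request_tags or {})
    decision = "IMPLICIT_DENY"
    for stmt in policy["Statement"]:
        if not any(_like(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        # Operators inside Condition are ANDed, as are the keys inside each operator.
        if all(_condition_true(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items()):
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"
            decision = "ALLOW"
    return decision


if __name__ == "__main__":
    it = {"department": "IT"}
    print(evaluate(SCENARIO_1, "secretsmanager:TagResource", it, request_tags={"dEPartment": "IT"}))  # ALLOW
    print(evaluate(SCENARIO_1, "secretsmanager:TagResource", it, request_tags={"department": "HR"}))  # IMPLICIT_DENY
    print(evaluate(SCENARIO_2, "secretsmanager:GetSecretValue", it, resource_tags={"department": "IT"}))  # ALLOW
```

One design point the evaluator makes visible: StringLike substitutes the policy variable first and then treats the result as a wildcard pattern, so a principal whose department tag value happened to contain "*" would match every resource tag. Whoever can set principal tags (IAM administrators, or an identity provider issuing session tags) therefore controls the match; StringEquals on tag values avoids that class of surprise unless wildcards are actually wanted.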
