Tuesday, June 23, 2020

AWS Policy Conditions

Multiple Conditions

Multiple condition operators, and multiple keys inside one operator, are combined with a logical AND: every one of them must match.
When a single KEY is compared against multiple VALUES, those values are combined with a logical OR: matching any one of them is enough.

These two conditions below produce the same result:
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml",
          "aws:RequestTag/department": [
            "HR",
            "IT"
          ]
        }
      }


      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        },
        "StringLike": {
          "aws:RequestTag/department": [
            "HR",
            "IT"
          ]
        }
      }

The reason you can't split the first example into two "StringEquals" blocks is that JSON does not permit two identical keys at the same level, so the second example uses "StringLike" for the second key instead (with no * or ? wildcards in the values, StringLike behaves exactly like StringEquals). Both read as: the first condition AND the second condition, where the second condition checks whether aws:RequestTag/department is HR OR IT.


ForAllValues vs ForAnyValue qualifier

ForAllValues works like a logical AND: every item in the request key (the values being compared) must match an item in the policy list (the values being compared against).

"Condition": {
    "ForAllValues:StringEquals": {
        "dynamodb:Attributes": [
            "ID",
            "Message",
            "Tags"
        ]
    }
}

This reads as: every value within dynamodb:Attributes (the key supplied by the requested action) must match an entry in this list (we'll call it List B).

Assume the content of dynamodb:Attributes is as follows: [ID,Message,Tags,UserName].
So the checks would be
  1. Is there ID in List B : Yes
  2. Is there Message in List B: Yes
  3. Is there Tags in List B: Yes
  4. Is there UserName in List B: No
Because of the 4th check, this returns False.

Assume the content of dynamodb:Attributes is as follows: [ID,Tags].
So the checks would be
  1. Is there ID in List B : Yes
  2. Is there Tags in List B: Yes
Because they both return Yes, this returns True.

If dynamodb:Attributes is empty (or the key is missing from the request), this also returns True, because there is no value that fails the check. That is why AWS recommends pairing ForAllValues with a "Null" condition on the same key (for example "Null": { "dynamodb:Attributes": "false" }) whenever an empty request must not be allowed.

Whereas ForAnyValue works like a logical OR: at least one value in the request key must match the policy list. Sometimes this gives the same result as ForAllValues, but not always, as the cases below show.

"Condition": {
    "ForAnyValue:StringEquals": {
        "dynamodb:Attributes": [
            "ID",
            "Message",
            "Tags"
        ]
    }
}

This reads as: at least one value within dynamodb:Attributes (the key supplied by the requested action) must match an entry in this list (again, List B).

Assume the content of dynamodb:Attributes is as follows: [ID,Message,Tags,UserName].
So the checks would be
  1. Is there ID in List B : Yes
Because it matches at least one, this returns True.

Assume the content of dynamodb:Attributes is as follows: [ID,Tags].
So the checks would be
  1. Is there ID in List B : Yes
Again, at least one is Yes, this returns True.

Assume the content of dynamodb:Attributes is as follows: [UserName,DateStamp].

  1. Is there UserName in List B: No
  2. Is there DateStamp in List B: No
Because it could not find any matching items, this returns False.

In this case, however, if dynamodb:Attributes is empty, the condition returns False, because there is no value that can match.
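To make the AND/OR rules from the first section and the ForAllValues / ForAnyValue empty-set behaviour from this section concrete, here is a small evaluator that reproduces every case worked through above. It is an added example written for this page, not AWS code: it models only StringEquals, StringLike, Null and the two set qualifiers, the request context is a plain dict I construct, and an empty list is treated the same as a missing key (an assumption for the Null check).

```python
"""Toy evaluator for the IAM Condition semantics discussed on this page (added example, not AWS code)."""
import re
from typing import Any, Callable, Dict, List

_Op = Callable[[str, str], bool]


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


# Only the operators used on this page are modelled.
_OPERATORS: Dict[str, _Op] = {
    "StringEquals": lambda policy, actual: policy == actual,
    "StringLike": _string_like,
}


def _as_list(value: Any) -> List[str]:
    """Policy and request values may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def _match_one(op: _Op, actual: str, policy_values: List[str]) -> bool:
    """One request value against one key's value list: the values are ORed."""
    return any(op(p, actual) for p in policy_values)


def evaluate_condition(condition: Dict[str, Dict[str, Any]], request: Dict[str, Any]) -> bool:
    """True only if every operator block and every key inside it matches (ANDed).

    `request` maps condition keys to the scalar or list present in the request
    context; a key absent from the dict is a missing key.
    """
    for op_name, key_map in condition.items():
        qualifier, _, base = op_name.rpartition(":")  # "ForAllValues:StringEquals" -> ("ForAllValues", "StringEquals")
        if base == "Null":
            # Null "true" asserts the key is absent; "false" asserts it is present (empty list == absent here).
            for key, expected in key_map.items():
                key_is_absent = _as_list(request.get(key)) == []
                if key_is_absent != (str(expected).lower() == "true"):
                    return False
            continue
        op = _OPERATORS[base]
        for key, policy_values in key_map.items():
            policy_values = _as_list(policy_values)
            actual_values = _as_list(request.get(key))
            if qualifier == "ForAllValues":
                # Every request value must match some policy value; an empty request set is vacuously True.
                matched = all(_match_one(op, a, policy_values) for a in actual_values)
            elif qualifier == "ForAnyValue":
                # At least one request value must match; an empty request set is therefore False.
                matched = any(_match_one(op, a, policy_values) for a in actual_values)
            elif qualifier == "":
                # Single-valued key: a missing key fails (only Null can pass on a missing key).
                matched = key in request and _match_one(op, request[key], policy_values)
            else:
                raise ValueError(f"unknown set qualifier {qualifier!r}")
            if not matched:
                return False
    return True


# The page's two equivalent conditions: keys are ANDed, the value list for one key is ORed.
SAML_AUD = "https://signin.aws.amazon.com/saml"
COND_EQUALS = {"StringEquals": {"SAML:aud": SAML_AUD, "aws:RequestTag/department": ["HR", "IT"]}}
COND_MIXED = {"StringEquals": {"SAML:aud": SAML_AUD}, "StringLike": {"aws:RequestTag/department": ["HR", "IT"]}}

LIST_B = ["ID", "Message", "Tags"]
FOR_ALL = {"ForAllValues:StringEquals": {"dynamodb:Attributes": LIST_B}}
FOR_ANY = {"ForAnyValue:StringEquals": {"dynamodb:Attributes": LIST_B}}
# ForAllValues paired with Null so that an attribute-less request no longer passes vacuously.
FOR_ALL_NOT_EMPTY = {**FOR_ALL, "Null": {"dynamodb:Attributes": "false"}}


def run_page_examples() -> Dict[str, bool]:
    """Evaluate the cases worked through in the text; each key names a case."""
    attrs = "dynamodb:Attributes"
    return {
        "equals_IT": evaluate_condition(COND_EQUALS, {"SAML:aud": SAML_AUD, "aws:RequestTag/department": "IT"}),
        "mixed_IT": evaluate_condition(COND_MIXED, {"SAML:aud": SAML_AUD, "aws:RequestTag/department": "IT"}),
        "equals_Finance": evaluate_condition(COND_EQUALS, {"SAML:aud": SAML_AUD, "aws:RequestTag/department": "Finance"}),
        "all_with_UserName": evaluate_condition(FOR_ALL, {attrs: ["ID", "Message", "Tags", "UserName"]}),
        "all_ID_Tags": evaluate_condition(FOR_ALL, {attrs: ["ID", "Tags"]}),
        "all_empty": evaluate_condition(FOR_ALL, {attrs: []}),
        "all_empty_with_null": evaluate_condition(FOR_ALL_NOT_EMPTY, {attrs: []}),
        "any_with_UserName": evaluate_condition(FOR_ANY, {attrs: ["ID", "Message", "Tags", "UserName"]}),
        "any_ID_Tags": evaluate_condition(FOR_ANY, {attrs: ["ID", "Tags"]}),
        "any_no_match": evaluate_condition(FOR_ANY, {attrs: ["UserName", "DateStamp"]}),
        "any_empty": evaluate_condition(FOR_ANY, {attrs: []}),
    }


if __name__ == "__main__":
    for case, result in run_page_examples().items():
        print(f"{case:22} -> {result}")
```

Running it prints True for the HR/IT cases under both conditions, False for a department outside the list, and the exact ForAllValues / ForAnyValue outcomes tabulated above; the one extra row, all_empty_with_null, shows the Null operator turning the vacuous True of an empty ForAllValues into a False.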
