This topic contains 0 replies, has 1 voice, and was last updated by touseef ahmad touseef ahmad 1 year, 10 months ago.

Viewing 1 post (of 1 total)
  • Author
  • #100034364
    touseef ahmad
    touseef ahmad

    AWS Identity and Access Management (IAM) now makes it easier for you to control access to your AWS resources by using the AWS organization of IAM principals (users and roles). For some services, you grant permissions using resource-based policies to specify the accounts and principals that can access the resource and what actions they can perform on it. Now, you can use a new condition key, aws:PrincipalOrgID, in these policies to require all principals accessing the resource to be from an account in the organization. For example, let’s say you have an Amazon S3 bucket policy and you want to restrict access to only principals from AWS accounts inside of your organization. To accomplish this, you can define the aws:PrincipalOrgID condition and set the value to your organization ID in the bucket policy. Your organization ID is what sets the access control on the S3 bucket. Additionally, when you use this condition, policy permissions apply when you add new accounts to this organization without requiring an update to the policy.
    In this post, I walk through the details of the new condition and show you how to restrict access to only principals in your organization using S3.
    Condition concepts
    Before I introduce the new condition, let’s review the condition element of an IAM policy. A condition is an optional IAM policy element you can use to specify special circumstances under which the policy grants or denies permission. A condition includes a condition key, operator, and value for the condition. There are two types of conditions: service-specific conditions and global conditions. Service-specific conditions are specific to certain actions in an AWS service. For example, the condition key ec2:InstanceType supports specific EC2 actions. Global conditions support all actions across all AWS services.
    Now that I’ve reviewed the condition element in an IAM policy, let me introduce the new condition.
    AWS:PrincipalOrgID Condition Key
    You can use this condition key to apply a filter to the Principal element of a resource-based policy. You can use any string operator, such as StringLike, with this condition and specify the AWS organization ID for as its value.
    Condition key Description Operator(s) Value
    aws:PrincipalOrgID Validates if the principal accessing the resource belongs to an account in your organization. All String operators Any AWS organization ID
    Example: Restrict access to only principals from my organization
    Let’s consider an example where I want to give specific IAM principals in my organization direct access to my S3 bucket, 2018-Financial-Data, that contains sensitive financial information. I have two accounts in my AWS organization with multiple account IDs, and only some IAM users from these accounts need access to this financial report.
    To grant this access, I author a resource-based policy for my S3 bucket as shown below. In this policy, I list the individuals who I want to grant access. For the sake of this example, let’s say that while doing so, I accidentally specify an incorrect account ID. This means a user named Steve, who is not in an account in my organization, can now access my financial report. To require the principal account to be in my organization, I add a condition to my policy using the global condition key aws:PrincipalOrgID. This condition requires that only principals from accounts in my organization can access the S3 bucket. This means that although Steve is one of the principals in the policy, he can’t access the financial report because the account that he is a member of doesn’t belong to my organization.

    “Version”: “2012-10-17”,
    “Statement”: [
    “Sid”: “AllowGetObject”,
    “Effect”: “Allow”,
    “Principal”: {
    “Action”: “s3:GetObject”,
    “Resource”: “arn:aws:s3:::2018-Financial-Data/*”,
    “Condition”: {“StringEquals”:
    {“aws:PrincipalOrgID”: [ “o-yyyyyyyyyy” ]}

    In the policy above, I specify the principals that I grant access to using the principal element of the statement. Next, I add s3:GetObject as the action and 2018-Financial-Data/*as the resource to grant read access to my S3 bucket. Finally, I add the new condition key aws:PrincipalOrgID and specify my organization ID in the condition element of the statement to make sure only the principals from the accounts in my organization can access this bucket.

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.

©2020 AWSCC a premium and multipurpose community by R-Access Communications of VA - 2020


We're not around right now. But you can send us an email and we'll get back to you, asap.


Log in with your credentials


Forgot your details?

Create Account