ABAC for list or read resources.

0

Hi, in my organization we are using a SAML-based identity provider (IdP) to manage corporate user identities, in a way that these users take on a federated role. We are trying to apply ABAC for these roles, so that roles only have permissions to resources with the same label as the role. However, I am having problems with some permissions; for example, I have noticed that I cannot apply ABAC to only list certain EC2 instances or S3 buckets.

{
    "Effect": "Allow",
    "Action": [
      "s3:DeleteObject",
      "s3:Get*",
      "s3:List*",
      "s3:PutObject"
    ],
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "aws:ResourceTag/Example": "${aws:PrincipalTag/Example}"
      }
    }
}

For example with the above policy, even if I just include "s3:*", I get the following message through the console.

Error listing resources

S3 is only an example, but I have the same problem for the rest of the services, EC2, RDS.... Even through the AWS CLI, I cannot list any resources.

When I attach the predefined AWS "ReadOnlyAccess" policy in addition to the other policy, I am able to list all the resources, but I no longer have the expected granularity, so I guess there are actions that don't work with ABAC, like s3:ListAllMyBuckets, but they are not very clear at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

Am I right? Or is there any way to apply ABAC for reading with this granularity?

For other actions such as Starting and Stopping EC2 instances, it works fine.

Asked 10 months ago, 316 views
2 answers
4
Accepted answer

ListAllMyBuckets will not be effective via a resource-based policy; it should rather be granted via an Identity and Access Management role/user/policy. A bucket policy is a resource-based policy and it would be effective for actions which are specific to that bucket's objects only, not the bucket or buckets in itself. Even if you include s3:*, ListAllMyBuckets would still be ineffective if not granted via an IAM role/policy.

Please refer to this comparison document and S3 action support for ABAC for better understanding.

Since you already listed this documentation, which gives the list of services that support ABAC/resource-based policies etc.

Hope you find this useful.

Abhishek

AWS Expert
Answered 10 months ago

Reviewed by iBehr, AWS Expert, 9 months ago
1

Each action only supports certain conditions, and ABAC is a condition that is not supported by ListAllMyBuckets.

More information: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

AWS Expert
Answered 10 months ago
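As an added illustration (not code from the question or either answer): a deliberately simplified model of how IAM evaluates the posted policy, enough to show why the aws:ResourceTag condition can never match s3:ListAllMyBuckets (the key is simply absent from that request) and why a separate, unconditioned statement restores listing without losing the tag gate on the other actions. The policy document, the tag values and the request contexts are constructed; this is not boto3 or the IAM policy simulator, and which real actions populate aws:ResourceTag is what the service authorization reference linked above tells you.

```python
# Simplified IAM model: Allow statements only, StringEquals only,
# ${aws:PrincipalTag/...} substitution, Resource not checked, and the real
# IAM rule that a condition key missing from the request context makes
# StringEquals evaluate to false (so the statement does not apply).
import fnmatch
import re

def _resolve(value, ctx):
    # Replace ${key} policy variables with values from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)

def _condition_ok(cond, ctx):
    for key, expected in cond.get("StringEquals", {}).items():
        if key not in ctx:   # e.g. aws:ResourceTag/* on an account-level
            return False     # action such as s3:ListAllMyBuckets
        if ctx[key] != _resolve(expected, ctx):
            return False
    return True

def is_allowed(policy, action, ctx):
    """True if some Allow statement matches the action and its condition holds."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (st["Effect"] == "Allow"
                and any(fnmatch.fnmatchcase(action, a) for a in actions)
                and _condition_ok(st.get("Condition", {}), ctx)):
            return True
    return False  # implicit deny

TAG_CONDITION = {"StringEquals": {"aws:ResourceTag/Example": "${aws:PrincipalTag/Example}"}}
# The statement from the question: every S3 action gated on the resource tag.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:DeleteObject", "s3:Get*", "s3:List*", "s3:PutObject"],
     "Resource": "*", "Condition": TAG_CONDITION}]}
# Fix: grant the account-level list action in its own statement with no tag
# condition, and keep the tag condition on the actions that support it.
FIXED = {"Version": "2012-10-17", "Statement": ORIGINAL["Statement"] + [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}

# Constructed request contexts for a federated principal tagged Example=team-a.
LIST_BUCKETS = {"aws:PrincipalTag/Example": "team-a"}  # no resource -> no resource tag key
GET_OBJECT_OWN = {"aws:PrincipalTag/Example": "team-a", "aws:ResourceTag/Example": "team-a"}
GET_OBJECT_OTHER = {"aws:PrincipalTag/Example": "team-a", "aws:ResourceTag/Example": "team-b"}

if __name__ == "__main__":
    print(is_allowed(ORIGINAL, "s3:ListAllMyBuckets", LIST_BUCKETS))  # False: "Error listing resources"
    print(is_allowed(FIXED, "s3:ListAllMyBuckets", LIST_BUCKETS))     # True
    print(is_allowed(FIXED, "s3:GetObject", GET_OBJECT_OTHER))        # False: granularity kept
```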
