By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

ABAC for list or read resources.

0

Hi, In my organization we are using SAML-based identity provider (IdP) to manage corporate user identities, in a way that these users take on a federated role. We are trying to apply ABAC for these roles, so that roles only have permissions to resources with the same label as the role. However, I am having problem with some permissions, for example, I have noticed that I cannot apply ABAC for only list certain EC2 instances or S3 bucket.

{
    "Effect": "Allow",
    "Action": [
      "s3:DeleteObject",
      "s3:Get*",
      "s3:List*",
      "s3:PutObject"
    ],
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "aws:ResourceTag/Example": "${aws:PrincipalTag/Example}"
      }
    }
}

For example with the above policy, even if I just include "s3:*", I get the following message through the console.

Error listing resources

S3 is only example, but I have the same problem for the rest of services, EC2, RDS.... Even through aws cli, I cannot list any resources.

When, I attach the predefined AWS "ReadOnlyAccess" policy in addition to the other policy. I am able to list all the resources, but I no longer have the expected granularity, so I guess there are policies that don't work with ABAC like s3:ListAllMyBuckets but they are not very clear at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

Am I right? Or is there any way to apply ABAC for reading with this granularity ?

For other actions such as Starting and Stopping EC2 instances, it works fine.

Topics
Security, Identity, & Compliance
Tags
Security, Identity, & ComplianceIAM Policies
Language
English
diego-toro
asked 9 months ago305 views
2 Answers
4
Accepted Answer

ListAllMyBuckets will not be effective via resource based policy, it should rather be granted via Identity Access Management role/user/policy. Bucket policy is resource based policy and it would be effective for actions which are specific to that bucket objects only, not the bucket or buckets in itself. Even if you include s3:*, ListAllMyBuckets would still be ineffective if not granted via IAM role/policy.

Please refer this comparison document and s3 action support for ABAC for better understanding.

Since you already listed this documentation, which gives list of services, that support ABAC/Resource based policy etc.

Hope you find this useful.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
answered 9 months ago
profile pictureAWS
EXPERT
iBehr
reviewed 9 months ago
1

Each action only supports certain conditions, and ABAC is a condition that is not supported by ListAllMyBuckets.

More information: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

profile pictureAWS
Franke-AWS
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content