IAM "account identifier" (":root" suffix) principal in S3 / KMS resource policy is not granting access

0

My best understanding of the "arn:aws:iam::[account-id]:root" principal is that it refers to all IAM users and roles in that account. Although I have found some confusing explanations of it, this one from the IAM course in AWS Skill Builder had a clear description:

"When you use an AWS account identifier as the principal in a policy, you delegate authority to the account. Within that account, the permissions in the policy statement can be granted to all identities, including IAM users and roles in that account. "

So I wanted to put that to the test by creating the following S3 bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[my-account-id]:root"
            },
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[bucket-name]/*",
                "arn:aws:s3:::[bucket-name]"
            ]
        }
    ]
}

My expectation was: any user (or assumed role) that is present in my account can list objects in this bucket without an explicit identity policy. Reality: access denied.

Everything is happening in a single account (no cross-account activity).

My confusion is compounded by the fact that the S3 example bucket policies use this format as well (https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) and that the KMS default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam) also uses the ":root" principal for encryption/decryption access but that it also refused me access.

How is this "account identifier" / "account principal" supposed to work? Am I completely misinterpreting the explanation I quoted above?

asked 9 months ago · 2741 views
2 Answers
0

Hello.

Even if I grant permission to "arn:aws:iam::[my-account-id]:root" in the S3 bucket policy, IAM users are not allowed.
When granting permission to an IAM user, you need to specify the IAM user's ARN like "arn:aws:iam::AWS-account-ID:user/user-name".
"arn:aws:iam::[my-account-id]:root" allows access to "[my-account-id]", but if permission is not set in the IAM policy, S3 cannot be accessed.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html#access_policies-cross-account-delegating-resource-based-policies

Please read this document.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts

When you allow access to a different account, an administrator in that account must then grant access to an identity (IAM user or role) in that account.

EXPERT
answered 9 months ago
  • Thanks for your reply. I have seen both those documents and they are a big source of my confusion because they describe the purpose of ":root" differently.

    You're right that specifying a ":user/username" ARN or giving a user an identity policy makes it work but in both cases the ":root" ARN is simply ignored.

    Is this account principal only useful then in cross-account situations? But if so, why is the KMS default key policy like it is if it doesn't do anything for your own account?

  • "arn:aws:iam::[my-account-id]:root" cannot access S3 even if it is between accounts unless there is a permission action in the IAM policy. The KMS key is described in the documentation, but without "arn:aws:iam::[my-account-id]:root" you will have to rely solely on IAM policy operations. In other words, if there are no IAM policies that can be operated, access rights to KMS will be lost, so I think they are making it possible for even root users to operate.
    https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam

    Unlike other AWS resource policies, an AWS KMS key policy does not automatically give permission to the account or any of its principals. To give permission to any principal, including the account principal, you must use a key policy statement that provides the permission explicitly. You are not required to give the account principal, or any principal, access to the KMS key. However, giving access to the account principal helps you prevent the key from becoming unmanageable.
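The evaluation rule this answer and its comments describe (an account ":root" principal in a resource policy delegates to the account, so the identity still needs its own IAM allow; KMS additionally requires that delegation before IAM policies count at all), modelled as an added Python example that is not part of this thread. The account id, user name, bucket name and key id are constructed placeholders, and the model ignores conditions, SCPs and permission boundaries.

```python
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                               # constructed sample account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"           # constructed IAM user
BUCKET = "arn:aws:s3:::example-bucket"                 # constructed bucket
KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/placeholder-key-id"  # constructed key

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))

def evaluate(principal_arn, action, resource, identity_policy, resource_policy, service):
    """Return 'Allow' or 'Deny' for a same-account principal (simplified model)."""
    root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    identity_allow = named_allow = root_delegated = False
    for stmt in identity_policy.get("Statement", []):
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"                          # explicit deny always wins
            identity_allow = True
    for stmt in resource_policy.get("Statement", []):
        if not _matches(stmt, action, resource):
            continue
        names = _principals(stmt)
        covers_me = principal_arn in names or "*" in names
        if stmt["Effect"] == "Deny" and (covers_me or root in names):
            return "Deny"
        if stmt["Effect"] == "Allow":
            named_allow |= covers_me                   # identity named directly: a real grant
            root_delegated |= root in names            # ":root": delegation to the account only
    if named_allow:
        return "Allow"
    # ":root" hands the decision to the account's IAM policies. S3 (like most services)
    # honours same-account IAM allows anyway; KMS only honours them once the key policy
    # carries that ":root" delegation, which is why the default key policy includes it.
    if identity_allow and (service != "kms" or root_delegated):
        return "Allow"
    return "Deny"

# Constructed policies mirroring the thread: the question's bucket policy, a variant naming
# the user directly, identity policies, and a KMS key policy with the ":root" delegation.
BUCKET_POLICY_ROOT = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROOT},
    "Action": ["s3:PutObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]}]}
BUCKET_POLICY_ALICE = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ALICE},
    "Action": "s3:ListBucket", "Resource": BUCKET}]}
IDENTITY_LIST = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET}]}
IDENTITY_DECRYPT = {"Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY}]}
KEY_POLICY_ROOT = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROOT},
    "Action": "kms:*", "Resource": "*"}]}
```

Running `evaluate(ALICE, "s3:ListBucket", BUCKET, {}, BUCKET_POLICY_ROOT, "s3")` reproduces the question's "access denied", while adding `IDENTITY_LIST` or naming the user in the bucket policy yields "Allow".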

0

Your policy looks good to me.

Try to use the Policy Simulator (https://policysim.aws.amazon.com/home/index.jsp)

It can show you which policy is denying you access.

AWS
answered 9 months ago
  • Thanks. According to the simulator there are no matching statements when I try a ListBucket on the bucket.

    Is there a way to query which users would match the ":root" principal?
