WKLD.02 – Restrict credential usage scope with resource-based policies permissions - AWS Prescriptive Guidance

Policies are objects that can define permissions or specify access conditions. There are two primary types of policies:

  • Identity-based policies are attached to principals and define the principal’s permissions in the AWS environment.

  • Resource-based policies are attached to a resource, such as an Amazon Simple Storage Service (Amazon S3) bucket or a virtual private cloud (VPC) endpoint. These policies specify which principals are allowed access, the supported actions, and any other conditions that must be met.

For a principal to be allowed access to perform an action against a resource, it must have permission granted in its identity-based policy and meet the conditions of the resource-based policy. For more information, see Identity-based policies and resource-based policies (IAM documentation).

Recommended conditions for resource-based policies include:

  • Restrict access to only principals in a specified organization (defined in AWS Organizations) by using the aws:PrincipalOrgID condition.

  • Restrict access to traffic that originates from a specific VPC or VPC endpoint by using the aws:SourceVpc or aws:SourceVpce condition, respectively.

  • Allow or deny traffic based on the source IP address by using an aws:SourceIp condition.

The following is an example of a resource-based policy that uses the aws:PrincipalOrgID condition to allow only principals in the <o-xxxxxxxxxxx> organization to access the <bucket-name> S3 bucket:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowFromOrganization",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::<bucket-name>/*",
                "Condition": {
                    "StringEquals": {"aws:PrincipalOrgID": "<o-xxxxxxxxxxx>"}
                }
            }
        ]
    }
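As an added illustration that is not part of this AWS page, the following Python simulates how the recommended condition keys (aws:PrincipalOrgID, aws:SourceVpce, aws:SourceIp) are evaluated against a request context for a resource-based policy on its own. It assumes the action, resource and principal elements already match the request, and the organization ID, VPC endpoint ID and IP range in the constructed policy are placeholders.

```python
import ipaddress

# Constructed policy: the page's AllowFromOrganization statement plus a Deny that
# blocks requests arriving neither via one VPC endpoint nor from a trusted IP range.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFromOrganization", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::<bucket-name>/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxxx"}}},
        {"Sid": "DenyUnlessVpceOrTrustedRange", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::<bucket-name>/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"},
                       "NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

def _matches(operator, expected, actual):
    """Evaluate one condition operator for one key against the request context."""
    expected = expected if isinstance(expected, list) else [expected]
    negated = "Not" in operator
    if actual is None:
        # Missing key: positive operators evaluate false, ...Not... operators true.
        return negated
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in expected
    elif operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(c, strict=False) for c in expected)
    else:
        raise ValueError(f"unsupported operator: {operator}")
    return hit != negated

def conditions_met(statement, ctx):
    """Every operator/key pair in a Condition block must hold (logical AND)."""
    return all(_matches(op, exp, ctx.get(key))
               for op, keys in statement.get("Condition", {}).items()
               for key, exp in keys.items())

def evaluate(policy, ctx):
    """Resource-policy-only decision: explicit Deny wins, else Allow, else implicit Deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not conditions_met(stmt, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

A request from the right organization but from an untrusted address and outside the endpoint is explicitly denied, and a request from the wrong organization is implicitly denied even when it arrives through the endpoint.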