AWS Global Condition Context Keys

Cloud Journey
3 min read, May 5, 2022

Overview

This post looks at service control policies (SCPs), VPC endpoint policies and the aws:ResourceOrgID global condition context key.

Two worked examples show how the key removes access to resources that live outside your organization.

Secrets Manager Example

(credit to https://www.youtube.com/watch?v=951E8zA3Lxc, screenshots from the video)

This example ensures that principals in your AWS organization cannot write data to AWS Secrets Manager secrets that belong to accounts outside your organization.

Secrets Manager Resource Policy

The resource policy on the secret, which sits in an account outside the organization, grants access to application_role, a role that lives in one of the organization's accounts.

application_role IAM identity policy

Validation

With the resource policy and the role's identity policy both allowing the call, application_role can write a secret value to a secret owned outside your organization; nothing at the organization level stops it yet.

Service Control Policy at AWS Organizations

(An SCP grants no access by itself; it defines the maximum permissions that principals in the organization can ever be granted.)

Note: the hard-coded organization ID in the condition (line 11 of the policy in the screenshot) can be replaced with the policy variable ${aws:PrincipalOrgID}, which resolves to the organization of the calling principal.

By default the AWS managed SCP FullAWSAccess is attached to the root, every OU and every account. It is the allow list that lets any permission be granted in the organization at all, so a deny-only SCP like this one only carves exceptions out of it.

SCP in action

With the SCP attached, the same write is denied. The secret belongs to an account outside the organization, so its aws:ResourceOrgID does not match the organization ID in the condition, the StringNotEquals deny applies, and an explicit deny overrides the allows in the identity policy and the resource policy.

SNS Topic Example

(credit to https://www.youtube.com/watch?v=951E8zA3Lxc, screenshots from the video)

This example ensures that your VPC, through its SNS interface endpoint, can only be used to reach Amazon SNS topics that belong to your organization.

SNS Topic Access Policy

The topic's access policy is effective as written: a principal in your VPC can publish messages to this SNS topic even though it lives in an account outside your organization:

Custom policy for the SNS VPC endpoint

  • Like an SCP, a VPC endpoint policy grants no access; it bounds the maximum access that can pass through the endpoint.
  • Hard-code your organization ID as the aws:ResourceOrgID value, or add an aws:PrincipalOrgID condition. The endpoint policy applies to every set of credentials used through the endpoint, and the policy variable ${aws:PrincipalOrgID} resolves to whichever organization those credentials belong to, so on its own it would let foreign credentials used from inside your VPC reach that foreign organization's topics.
  • Add a condition that only allows access to resources in your own organization.

VPC endpoint policy in action
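Both policies in action, as an added example that is not part of the original post or of the video it credits: a small Python simulation of the slice of IAM policy evaluation that the Secrets Manager SCP above and this SNS endpoint policy rely on. Everything in it is an assumption made for illustration: the organization IDs are constructed, the identity policy is taken to allow the call, only the Action and Condition elements are evaluated (Principal and Resource are ignored), only StringEquals and StringNotEquals with ${...} policy variables are modelled, and aws:ResourceOrgID is modelled as absent from the request context when the resource's owning account is in no organization. The function and constant names are the example's own, not AWS's.

```python
"""Added simulation of how aws:ResourceOrgID is evaluated in an SCP and a VPC
endpoint policy. Not AWS's engine: it models only StringEquals/StringNotEquals,
${...} policy variables and Action matching, plus the (assumed) absence of the
key when the resource's owning account is in no organization."""
import re

OUR_ORG = "o-aaaaaaaaaa"    # constructed: the organization we administer
OTHER_ORG = "o-bbbbbbbbbb"  # constructed: a foreign organization

# AWS managed FullAWSAccess, the allow list every organization starts with.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The Secrets Manager example's SCP, with the org ID as a policy variable.
# It grants nothing; it only removes access to secrets owned outside the org.
SCP_DENY_SECRETS_OUTSIDE_ORG = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenySecretsOutsideOrg", "Effect": "Deny",
    "Action": "secretsmanager:*", "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:ResourceOrgID": "${aws:PrincipalOrgID}"}}}]}

def sns_endpoint_policy(condition):
    """VPC endpoint policy for an SNS interface endpoint; only Condition varies."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "sns:Publish",
        "Resource": "*", "Condition": condition}]}

def request_context(principal_org, resource_org):
    """resource_org=None models a resource whose owning account is in no org."""
    ctx = {"aws:PrincipalOrgID": principal_org}
    if resource_org is not None:  # assumed: the key exists only for org-owned resources
        ctx["aws:ResourceOrgID"] = resource_org
    return ctx

def _substitute(value, ctx):
    """Resolve ${aws:Key} policy variables; an unresolvable one never matches."""
    if any(name not in ctx for name in re.findall(r"\$\{([^}]+)\}", value)):
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx[m.group(1)], value)

def _condition_matches(condition, ctx):
    """A missing key fails StringEquals but satisfies the negated StringNotEquals."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            expected = _substitute(expected, ctx)
            if key not in ctx:
                matched = operator == "StringNotEquals"
            else:
                matched = (ctx[key] == expected) == (operator == "StringEquals")
            if expected is None or not matched:
                return False
    return True

def _action_matches(pattern, action):
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action) is not None

def evaluate(policy, action, ctx):
    """'Deny', 'Allow' or 'NoMatch' for one document (Principal/Resource not modelled)."""
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        if _action_matches(stmt["Action"], action) and _condition_matches(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def allowed(layers, action, ctx):
    """Each layer (SCPs, endpoint policy) needs an Allow and no Deny; identity policy assumed to allow."""
    for layer in layers:
        results = [evaluate(p, action, ctx) for p in layer]
        if "Deny" in results or "Allow" not in results:
            return False
    return True

def secrets_manager_scenarios():
    """PutSecretValue by one of our principals against differently owned secrets."""
    action, scps = "secretsmanager:PutSecretValue", [FULL_AWS_ACCESS, SCP_DENY_SECRETS_OUTSIDE_ORG]
    return {
        "secret in our org": allowed([scps], action, request_context(OUR_ORG, OUR_ORG)),
        "secret in another org": allowed([scps], action, request_context(OUR_ORG, OTHER_ORG)),
        # The post's closing note: owner in no organization => key absent => deny fires.
        "secret owned outside any org": allowed([scps], action, request_context(OUR_ORG, None)),
    }

def sns_endpoint_scenarios():
    """sns:Publish through our endpoint (only that layer modelled); 'foreign' is another org's credentials aimed at its own topic."""
    action = "sns:Publish"
    foreign, ours = request_context(OTHER_ORG, OTHER_ORG), request_context(OUR_ORG, OUR_ORG)
    variable = sns_endpoint_policy({"StringEquals": {"aws:ResourceOrgID": "${aws:PrincipalOrgID}"}})
    hard_coded = sns_endpoint_policy({"StringEquals": {"aws:ResourceOrgID": OUR_ORG}})
    pinned = sns_endpoint_policy({"StringEquals": {"aws:ResourceOrgID": "${aws:PrincipalOrgID}", "aws:PrincipalOrgID": OUR_ORG}})
    return {
        "variable only, foreign creds": allowed([[variable]], action, foreign),  # the hole
        "hard-coded org, foreign creds": allowed([[hard_coded]], action, foreign),
        "variable + PrincipalOrgID, foreign creds": allowed([[pinned]], action, foreign),
        "hard-coded org, our creds": allowed([[hard_coded]], action, ours),
        "hard-coded org, topic owned outside any org": allowed([[hard_coded]], action, request_context(OUR_ORG, None)),
    }
```

Calling secrets_manager_scenarios() shows the SCP allowing the write to a secret in our organization, denying it for another organization's secret, and also denying it for a secret owned by an account in no organization at all, which is the caveat in the closing note. sns_endpoint_scenarios() shows why the endpoint policy should pin the organization ID: with only the ${aws:PrincipalOrgID} variable, foreign credentials used from inside the VPC can publish to the foreign organization's topic, while a hard-coded ID or an added aws:PrincipalOrgID condition closes that path.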

Conclusion

The aws:ResourceOrgID condition context key can be used in identity-based policies, service control policies and VPC endpoint policies to ensure that principals only reach resources that belong to your organization.

To restrict access to your own resources so that it only comes from your private network, VPC endpoints and their policies help as well.

You can also use principal condition keys such as aws:PrincipalOrgID to control which account, OU or organization is allowed to access your resources.

References

How to control access to AWS resources based on AWS account, OU, or organization | AWS Security Blog

https://aws.amazon.com/blogs/security/iam-share-aws-resources-groups-aws-accounts-aws-organizations/

Note:
Some AWS services require access to AWS-owned resources that are hosted in another AWS account. Those resources are not in your organization, so aws:ResourceOrgID is either absent from the request context or carries a different organization ID; in both cases a StringNotEquals deny on it matches. Using aws:ResourceOrgID in your identity-based policies might therefore block your identities from reaching these resources.


All blogs are strictly personal and do not reflect the views of my employer. https://github.com/Ronnie-personal