AWS Global Condition Context Keys

Overview

Secret Manager Example

(credit to https://www.youtube.com/watch?v=951E8zA3Lxc, screenshots from the video)

SNS Topic Example

(credit to https://www.youtube.com/watch?v=951E8zA3Lxc, screenshots from the video)

  • As with an SCP, it does not grant access; it defines the boundary, i.e. the maximum access allowed.
  • It is recommended to hard-code the ResourceOrgID value or to add a PrincipalOrgID condition.
  • Add a condition so that only resources in the same organization can be accessed.

Conclusion

The ResourceOrgID condition context key (aws:ResourceOrgID) can be used in identity-based policies, service control policies and VPC endpoint policies. It ensures that principals can only access resources that belong to your organization.
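To make the three points above and the conclusion concrete, here is an added example (not code from the original post or from AWS) showing the boundary statement in both forms the post recommends: a hard-coded organization id and the ${aws:PrincipalOrgID} policy variable. The organization id o-exampleorg12 and the request contexts are constructed placeholders, and the evaluator is a deliberately simplified model of how IAM treats a Deny with a StringNotEquals condition, not a reimplementation of IAM. It illustrates why the statement is a boundary rather than a grant, and the edge case where aws:ResourceOrgID is absent because the resource's owner is not in any organization.

```python
"""Restricting access to resources inside your own AWS Organization with the
aws:ResourceOrgID global condition key.

Added example, not code from the original post. The organization id
o-exampleorg12 and the request contexts below are constructed placeholders. The
evaluator is a simplified model of how IAM treats a Deny statement with a
StringNotEquals condition; it is not a reimplementation of IAM's engine.
"""
import json

ORG_ID = "o-exampleorg12"  # constructed placeholder for your organization's id


def deny_outside_org(resource_org: str) -> dict:
    """Build the boundary statement used in an identity-based policy or SCP.

    `resource_org` is either a hard-coded organization id (recommended for SCPs
    and identity-based policies inside your own organization) or the policy
    variable "${aws:PrincipalOrgID}", which compares the resource's organization
    with the calling principal's organization at request time.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyResourcesOutsideMyOrg",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:ResourceOrgID": resource_org}},
            }
        ],
    }


DENY_OUTSIDE_ORG_HARDCODED = deny_outside_org(ORG_ID)
DENY_OUTSIDE_ORG_VARIABLE = deny_outside_org("${aws:PrincipalOrgID}")


def render(policy: dict) -> str:
    """Serialize a policy document as the JSON you would attach in IAM."""
    return json.dumps(policy, indent=2)


def _resolve(value: str, ctx: dict) -> str:
    """Substitute a ${aws:Key} policy variable from the request context.

    Only contexts where the referenced key is present are modelled here; an
    unresolved variable is outside the scope of this simplified evaluator.
    """
    if value.startswith("${") and value.endswith("}"):
        key = value[2:-1]
        if key not in ctx:
            raise ValueError(f"policy variable {value} not resolvable in this model")
        return ctx[key]
    return value


def deny_applies(policy: dict, ctx: dict) -> bool:
    """Return True if any Deny statement's StringNotEquals condition matches.

    IAM's negated string operators match when the key is absent from the request
    context. aws:ResourceOrgID is only present when the resource's owning account
    belongs to an organization, so a resource owned by a stand-alone account is
    denied as well: the statement never grants anything, it only removes access.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        for key, expected in statement["Condition"]["StringNotEquals"].items():
            actual = ctx.get(key)
            if actual is None or actual != _resolve(expected, ctx):
                return True
    return False


def is_allowed(allow_granted: bool, boundary: dict, ctx: dict) -> bool:
    """Combine an Allow from some other policy with the boundary.

    `allow_granted` models whether an identity or resource policy already allows
    the action; an explicit Deny from the boundary always overrides it.
    """
    return allow_granted and not deny_applies(boundary, ctx)


if __name__ == "__main__":
    print(render(DENY_OUTSIDE_ORG_HARDCODED))
    # Constructed request contexts: same org, another org, stand-alone account.
    for label, ctx in [
        ("same org", {"aws:ResourceOrgID": ORG_ID, "aws:PrincipalOrgID": ORG_ID}),
        ("other org", {"aws:ResourceOrgID": "o-otherorg0001", "aws:PrincipalOrgID": ORG_ID}),
        ("no org (key absent)", {"aws:PrincipalOrgID": ORG_ID}),
    ]:
        print(f"{label}: allowed={is_allowed(True, DENY_OUTSIDE_ORG_HARDCODED, ctx)}")
```

Attaching `render(DENY_OUTSIDE_ORG_HARDCODED)` as an SCP or identity-based policy blocks every request to a resource outside the organization, including resources whose owner is not in any organization, while still granting nothing on its own. The policy-variable form is handy where the same document is reused across organizations, but hard-coding the id, as the post recommends, removes any dependency on the caller's context.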

References

How to control access to AWS resources based on AWS account, OU, or organization | AWS Security Blog

Cloud Journey

All blogs are strictly personal and do not reflect the views of my employer, focus on cloud networking, cloud security and API security.