I want to highlight one issue with cross-account access.
I am currently working on a solution which will give the S3 buckets for an account which have a cross-account access policy appended as the bucket policy.
I came across the c7n solution for this and designed one policy as below:
```yaml
policies:
  - name: <<policy-name>>        # placeholder: the policy name is not shown in the post
    resource: s3
    filters:
      - type: list-item          # filter type implied by key/attrs/whitelist_from; not visible in the post as pasted
        whitelist_from:
          url: "s3://<<>>/accounts.json"
          expr: "accounts[].account_id"
          format: "json"
        key: BucketPolicy.Statement[]
        attrs:
          - type: value
            key: Principal.AWS
            value_regex: '.*(\d{12}).*'   # the '*' characters were eaten by markdown italics in the post
            op: ni
            value_from:
              url: "s3://<<>>/accounts.json"
              expr: "accounts[].account_id"
              format: "json"
```
Now the requirement is: we check the account id against our internal accounts.json file and validate whether the account id is valid or not. If the account id is not one of our internal account ids, we have to report it.
The above policy works fine if there is no external account id in the bucket policy, but if I add one external account id to this bucket policy, it doesn't detect that.
Below is my bucket policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCustodianAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<valid_account>:root" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket>/*"
    },
    {
      "Sid": "GrantCloudOfficeAndCyberDefenseReadAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<valid_account>:root",
          "arn:aws:iam::730335246023:root",   // <-- bold/highlighted in the original post
          "arn:aws:iam::<valid_account>:root",
          "arn:aws:iam::<valid_account>:root"
        ]
      },
      "Action": [ "s3:ListBucket", "s3:GetObject" ],
      "Resource": [ "arn:aws:s3:::<bucket>/*", "arn:aws:s3:::<bucket>" ]
    },
    {
      "Sid": "AllowSSLOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [ "arn:aws:s3:::<bucket>/*", "arn:aws:s3:::<bucket>" ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```
Now the bold, highlighted IAM role is an unwanted account id which Custodian is unable to report; it gives this bucket policy as compliant, which it actually is not. If we don't add the bold account id, Custodian also says the bucket is compliant, which is true.
Is there any mistake that I am doing?
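As an added illustration of the check the post is trying to express (this is example code written for this page, not Cloud Custodian's own filter logic and not the poster's code), the script below performs the same "every Allow principal must belong to an account in accounts.json" test in plain Python. The one point it is built around is that `Principal.AWS` in a bucket policy can be a single string or a list of strings, and the statement that carries the external account in the post is the list-shaped one, so the check normalises the principal to a list before pulling the 12-digit account id out of each ARN. The sample bucket policy is constructed from the one above with the `<valid_account>` placeholders replaced by made-up ids (111111111111 and 222222222222); the stand-in for accounts.json and the bucket name are likewise constructed. It also covers a bare account id as principal and a wildcard `*` on an Allow statement, which are not in the post's policy.

```python
import json
import re

# Constructed sample, modelled on the bucket policy in the post: the
# <valid_account> placeholders are replaced with made-up ids 111111111111
# and 222222222222; 730335246023 is the external id the post highlights.
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCustodianAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "GrantCloudOfficeAndCyberDefenseReadAccess", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                            "arn:aws:iam::730335246023:root",
                            "arn:aws:iam::222222222222:root"]},
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3:::example-bucket"]},
    {"Sid": "AllowSSLOnly", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3:::example-bucket"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")

# Constructed stand-in for the internal accounts.json that the c7n policy
# reads with the JMESPath expression "accounts[].account_id".
SAMPLE_ACCOUNTS_JSON = {"accounts": [{"account_id": "111111111111"},
                                     {"account_id": "222222222222"}]}

# The account id is the fifth ':'-separated field of an IAM ARN; a bare
# 12-digit string is also a valid AWS principal. Anchoring on the ARN
# prefix avoids picking up digit runs from a user or role path.
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")
BARE_ACCOUNT_RE = re.compile(r"^\d{12}$")


def aws_principals(statement):
    """Normalise a statement's Principal to a list of AWS principal strings.

    Principal may be the string "*", a dict whose "AWS" value is a string,
    or a dict whose "AWS" value is a list. Service/Federated principals are
    not account-based and are ignored here.
    """
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):          # e.g. "*"
        return [principal]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def account_id(principal):
    """Return the 12-digit account id of a principal, or None if it has none ("*")."""
    if BARE_ACCOUNT_RE.match(principal):
        return principal
    match = ARN_ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def unknown_principals(bucket_policy, accounts_json):
    """List (Sid, principal) pairs for Allow statements that grant access to an
    account outside accounts.json, or to no account at all (a "*" principal)."""
    allowed = {a["account_id"] for a in accounts_json["accounts"]}
    findings = []
    for stmt in bucket_policy["Statement"]:
        if stmt.get("Effect") != "Allow":   # Deny statements cannot grant access
            continue
        for principal in aws_principals(stmt):
            if account_id(principal) not in allowed:
                findings.append((stmt.get("Sid"), principal))
    return findings


if __name__ == "__main__":
    for sid, principal in unknown_principals(SAMPLE_BUCKET_POLICY, SAMPLE_ACCOUNTS_JSON):
        print(f"non-compliant: statement {sid!r} grants access to {principal}")
```

Run against the constructed policy it reports exactly one finding, the `GrantCloudOfficeAndCyberDefenseReadAccess` statement with `arn:aws:iam::730335246023:root`, and reports nothing once that ARN is removed, which is the behaviour the post expects from the c7n policy. Whatever tool does the check, the list-valued `Principal.AWS` case is the one to confirm it handles, since that is the shape the highlighted statement has.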