AWS Account delegation does not work when account identifier is specified as NotPrincipal in a Deny statement


I asked a very similar question here. I thought to add more clarity in this question.

As per AWS documentation,

NotPrincipal With Deny
When you use NotPrincipal in the same policy statement as "Effect": "Deny", the actions specified in the policy statement are explicitly denied to all principals except for the ones specified.

and

When you use an AWS account identifier as the principal in a policy, you delegate authority to the account.

Delegation to an Account works when the Account (Root) ARN is included in the Principal element of an Allow statement.
On the contrary, Delegation to an Account does not work when the Account (Root) ARN is included in the NotPrincipal element of a Deny statement.

This leads me to think that a Deny can never delegate to an Account, even by excluding the Account root in NotPrincipal, i.e. you still need to explicitly specify the individual IAM users in the NotPrincipal element of the policy to be excluded from the Deny. This behavior is very different from an Allow, where only the Account (Root) needs to be specified for further delegation; there is no need to explicitly specify which IAM users should be included as part of the Allow.

Question: Does delegation of authority to the account apply only in an Allow statement? i.e. Is it correct to assume that delegation of authority to the account does not apply in a Deny statement, even if the account is excluded via the NotPrincipal element?

Scenario 1: Allow delegates with just the Account (Root) ARN

The bucket policy statement below lets the Account decide, via its IAM policies, which IAM users in the Account can access the bucket; delegation works.

    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::1234567890:root"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::abhiawsbucket-accessdemo",
            "arn:aws:s3:::abhiawsbucket-accessdemo/*"
        ]
    }

Scenario 2: Deny does not delegate with just the Account (Root) ARN

The bucket policy statement below will NOT let the Account decide, via its IAM policies, which IAM users in the Account can access the bucket; delegation does NOT work. Specifying the Account (Root) ARN in the NotPrincipal element does not delegate.

    {
        "Effect": "Deny",
        "NotPrincipal": {
            "AWS": "arn:aws:iam::1234567890:root"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::abhiawsbucket-accessdemo",
            "arn:aws:s3:::abhiawsbucket-accessdemo/*"
        ]
    }

To summarize, I am trying to find out if the following statement is correct:

Delegation to Account (Root) can be expressed via the Principal and NotPrincipal elements, but delegation itself works / applies only with Effect:Allow. Delegation to Account (Root) does NOT work with Effect:Deny, even when Account (Root) is excluded in NotPrincipal.
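The following toy model, added here and not part of the question or of any AWS code, encodes the two behaviours the scenarios above rely on so that the difference can be checked mechanically: an account root ARN in an Allow Principal delegates to identities in that account (which still need IAM permission), while Principal/NotPrincipal matching in a Deny statement is by exact ARN, so a root ARN in NotPrincipal excepts only the root user. The account id, user name and `iam_allows` flag are constructed placeholders; conditions, roles and session principals are deliberately left out.

```python
"""Toy model of the Allow-with-Principal and Deny-with-NotPrincipal scenarios.

Constructed illustration only: this is not AWS's policy evaluation engine.
It omits Condition blocks, roles, session principals and the IAM-side policy
a delegated identity still needs (modelled only as the iam_allows flag).
"""

ACCOUNT = "1234567890"  # constructed account id taken from the question
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"

ALLOW_STMT = {"Effect": "Allow", "Principal": {"AWS": ROOT_ARN}}    # scenario 1
DENY_STMT = {"Effect": "Deny", "NotPrincipal": {"AWS": ROOT_ARN}}   # scenario 2


def account_of(arn: str) -> str:
    """Return the account id field of an IAM ARN (arn:aws:iam::<acct>:...)."""
    return arn.split(":")[4]


def _listed(element: dict) -> list:
    """Normalise the "AWS" entry of a Principal/NotPrincipal element to a list."""
    value = element.get("AWS", [])
    return [value] if isinstance(value, str) else list(value)


def decision(stmt: dict, caller_arn: str, iam_allows: bool = True) -> str:
    """Evaluate one statement for one caller: 'allow', 'deny' or 'no-match'."""
    if stmt["Effect"] == "Allow":
        principals = _listed(stmt["Principal"])
        # Root ARN in an Allow delegates to the whole account, subject to IAM.
        delegated = any(
            p.endswith(":root") and account_of(p) == account_of(caller_arn)
            for p in principals
        )
        if caller_arn in principals or (delegated and iam_allows):
            return "allow"
        return "no-match"
    # Deny: exact ARN matching only; no delegation through the root ARN.
    if "NotPrincipal" in stmt:
        excepted = caller_arn in _listed(stmt["NotPrincipal"])
        return "no-match" if excepted else "deny"
    return "deny" if caller_arn in _listed(stmt["Principal"]) else "no-match"
```

Listing both the root ARN and the user ARN in NotPrincipal is what lifts the Deny for that user in this model, matching the AWS guidance quoted in the question.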
