When is `aws:PrincipalAccount` or `kms:CallerAccount` needed?


What is the difference between the following two permission statements, assuming that they are used in resource-based permission policies in AWS?

1:

{
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*",
  "Principal": {"AWS": "123456789012"}
}

2 (using `aws:PrincipalAccount`, or `kms:CallerAccount` in a KMS key policy):

{
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*",
  "Principal": {"AWS": "*"},
  "Condition": {
    "StringEquals": {
      "aws:PrincipalAccount": "123456789012"
    }
  }
}

The documentation for `aws:PrincipalAccount` doesn't have much to say. The documentation for `kms:CallerAccount` says that

> The syntax for the Principal element does not provide a way to specify all identities in an AWS account.

However, I haven't been able to figure out what identities cannot be specified by the Principal constraint.
