IAM: addAccountCondition adds condition which is not AWS:SourceAccount #25732
Labels
@aws-cdk/aws-iam
Related to AWS Identity and Access Management
documentation
This is a problem with documentation.
effort/medium
Medium work item – several days of effort
p2
Comments
mdavis-xyz
added
documentation
github-actions
bot
added
the
@aws-cdk/aws-iam
|
According to this doc, In your use case: client -> S3 bucket(owner:111111111111) -> SNS Topic(owner:222222222222) I believe you will need two conditions in your resource policy document:
And your CDK code probably should look like this: export class Demo2Stack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const stack = Stack.of(this);
const statement = new iam.PolicyStatement({
actions: ['sns:*'],
resources: ['*'],
principals: [ new iam.ServicePrincipal('s3.amazonaws.com') ],
});
statement.addConditions(
{
'ArnEquals': { 'aws:SourceArn': bucketArn },
'StringEquals': { 'aws:SourceAccount': '111111111111' },
}
);
const topic = new sns.Topic(this, 'Topic');
topic.addToResourcePolicy(statement)
};
};
And I agree we probably should add a |
pahud
added
effort/medium
mergify bot
pushed a commit
that referenced
this issue
May 26, 2023
…on (#25744) The [addAccountCondition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html#addwbraccountwbrconditionaccountid) method essentially create a `StringEquals` condition with `sts:ExternalId` which is used for [Cross-account confused deputy prevention](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#mitigate-confused-deputy). This PR adds `addSourceArnCondition` and `addSourceAccountCondition` methods used for [Cross-service confused deputy prevention](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention) and improves the doc on the methods. Closes #25732 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the issue
The description for addAccountCondition says:
Based on this, I assumed that it would add
But it does not. It adds:
These are for very different use cases.
In general, any account can set any value for
"sts:ExternalId". An attacker who knows my account number could just set my account number as the ExternalId when assuming their own role, which would satisfy this constraint. So this condition doesn't actually relate to an account, just a passphrase.My use case is that I'm granting S3 permission to publish to my SNS topic, with a topic policy. But I don't want other accounts to publish to my topic. I want to restrict it with an account condition.
When AWS assumes a role (e.g. S3 publishing notifications to my SNS topic), it does not set the assume role passphrase to the account number. So this condition actually ends up blocking legitimate traffic from my account.
I feel like this function is misnamed.
I'm guessing that changing the behavior of this function from "sts:ExternalId" to "AWS:SourceAccount" is a backwards-incompatible change that will mess with other users.
So what I propose is that the documentation should just say that this doesn't actually add a source account condition. And it should say how you should add a source account condition.
Something like:
(I also think it would be nice to make the argument to
addAccountConditionandaddAwsAccountPrincipaloptional, defaulting to the current account. And to add another functionaddSourceAccountCondition, which uses"AWS:SourceAccount")Links
https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.PolicyStatement.html#addwbraccountwbrconditionaccountid
The text was updated successfully, but these errors were encountered: