Feature #61671: Support s3:ResourceAccount in IAM policies
Status: open (0% done)
Description
As described [here](https://aws.amazon.com/blogs/storage/limit-access-to-amazon-s3-buckets-owned-by-specific-aws-accounts/), I'd like to use this Condition in IAM policies to limit the scope of permissions I grant to users using a particular role.
Example:
{
  "RoleId": "e39d78ec-435c-4971-bd16-23d31280af05",
  "RoleName": "foo-test-admin",
  "Path": "/",
  "Arn": "arn:aws:iam:::role/foo-test-admin",
  "CreateDate": "2023-06-14T07:52:44.614Z",
  "MaxSessionDuration": 3600,
  "AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam:::user/foo-test\"},\"Action\":[\"sts:AssumeRole\"]}]}",
  "PermissionPolicies": [
    {
      "PolicyName": "policy-foo-test-admin",
      "PolicyValue": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:CreateBucket\",\"s3:DeleteBucket\",\"s3:DeleteObject\"],\"Resource\":[\"arn:aws:s3:::*\"],\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":[\"127.0.0.1/32\"]},\"StringEquals\":{\"s3:ResourceAccount\":[\"foo-test\"]}}}]}"
    }
  ]
}
When I grant a user access to this particular role, the user has access to objects belonging to any user in the cluster. I'd not like to limit the Resources since they are dynamic (people create/remove buckets and objects all the time), so using s3:ResourceAccount looks to me like the perfect solution to this problem.
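To make the requested semantics concrete, here is an added Python example that is not code from this issue or from the project it is filed against. It evaluates the permission policy above against individual requests, resolving s3:ResourceAccount to the owner of the targeted bucket (a constructed owner table stands in for the store's bucket metadata), and compares the result with the same policy stripped of that condition key. The helper names, the owner table and the rule that CreateBucket resolves the key to the caller's own account are assumptions made for the illustration.

```python
import copy
import fnmatch
import ipaddress

# Constructed bucket-owner table standing in for the object store's bucket
# metadata. Assumption: s3:ResourceAccount resolves to the owner of the
# bucket a request targets, as in the AWS semantics the issue links to.
BUCKET_OWNERS = {
    "foo-test-data": "foo-test",
    "foo-test-logs": "foo-test",
    "other-tenant-data": "other-tenant",
}

# The permission policy from the issue, as a parsed document.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::*"],
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["127.0.0.1/32"]},
                "StringEquals": {"s3:ResourceAccount": ["foo-test"]},
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def request_context(action, bucket, source_ip, caller_account):
    """Condition-key context for one request (hypothetical helper).

    For CreateBucket the bucket does not exist yet, so the resource account is
    taken to be the caller's own account, the owner the new bucket would get
    (assumption about how the key is resolved for that action).
    """
    if action == "s3:CreateBucket":
        owner = caller_account
    else:
        owner = BUCKET_OWNERS.get(bucket)  # None if the bucket is unknown
    return {
        "action": action,
        "resource": f"arn:aws:s3:::{bucket}",
        "aws:SourceIp": source_ip,
        "s3:ResourceAccount": owner,
    }


def _condition_holds(operator, key, expected, ctx):
    actual = ctx.get(key)
    if actual is None:
        # A missing key never satisfies a plain (non-IfExists) condition.
        return False
    if operator == "StringEquals":
        return actual in expected
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def _matches(patterns, value):
    # IAM-style wildcards '*' and '?'; comparison is case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, ctx):
    """Return 'Allow' or 'Deny'. Default deny; an explicit Deny wins."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), ctx["action"]):
            continue
        if not _matches(_as_list(stmt["Resource"]), ctx["resource"]):
            continue
        conditions = stmt.get("Condition", {})
        if not all(
            _condition_holds(op, key, _as_list(expected), ctx)
            for op, pairs in conditions.items()
            for key, expected in pairs.items()
        ):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def without_condition_key(policy, key):
    """Copy of the policy with one condition key removed, to compare behaviour."""
    stripped = copy.deepcopy(policy)
    for stmt in stripped["Statement"]:
        for op in list(stmt.get("Condition", {})):
            stmt["Condition"][op].pop(key, None)
            if not stmt["Condition"][op]:
                del stmt["Condition"][op]
    return stripped


if __name__ == "__main__":
    ctx = request_context("s3:DeleteObject", "other-tenant-data", "127.0.0.1", "foo-test")
    print("with s3:ResourceAccount   :", evaluate(POLICY, ctx))
    print("without s3:ResourceAccount:", evaluate(without_condition_key(POLICY, "s3:ResourceAccount"), ctx))
```

With the condition in place, a DeleteObject against a bucket owned by another tenant is denied even though `arn:aws:s3:::*` matches it; remove the key and the same request is allowed, which is the over-grant the issue describes. Two caveats: a missing condition key evaluates to false here, following the rule for operators without the `IfExists` suffix, and `fnmatch` also interprets `[...]` character classes, which IAM wildcard matching does not, so a real evaluator should translate only `*` and `?`.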