WKLD.02 Restrict credential usage scope with resource-based policies
Policies define permissions or specify access conditions for AWS resources. There are two primary types of policies:
- Identity-based policies are attached to principals and define what the principal's permissions are in the AWS environment.
- Resource-based policies are attached to a resource, such as an Amazon Simple Storage Service (Amazon S3) bucket or a virtual private cloud (VPC) endpoint. These policies specify which principals are allowed access, the supported actions, and any other conditions that must be met.
For a principal to access a resource, the principal must have permission in its identity-based policy and meet the conditions of the resource-based policy. For more information, see Identity-based policies and resource-based policies in the IAM documentation.
The following conditions help restrict access to trusted sources and reduce the risk of unintended access:
- Restrict access to principals in a specified organization (defined in AWS Organizations) by using the aws:PrincipalOrgID condition.
- Restrict access to traffic that originates from a specific VPC or VPC endpoint by using the aws:SourceVpc or aws:SourceVpce condition, respectively.
- Allow or deny traffic based on the source IP address by using an aws:SourceIp condition.
The following example shows a resource-based policy that uses the aws:PrincipalOrgID condition to allow only principals in your organization to access an Amazon S3 bucket. Replace o-xxxxxxxxxxx with your organization ID and bucket-name with your bucket name:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFromOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "<o-xxxxxxxxxxx>"
        }
      }
    }
  ]
}
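To show how the condition keys listed above gate a request, here is an added example (not part of the AWS guidance, and not how IAM is implemented) that evaluates a simplified model of the bucket policy against a request context. The policy below is constructed: it combines the page's aws:PrincipalOrgID condition with an aws:SourceIp condition, and the organization ID and CIDR are placeholders.

```python
import ipaddress

# Constructed policy: the page's organization-scoped bucket policy plus an
# aws:SourceIp condition. "o-exampleorgid" and 203.0.113.0/24 are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromOrganization",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket-name/*",
        "Condition": {
            "StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"},
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        },
    }],
}


def _value_matches(operator, expected, actual):
    """Apply one operator to one context value; a list of expected values is OR-ed."""
    if operator not in ("StringEquals", "IpAddress"):
        raise ValueError(f"unsupported condition operator: {operator}")
    if actual is None:
        # Key missing from the request context (for example aws:PrincipalOrgID for
        # a principal that belongs to no organization): the condition is not met.
        return False
    for candidate in ([expected] if isinstance(expected, str) else expected):
        if operator == "StringEquals" and actual == candidate:
            return True
        if operator == "IpAddress" and \
                ipaddress.ip_address(actual) in ipaddress.ip_network(candidate):
            return True
    return False


def conditions_match(statement, context):
    """Every operator/key pair in the Condition block must hold (AND across keys)."""
    return all(
        _value_matches(operator, expected, context.get(key))
        for operator, keys in statement.get("Condition", {}).items()
        for key, expected in keys.items()
    )


def is_allowed(policy, context):
    """Simplified check: an explicit Deny whose conditions match wins; otherwise any
    matching Allow permits; otherwise implicit deny. Principal/Action/Resource
    matching and the caller's identity-based policy are out of scope here."""
    statements = policy["Statement"]
    if any(s["Effect"] == "Deny" and conditions_match(s, context) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and conditions_match(s, context) for s in statements)
```

The request context is a plain dict keyed by condition key name; a request from a principal outside the organization, or one where the key is simply absent, fails the StringEquals check and is therefore denied.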