This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mrcx
Explorer
‎2022-02-09 05:06 AM

S3 Bucket GSL Rule with dynamic accountID alignment

Hello there,

I want to create a new rule in CloudGuard related to S3 Buckets. I want to check in my rule if a condition in a bucket policy is existing and if yes, the condition should contain aws:PrincipalArn BUT just with allowed AWS Account IDs. The aws:PrincipalArn attribute is basically defined in AWS with the following format:

 

  • arn:aws:iam::<account-id>:role

 

Means the ARN contains always an account number. The first part of the ARN “arn:aws:iam::” and the last part “:role” are static. The “<account-id>” part is dynamic.

My plan is to align the account number with the existing account numbers by the custom resource "AccountIDs_AWS_CGAutoManagedList", which contains by default all accountIDs by the accounts which are onboarded to CloudGuard. 

 

I am looking for a way to check this in my rule, means… if you are using a condition, ensure that the aws:PrincipalArn is an ARN by one of our cloud accounts. My fist intention was to use the GSL join() function like:

 

  • should have policy.Statement with [ Condition.StringEquals contain-any [ aws:PrincipalArn contain-all [ join(‘arn:aws:iam::’, in($AccountIDs_AWS_CGAutoManagedList), ‘:role’ ] ] ]

 

But this didn’t work. Maybe someone made already experience with this and could support me solving my issue or have any ideas.

 

Thanks a lot in advance!

Labels
0 Kudos
5 Replies
_Val_
Admin
Admin
‎2022-02-12 06:15 AM

@Shay_Levin can you please assist?

0 Kudos
NirAz
Employee Alumnus
Employee Alumnus
‎2022-02-13 04:00 AM

Hi,

The auto-managed lists support an exact match. Therefore, in order to solve the issue, you will need to create a list containing the ARN to compare to.

 

Thanks,

Nir Azriel

0 Kudos
mrcx
Explorer
‎2022-02-15 06:29 AM
In response to NirAz

Hi Nir,

thanks a lot is there any possibility to use this list as it is and combine it with a function (e.g. join() or something) to an ARN within in the rule ?

0 Kudos
mrcx
Explorer
‎2022-02-15 06:31 AM
In response to NirAz

Or maybe to us this list with a wildcard search within the rule? Actually I just want to check if the account number is valid 

0 Kudos
NirAz
Employee Alumnus
Employee Alumnus
‎2022-02-16 10:55 PM
In response to mrcx

Hi,

This functionality is not supported currently.

 

Thanks,

Nir

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    Sort by:
    Virtual

    Thu 03 Apr 2025 @ 10:00 AM (CEST)

    CheckMates Live BeLux: Cloudguard WAF
    Virtual

    Thu 03 Apr 2025 @ 10:00 AM (CEST)

    CheckMates Live BeLux: Cloudguard WAF
    All CloudMates Events
    Top