- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- CNAPP
- :
- Re: S3 Bucket GSL Rule with dynamic accountID alig...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
S3 Bucket GSL Rule with dynamic accountID alignment
Hello there,
I want to create a new rule in CloudGuard related to S3 Buckets. I want to check in my rule if a condition in a bucket policy is existing and if yes, the condition should contain aws:PrincipalArn BUT just with allowed AWS Account IDs. The aws:PrincipalArn attribute is basically defined in AWS with the following format:
- arn:aws:iam::<account-id>:role
Means the ARN contains always an account number. The first part of the ARN “arn:aws:iam::” and the last part “:role” are static. The “<account-id>” part is dynamic.
My plan is to align the account number with the existing account numbers by the custom resource "AccountIDs_AWS_CGAutoManagedList", which contains by default all accountIDs by the accounts which are onboarded to CloudGuard.
I am looking for a way to check this in my rule, means… if you are using a condition, ensure that the aws:PrincipalArn is an ARN by one of our cloud accounts. My fist intention was to use the GSL join() function like:
- should have policy.Statement with [ Condition.StringEquals contain-any [ aws:PrincipalArn contain-all [ join(‘arn:aws:iam::’, in($AccountIDs_AWS_CGAutoManagedList), ‘:role’ ] ] ]
But this didn’t work. Maybe someone made already experience with this and could support me solving my issue or have any ideas.
Thanks a lot in advance!
- Labels:
-
Custom Resources
-
GSL
-
Rule
-
S3
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Shay_Levin can you please assist?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The auto-managed lists support an exact match. Therefore, in order to solve the issue, you will need to create a list containing the ARN to compare to.
Thanks,
Nir Azriel
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nir,
thanks a lot is there any possibility to use this list as it is and combine it with a function (e.g. join() or something) to an ARN within in the rule ?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or maybe to us this list with a wildcard search within the rule? Actually I just want to check if the account number is valid
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This functionality is not supported currently.
Thanks,
Nir