S3 Bucket GSL Rule with dynamic accountID alignment
I want to create a new rule in CloudGuard related to S3 Buckets. I want to check in my rule whether a condition in a bucket policy exists and, if yes, the condition should contain aws:PrincipalArn BUT only with allowed AWS Account IDs. The aws:PrincipalArn attribute is basically defined in AWS with the following format:
This means the ARN always contains an account number. The first part of the ARN "arn:aws:iam::" and the last part ":role" are static. The "<account-id>" part is dynamic.
My plan is to align the account number with the existing account numbers via the custom resource "AccountIDs_AWS_CGAutoManagedList", which by default contains all account IDs of the accounts that are onboarded to CloudGuard.
I am looking for a way to check this in my rule, meaning: if you are using a condition, ensure that the aws:PrincipalArn is an ARN of one of our cloud accounts. My first intention was to use the GSL join() function like:
- should have policy.Statement with [ Condition.StringEquals contain-any [ aws:PrincipalArn contain-all [ join('arn:aws:iam::', in($AccountIDs_AWS_CGAutoManagedList), ':role') ] ] ]
But this didn't work. Maybe someone already has experience with this and could support me in solving my issue or has any ideas.
Thanks a lot in advance!
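The check described in the post, expressed outside GSL as an added example (not code from the post or from CloudGuard): parse a bucket policy, pull every aws:PrincipalArn value out of StringEquals conditions, extract the dynamic account ID between the static "arn:aws:iam::" and ":role" parts, and report any value whose account is not on the allowlist. The allowlist and the bucket policy are constructed samples standing in for the AccountIDs_AWS_CGAutoManagedList resource and a real bucket policy; the function names are my own.

```python
import json
import re

# Matches the static parts of the aws:PrincipalArn format from the post and
# captures the dynamic 12-digit account ID between them.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")


def account_id_of(arn):
    """Return the account ID embedded in an IAM role ARN, or None if the
    value does not follow the arn:aws:iam::<account-id>:role/... format."""
    m = ROLE_ARN_RE.match(arn)
    return m.group(1) if m else None


def foreign_principal_arns(policy, allowed_accounts):
    """Return every aws:PrincipalArn value in a StringEquals condition whose
    account ID is not in allowed_accounts (or that is not a role ARN at all).
    An empty list means the policy passes the check described in the post."""
    allowed = set(allowed_accounts)
    violations = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        arns = cond.get("aws:PrincipalArn", [])
        if isinstance(arns, str):         # condition values may be a string or a list
            arns = [arns]
        for arn in arns:
            if account_id_of(arn) not in allowed:
                violations.append(arn)
    return violations


# Constructed sample: stand-in for the managed list of onboarded account IDs.
ALLOWED_ACCOUNTS = ["111111111111", "222222222222"]

# Constructed sample bucket policy: one condition with onboarded accounts only,
# one that also names a role in an account we do not own.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalArn": "arn:aws:iam::111111111111:role/Reader"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalArn": [
        "arn:aws:iam::222222222222:role/Writer",
        "arn:aws:iam::999999999999:role/Outsider"]}}}
  ]
}
""")

if __name__ == "__main__":
    print(foreign_principal_arns(SAMPLE_POLICY, ALLOWED_ACCOUNTS))
```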