
S3 Bucket GSL Rule with dynamic accountID alignment

Hello there,

I want to create a new rule in CloudGuard related to S3 Buckets. I want my rule to check whether a condition exists in a bucket policy and, if so, that the condition contains aws:PrincipalArn BUT only with allowed AWS Account IDs. The aws:PrincipalArn attribute is basically defined in AWS with the following format:

  • arn:aws:iam::<account-id>:role

This means the ARN always contains an account number. The first part of the ARN "arn:aws:iam::" and the last part ":role" are static. The "<account-id>" part is dynamic.

My plan is to align the account number with the existing account numbers using the custom resource "AccountIDs_AWS_CGAutoManagedList", which by default contains the account IDs of all accounts onboarded to CloudGuard.


I am looking for a way to check this in my rule, meaning: if a condition is used, ensure that the aws:PrincipalArn is an ARN of one of our cloud accounts. My first intention was to use the GSL join() function like:

  • should have policy.Statement with [ Condition.StringEquals contain-any [ aws:PrincipalArn contain-all [ join('arn:aws:iam::', in($AccountIDs_AWS_CGAutoManagedList), ':role') ] ] ]


But this didn't work. Maybe someone has already had experience with this and could support me in solving my issue, or has any ideas.


Thanks a lot in advance!

5 Replies
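As an added example (not the poster's GSL and not CloudGuard code), the same check expressed in Python against a bucket policy document: every aws:PrincipalArn under Condition.StringEquals must be a role ARN whose account ID is in the onboarded list. The allowed-account set and the sample policy are constructed stand-ins for AccountIDs_AWS_CGAutoManagedList and a real bucket policy; the regex additionally accepts an optional /role-name suffix, since real IAM role ARNs carry one.

```python
import json
import re
from typing import Iterable, List

# Constructed stand-in for the CloudGuard list AccountIDs_AWS_CGAutoManagedList.
ALLOWED_ACCOUNT_IDS = {"111111111111", "222222222222"}

# arn:aws:iam::<account-id>:role, optionally followed by /<role-name> as real role ARNs are.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role(?:/.+)?$")

def _as_list(value) -> list:
    """IAM policy JSON allows a single string wherever a list is expected."""
    return value if isinstance(value, list) else [value]

def check_principal_arn_conditions(policy_json: str,
                                   allowed: Iterable[str] = ALLOWED_ACCOUNT_IDS) -> List[str]:
    """Return a finding for every aws:PrincipalArn in a Condition.StringEquals block
    that is not a role ARN in an allowed account. Statements without that condition
    are not checked, matching the rule's "if a condition is used" scope."""
    allowed = set(allowed)
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        values = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalArn")
        if values is None:
            continue
        for arn in _as_list(values):
            m = ROLE_ARN_RE.match(arn)
            if not m:
                findings.append(f"Statement[{idx}]: {arn!r} is not an IAM role ARN")
            elif m.group(1) not in allowed:
                findings.append(f"Statement[{idx}]: account {m.group(1)} is not onboarded to CloudGuard")
    return findings

# Constructed sample bucket policy: statement 1 mixes an onboarded and a foreign account,
# statement 2 uses a different condition key (skipped), statement 3 names a user, not a role.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalArn": "arn:aws:iam::111111111111:role/Deploy"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:PrincipalArn": ["arn:aws:iam::222222222222:role",
                                                        "arn:aws:iam::333333333333:role/Partner"]}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalArn": "arn:aws:iam::444444444444:user/bob"}}},
]})

if __name__ == "__main__":
    for finding in check_principal_arn_conditions(SAMPLE_POLICY):
        print(finding)
```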