- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- CNAPP
- :
- S3 Bucket GSL Rule with dynamic accountID alignmen...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
S3 Bucket GSL Rule with dynamic accountID alignment
Hello there,
I want to create a new rule in CloudGuard related to S3 Buckets. I want to check in my rule if a condition in a bucket policy is existing and if yes, the condition should contain aws:PrincipalArn BUT just with allowed AWS Account IDs. The aws:PrincipalArn attribute is basically defined in AWS with the following format:
- arn:aws:iam::<account-id>:role
Means the ARN contains always an account number. The first part of the ARN “arn:aws:iam::” and the last part “:role” are static. The “<account-id>” part is dynamic.
My plan is to align the account number with the existing account numbers by the custom resource "AccountIDs_AWS_CGAutoManagedList", which contains by default all accountIDs by the accounts which are onboarded to CloudGuard.
I am looking for a way to check this in my rule, means… if you are using a condition, ensure that the aws:PrincipalArn is an ARN by one of our cloud accounts. My fist intention was to use the GSL join() function like:
- should have policy.Statement with [ Condition.StringEquals contain-any [ aws:PrincipalArn contain-all [ join(‘arn:aws:iam::’, in($AccountIDs_AWS_CGAutoManagedList), ‘:role’ ] ] ]
But this didn’t work. Maybe someone made already experience with this and could support me solving my issue or have any ideas.
Thanks a lot in advance!
- Labels:
-
Custom Resources
-
GSL
-
Rule
-
S3
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
2 |
Tue 02 Apr 2024 @ 05:00 PM (CEST)
CloudGuard Under the Hood: VMware NSX-T East-West SecurityTue 02 Apr 2024 @ 05:00 PM (CEST)
CloudGuard Under the Hood: VMware NSX-T East-West Security