AWS Filtering

We'll go through all the available access-types for AWS request filtering.

Filtering on tags

Policies and permission sets can be filtered based on their tags in AWS. To do this, use the tag access-type. The key is the tag key, and the pattern matches on the tag value.

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep|remove|removeAll
      key: <tag key>
      pattern: <regex pattern>

Allow requesting only policies and permission sets with the tag "environment" set to "dev" :

resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep
      key: environment
      pattern: ^dev$

Filtering on IAM groups

To filter on IAM group requests, we can use the group access-type. There is a single available key, name, which refers to the name of the IAM group.

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    group:
      effect: keep|remove|removeAll
      key: name
      pattern: <regex pattern>

Allow requesting any IAM groups except for "Admin" :

resource:
  type: integration
  service: aws
  filters:
    group:
      effect: remove
      key: name
      pattern: ^Admin$

Filtering on permission sets

To filter on Identity Center permission set requests, we can use the permission-set access-type. There are two available keys, name (the name of the permission set) and arn (the ARN of the permission set).

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep|remove|removeAll
      key: name | arn
      pattern: <regex pattern>

Allow requesting only permission sets with "project-1" in the name:

resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep
      key: name
      pattern: project-1

Filtering on policies

To filter on IAM policy requests, we can use the policy access-type. There is a single available key, arn, which refers to the ARN of the IAM policy.

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep|remove|removeAll
      key: arn
      pattern: <regex pattern>

Allow requesting only AmazonS3 predefined policies:

resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep
      key: arn
      pattern: ^arn:aws:iam::aws:policy/AmazonS3

Filtering on resources

To filter on permission requests, we can use the resource access-type. There are 3 available keys:

  • name: This is the name of the resource.

  • service: This is the AWS service that the resource belongs to, for example s3 or sagemaker. It is found in the resource ARN, directly after arn:aws:. For example, if the ARN is arn:aws:iam::391052057035:role/AmazonEKSNodeRole, the service is iam.

  • arn: This is the ARN of the resource.

Rule structure:

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|service|arn
      pattern: <regex pattern>

Allow requesting only S3 resources:

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: service
      pattern: ^s3$

Allow requesting any resource except for IAM resources:

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: service
      pattern: ^iam$

Allow requesting any resource containing "project-1" in the name:

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: name
      pattern: project-1

Allow requesting only S3 buckets with names starting with "dev":

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: arn
      pattern: ^arn:aws:s3:::dev

Allow requesting any resource except for the S3 bucket named "top-secret-bucket":

resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: arn
      pattern: ^arn:aws:s3:::top-secret-bucket$
