We'll go through all the available access-types for AWS request filtering.
Filtering on tags
Policies and permission sets can be filtered based on their tags in AWS. To do this, use the tag access-type. The key is the tag key, and the pattern matches on the tag value.
To filter on IAM group requests, we can use the group access-type. There is a single available key, name, which refers to the name of the IAM group.
Rule structure:
Allow requesting any IAM groups except for "Admin" :
Filtering on permission sets
To filter on Identity Center permission set requests, we can use the permission-set access-type. There are two available keys, name (the name of the permission set) and arn (the ARN of the permission set).
' Rule structure:
Allow requesting only permission sets with "project-1" in the name:
Filtering on policies
To filter on IAM policy requests, we can use the policy access-type. There is a single available key, arn, which refers to the ARN of the IAM policy.
Rule structure:
Allow requesting only AmazonS3 predefined policies
Filtering on resources
To filter on permission requests, we can use the resource access-type. There are 3 available keys:
name: This is the name of the resource.
service: This is the AWS service that the resource belongs to: for example, s3, or sagemaker. It will found in the resource ARN, after arn:aws:. For example, if the ARN is arn:aws:iam::391052057035:role/AmazonEKSNodeRole the service is iam.
arn: This is the ARN of the resource.
Rule structure:
Allow requesting only S3 resources
Allow requesting any resource except for IAM resources
Allow requesting any resource containing "project-1" in the name
Allow requesting only S3 buckets with names starting with "dev"
Allow requesting any resource except for the S3 bucket named "top-secret-bucket"
