AWS Filtering
We'll go through all the available access-types for AWS request filtering.
Filtering on tags
Policies and permission sets can be filtered based on their tags in AWS. To do this, use the tag access-type. The key is the tag key, and the pattern matches on the tag value.
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep|remove|removeAll
      key: <tag key>
      pattern: <regex pattern>
Allow requesting only policies and permission sets with the tag "environment" set to "dev":
resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep
      key: environment
      pattern: ^dev$
Filtering on IAM groups
To filter on IAM group requests, we can use the group access-type. There is a single available key, name, which refers to the name of the IAM group.
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    group:
      effect: keep|remove|removeAll
      key: name
      pattern: <regex pattern>
Allow requesting any IAM group except for "Admin":
resource:
  type: integration
  service: aws
  filters:
    group:
      effect: remove
      key: name
      pattern: ^Admin$
Filtering on permission sets
To filter on Identity Center permission set requests, we can use the permission-set access-type. There are two available keys, name (the name of the permission set) and arn (the ARN of the permission set).
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep|remove|removeAll
      key: name | arn
      pattern: <regex pattern>
Allow requesting only permission sets with "project-1" in the name:
resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep
      key: name
      pattern: project-1
Filtering on policies
To filter on IAM policy requests, we can use the policy access-type. There is a single available key, arn, which refers to the ARN of the IAM policy.
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep|remove|removeAll
      key: arn
      pattern: <regex pattern>
Allow requesting only AmazonS3 predefined (AWS managed) policies:
resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep
      key: arn
      pattern: ^arn:aws:iam::aws:policy/AmazonS3
Filtering on resources
To filter on permission requests, we can use the resource access-type. There are three available keys:
name: The name of the resource.
service: The AWS service the resource belongs to, for example s3 or sagemaker. It is the component of the resource ARN that follows arn:aws:. For example, if the ARN is arn:aws:iam::391052057035:role/AmazonEKSNodeRole, the service is iam.
arn: The ARN of the resource.
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|service|arn
      pattern: <regex pattern>
Allow requesting only S3 resources:
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: service
      pattern: ^s3$
Allow requesting any resource except for IAM resources:
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: service
      pattern: ^iam$
Allow requesting any resource containing "project-1" in the name:
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: name
      pattern: project-1
Allow requesting only S3 buckets with names starting with "dev":
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: arn
      pattern: ^arn:aws:s3:::dev
Allow requesting any resource except for the S3 bucket named "top-secret-bucket":
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: arn
      pattern: ^arn:aws:s3:::top-secret-bucket$
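As an added illustration (this is not the product's own code), the following Python evaluator applies the rule shapes from this page to a few constructed sample records, so you can see what a given effect/key/pattern combination actually lets through. The keep/remove semantics and the search-style (substring) regex matching are assumptions inferred from the examples above, and removeAll is not modelled.

```python
import re

# Constructed sample records, not data from the page: each carries the keys
# the filters select on (name, service, arn) plus its AWS tags.
RESOURCES = [
    {"name": "Admin", "service": "iam",
     "arn": "arn:aws:iam::111122223333:group/Admin", "tags": {}},
    {"name": "Developers", "service": "iam",
     "arn": "arn:aws:iam::111122223333:group/Developers", "tags": {}},
    {"name": "dev-logs", "service": "s3", "arn": "arn:aws:s3:::dev-logs",
     "tags": {"environment": "dev"}},
    {"name": "top-secret-bucket", "service": "s3",
     "arn": "arn:aws:s3:::top-secret-bucket",
     "tags": {"environment": "development"}},
]

def service_from_arn(arn):
    """The service is the ARN component right after 'arn:aws:' (e.g. 'iam', 's3')."""
    return arn.split(":")[2]

def selected_value(rule, resource):
    """Value the rule's key selects: a tag value for the tag access-type,
    otherwise the name/service/arn field itself (None if absent)."""
    if rule["type"] == "tag":
        return resource["tags"].get(rule["key"])
    return resource.get(rule["key"])

def allowed(rules, resource):
    """ASSUMED semantics (not stated on the page): every rule must pass.
    keep   -> the request survives only if the pattern matches;
    remove -> the request is dropped if the pattern matches.
    re.search is used, so an unanchored pattern matches a substring; that is
    why the page writes exact matches as ^...$."""
    for rule in rules:
        value = selected_value(rule, resource)
        hit = value is not None and re.search(rule["pattern"], value) is not None
        if rule["effect"] == "keep" and not hit:
            return False
        if rule["effect"] == "remove" and hit:
            return False
    return True

def requestable(rules):
    """Names of the sample resources that stay requestable under the rules."""
    return [r["name"] for r in RESOURCES if allowed(rules, r)]
```

Running the "except for Admin" rule with effect keep instead of remove returns only Admin, and the unanchored tag pattern dev also admits the "development" record, which is the reason to anchor exact matches.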