AWS Filtering
We'll go through all the available access-types for AWS request filtering.
Filtering on tags
Policies and permission sets can be filtered based on their tags in AWS. To do this, use the tag access-type. The key is the tag key, and the pattern matches on the tag value.
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep|remove|removeAll
      key: <tag key>
      pattern: <regex pattern>
Allow requesting only policies and permission sets with the tag "environment" set to "dev" (the pattern is anchored on both sides so that values such as "dev-2" or "predev" do not match):
resource:
  type: integration
  service: aws
  filters:
    tag:
      effect: keep
      key: environment
      pattern: ^dev$
Filtering on IAM groups
To filter on IAM group requests, we can use the group access-type. There is a single available key, name, which refers to the name of the IAM group.
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    group:
      effect: keep|remove|removeAll
      key: name
      pattern: <regex pattern>
Allow requesting any IAM group except for "Admin". Note that this requires the remove effect: keep with the same pattern would do the opposite and allow only the "Admin" group.
resource:
  type: integration
  service: aws
  filters:
    group:
      effect: remove
      key: name
      pattern: ^Admin$
Filtering on permission sets
To filter on Identity Center permission set requests, we can use the permission-set access-type. There are two available keys, name (the name of the permission set) and arn (the ARN of the permission set).
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep|remove|removeAll
      key: name | arn
      pattern: <regex pattern>
Allow requesting only permission sets with "project-1" anywhere in the name (the pattern is unanchored, so "project-10" also matches):
resource:
  type: integration
  service: aws
  filters:
    permission-set:
      effect: keep
      key: name
      pattern: project-1
Filtering on policies
To filter on IAM policy requests, we can use the policy access-type. There is a single available key, arn, which refers to the ARN of the IAM policy.
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep|remove|removeAll
      key: arn
      pattern: <regex pattern>
Allow requesting only AWS managed (predefined) policies whose name starts with "AmazonS3". Managed policies live in the "aws" pseudo-account, hence the arn:aws:iam::aws:policy/ prefix:
resource:
  type: integration
  service: aws
  filters:
    policy:
      effect: keep
      key: arn
      pattern: ^arn:aws:iam::aws:policy/AmazonS3
Filtering on resources
To filter on permission requests, we can use the resource access-type. There are 3 available keys:
name: the name of the resource.
service: the AWS service the resource belongs to, for example s3 or sagemaker. It is the segment of the resource ARN that follows arn:aws:. For example, if the ARN is arn:aws:iam::391052057035:role/AmazonEKSNodeRole, the service is iam.
arn: the ARN of the resource.
Rule structure:
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep|remove|removeAll
      key: name|service|arn
      pattern: <regex pattern>
Allow requesting only S3 resources:
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: service
      pattern: ^s3$
Allow requesting any resource except for IAM resources:
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: service
      pattern: ^iam$
Allow requesting any resource containing "project-1" in the name:
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: name
      pattern: project-1
Allow requesting only S3 buckets with names starting with "dev". Because this is a plain prefix match, bucket names such as "devops-logs" also match; if the intent is a "dev-" prefix, anchor more tightly with ^arn:aws:s3:::dev-.
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: keep
      key: arn
      pattern: ^arn:aws:s3:::dev
Allow requesting any resource except for the S3 bucket named "top-secret-bucket". As with the IAM group example, excluding a single item requires the remove effect; keep would allow only that bucket.
resource:
  type: integration
  service: aws
  filters:
    resource:
      effect: remove
      key: arn
      pattern: ^arn:aws:s3:::top-secret-bucket$
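The rules on this page are regular expressions applied to a group name, a tag value, a policy or resource ARN, or the service segment of an ARN, and two details decide whether a rule grants what was intended: whether keep or remove is used, and how tightly the pattern is anchored. The following Python is an added example written for this page, not the product's own filtering engine; it assumes search semantics (an unanchored pattern matches anywhere in the value), that keep retains only matches while remove drops them, and it does not model removeAll because the page does not define it. The resources, groups and account ID are constructed sample data.

```python
"""Illustrative evaluator for the keep/remove filter rules on this page.

Added example, not the product's own filtering engine. Assumptions the page
does not state: patterns use re.search semantics (an unanchored pattern
matches anywhere in the value); "keep" retains only matching items and
"remove" drops matching items; "removeAll" is not modelled because the page
does not define it. All resources and groups below are constructed sample
data with a fictional account ID.
"""
import re

# Constructed sample inventory (fictional ARNs, account ID 123456789012).
RESOURCES = [
    {"name": "dev-reports", "arn": "arn:aws:s3:::dev-reports"},
    {"name": "devops-logs", "arn": "arn:aws:s3:::devops-logs"},
    {"name": "top-secret-bucket", "arn": "arn:aws:s3:::top-secret-bucket"},
    {"name": "AmazonEKSNodeRole",
     "arn": "arn:aws:iam::123456789012:role/AmazonEKSNodeRole"},
    {"name": "project-1-notebook",
     "arn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/project-1-notebook"},
    {"name": "project-10-notebook",
     "arn": "arn:aws:sagemaker:us-east-1:123456789012:notebook-instance/project-10-notebook"},
]
GROUPS = [{"name": "Admin"}, {"name": "Developers"}, {"name": "AdminReadOnly"}]


def service_from_arn(arn: str) -> str:
    """Return the service segment of an ARN (arn:<partition>:<service>:...)."""
    parts = arn.split(":", 3)
    if len(parts) < 3 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[2]


def value_for(item: dict, key: str) -> str:
    """Resolve a filter key to the string the pattern is matched against."""
    if key == "service":
        return service_from_arn(item["arn"])
    return item[key]


def apply_filter(items, effect: str, key: str, pattern: str) -> list:
    """Apply one filter rule; raises on effects this example does not model."""
    if effect not in ("keep", "remove"):
        raise ValueError(f"effect {effect!r} is not modelled here")
    rx = re.compile(pattern)
    hits = [rx.search(value_for(item, key)) is not None for item in items]
    want = effect == "keep"  # keep retains hits, remove retains misses
    return [item for item, hit in zip(items, hits) if hit == want]


def names(items) -> list:
    """Convenience: the names of the items that survived a filter."""
    return [item["name"] for item in items]


if __name__ == "__main__":
    # The "except Admin" rule: keep and remove are inverses of each other.
    print("keep ^Admin$   ->", names(apply_filter(GROUPS, "keep", "name", "^Admin$")))
    print("remove ^Admin$ ->", names(apply_filter(GROUPS, "remove", "name", "^Admin$")))
    # Anchoring: a bare prefix or substring matches more than intended.
    print("^arn:aws:s3:::dev  ->", names(apply_filter(RESOURCES, "keep", "arn", "^arn:aws:s3:::dev")))
    print("^arn:aws:s3:::dev- ->", names(apply_filter(RESOURCES, "keep", "arn", "^arn:aws:s3:::dev-")))
    print("project-1          ->", names(apply_filter(RESOURCES, "keep", "name", "project-1")))
    print("^project-1-        ->", names(apply_filter(RESOURCES, "keep", "name", "^project-1-")))
```

Running the script shows the two pitfalls side by side: keep with ^Admin$ leaves only the Admin group, while remove with the same pattern leaves everything else, and the prefix ^arn:aws:s3:::dev admits the devops-logs bucket until it is tightened to ^arn:aws:s3:::dev-. Before deploying a rule, evaluate it against a realistic inventory in this way so that an over-broad pattern or an inverted effect is caught in review rather than in production.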