AWS CloudFormation template: using conditions to scope

1
votes

I am attempting to use conditions to scope a resource in a CloudFormation template but am having no luck. I attempted to use "Deny: NotPrincipal" as shown below but that action is not allowed due to an error "Policy document should not specify a principal". Any suggestions on how to scope ec2:CopyImage to only a specific role would be greatly appreciated. Thank you

        {
          "Sid": "DenyCopyAMI",
          "Effect": "Deny",
          "NotPrincipal": {
            "AWS": [
              "arn:aws:sts::*:assumed-role/EngineeringRole/*",
              "arn:aws:sts::*:assumed-role/PlatformRole/*",
              "arn:aws:iam::*:role/EngineeringRole/*",
              "arn:aws:iam::*:role/PlatformRole/*"
            ]
          },
1
amazon-web-servicesconditional-statementsamazon-cloudformation

1 Answers

0
votes

Here is an article from AWS on restricting access to a role.

use iam get-role to find the RoleId and add it to the policy condition under aws:userId

aws iam get-role --role-name Test-Role

IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:CopyImage",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "AROAJPXXXXXJE5XOMQARS:*",
                        "AROAJPXXXXXJE5XOMQARS:*",
                        "AROAJXXXXXXV3EZVH2W5A:*",
                        "AROAJXXXXXXBH4XK552KI:*"
                    ]
                }
            }
        }
    ]
}