AWS Access Policy Cross-Account Access Controls

Overview

This guide describes how Turbot evaluates and manages cross-account access in resource-based access policies, e.g., IAM role trust policies, S3 bucket policies and SQS queue access policies, and how to configure Turbot policies to deny untrusted cross-account access.

Elements in a Policy

The basic elements in a policy are:

  • Sid: Unique identifier for each statement
  • Effect: Can be set to “Allow” or “Deny”
  • Principal: Principal entity that is allowed/denied access to the resource(s)
  • Action: IAM actions that are allowed/denied
  • Resource: Object(s) included in this statement
  • Condition: Specify conditions for when this statement is in effect

More information on all elements can be found in IAM JSON Policy Elements Reference.

Process of Evaluating Cross-Account Access

The Principal element of a statement supports the following types:

  • AWS: AWS account ID, or the ARN of an account root, IAM user, or IAM role
  • Federated: Web identity source, e.g., graph.facebook.com, accounts.google.com, or SAML identity provider
  • Service: AWS service, e.g., cloudtrail.amazonaws.com, s3.amazonaws.com
  • Anonymous: Grant anonymous access with * or "AWS": "*"

Only AWS principals and Federated principals that name a SAML identity provider are checked for cross-account access; the other principal types are evaluated by their own guardrails. For instance, the following S3 bucket policy allows s3:Get* access to AWS accounts 290421329364 and 123123123123:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "test2",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::290421329364:root",
          "arn:aws:iam::123123123123:root"
        ]
      },
      "Action": [
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::test-cross-account"
    }
  ]
}

Assuming that 290421329364 is the account that owns the bucket and 123123123123 is an untrusted account, 123123123123 will be marked for removal from the S3 bucket policy.

Removing Cross-Account Access

Using the same S3 bucket policy example from above, AWS account 123123123123 is marked as untrusted:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "test2",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::290421329364:root",
          "arn:aws:iam::123123123123:root"
        ]
      },
      "Action": [
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::test-cross-account"
    }
  ]
}

If AWS > S3 > Bucket Policy Cross-Account Access is set to Enforce: Deny cross-account access or to Enforce: Deny cross-account access except from AWS > S3 > Trusted Accounts, Turbot removes only the untrusted account's principal from the Principal element and updates the bucket policy; the owning account's principal is left in place:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "test2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::290421329364:root"
      },
      "Action": [
        "s3:Get*"
      ],
      "Resource": "arn:aws:s3:::test-cross-account"
    }
  ]
}

If a statement's Principal element is empty after Turbot removes the untrusted principals, the whole statement is deleted, since a statement must name at least one principal.

Restricting Cross-Account Access to IAM Roles

Cross-account access to IAM roles can be prevented through AWS > IAM > Role Trust Policy Cross-Account Access, which is set to Skip by default. This policy currently supports the following values:

Skip
Check: Deny cross-account access
Check: Deny cross-account access except from IAM > Trusted Accounts (DEPRECATED)
Check: Deny cross-account access except from AWS > IAM > Trusted Accounts
Enforce: Deny cross-account access
Enforce: Deny cross-account access except from IAM > Trusted Accounts (DEPRECATED)
Enforce: Deny cross-account access except from AWS > IAM > Trusted Accounts

Note: The following values have been deprecated and will be removed in a future major version:

  • Check: Deny cross-account access except from IAM > Trusted Accounts
  • Enforce: Deny cross-account access except from IAM > Trusted Accounts

Setting the policy value to Enforce: Deny cross-account access will remove ANY cross-account access in the principal field of each statement, even if the accounts are in AWS > IAM > Trusted Accounts.

To allow specific trusted accounts access:

  • Set AWS > IAM > Role Trust Policy Cross-Account Access to Check/Enforce: Deny cross-account access except from AWS > IAM > Trusted Accounts
  • Add the AWS account IDs and/or Turbot account IDs to AWS > IAM > Trusted Accounts, e.g.,
- 123456123456
- 388229429392
- abc

Note: The account that the role was created in is always treated as a trusted account, even if not specified in AWS > IAM > Trusted Accounts.

If a statement has no principals after cross-account access has been removed, then the statement will be deleted. If this would remove every statement from the role trust policy, Turbot instead replaces the statements with a single statement that allows the root ARN of the account the role lives in to assume the role, because a role trust policy cannot be empty or deleted.

Restricting Cross-Account Access to S3 Buckets

Cross-account access to S3 buckets can be prevented through AWS > S3 > Bucket Cross-Account Access, which is set to Skip by default. This policy currently supports the following values:

Skip
Check: Deny cross-account access
Check: Deny cross-account access except from S3 > Trusted Accounts (DEPRECATED)
Check: Deny cross-account access except from AWS > S3 > Trusted Accounts
Enforce: Deny cross-account access
Enforce: Deny cross-account access except from S3 > Trusted Accounts (DEPRECATED)
Enforce: Deny cross-account access except from AWS > S3 > Trusted Accounts

Note: The following values have been deprecated and will be removed in a future major version:

  • Check: Deny cross-account access except from S3 > Trusted Accounts
  • Enforce: Deny cross-account access except from S3 > Trusted Accounts

Setting the policy value to Enforce: Deny cross-account access will remove ANY cross-account access in the principal field of each statement, even if the accounts are in AWS > S3 > Trusted Accounts.

To allow specific trusted accounts access:

  • Set AWS > S3 > Bucket Cross-Account Access to Check/Enforce: Deny cross-account access except from AWS > S3 > Trusted Accounts
  • Add the AWS account IDs and/or Turbot account IDs to AWS > S3 > Trusted Accounts, e.g.,
- 123456123456
- 388229429392
- abc

Note: The account that the bucket was created in is always treated as a trusted account, even if not specified in AWS > S3 > Trusted Accounts.

If a statement has no principals after cross-account access has been removed, then the statement will be deleted. If Turbot deletes statements from the bucket policy and there are no statements left, then the bucket policy will be deleted.

Restricting Cross-Account Access to SQS Queues

Cross-account access to SQS queues can be prevented through AWS > SQS > Queue Access Policy Cross-Account Access, which is set to Skip by default. This policy currently supports the following values:

Skip
Check: Policy does not allow cross-account access (DEPRECATED)
Check: Deny cross-account access
Check: Deny cross-account access except from AWS > SQS > Trusted Accounts
Enforce: Policy does not allow cross-account access (DEPRECATED)
Enforce: Deny cross-account access
Enforce: Deny cross-account access except from AWS > SQS > Trusted Accounts

Note: The following values have been deprecated and will be removed in a future major version:

  • Check: Policy does not allow cross-account access
  • Enforce: Policy does not allow cross-account access

Setting the policy value to Enforce: Deny cross-account access will remove ANY cross-account access in the principal field of each statement, even if the accounts are in AWS > SQS > Trusted Accounts.

To allow specific trusted accounts access:

  • Set AWS > SQS > Queue Access Policy Cross-Account Access to Check/Enforce: Deny cross-account access except from AWS > SQS > Trusted Accounts
  • Add the AWS account IDs and/or Turbot account IDs to AWS > SQS > Trusted Accounts, e.g.,
- 123456123456
- 388229429392
- abc

Note: The account that the queue was created in is always treated as a trusted account, even if not specified in AWS > SQS > Trusted Accounts.

If a statement has no principals after cross-account access has been removed, then the statement will be deleted. If Turbot deletes statements from the queue access policy and there are no statements left, then the queue access policy will be deleted.
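The evaluation and enforcement behaviour described above (which principal types are checked, removal of untrusted principals, deletion of statements left without a principal, deletion of an emptied bucket or queue policy, and the root-account fallback for an emptied role trust policy) is modelled below in Python as an added example. This is not Turbot's code and does not call Turbot's API; it is a stand-alone reference model for checking what an enforcement run would do to a policy. The account IDs are the page's constructed examples, not real accounts. Two points the page does not state are assumptions here: only Allow statements are inspected (removing an external account from a Deny statement would widen access rather than narrow it), and only ARNs in the standard aws partition are recognised.

```python
import re
from copy import deepcopy

# Constructed sample account IDs from the page's example; not real accounts.
OWNER_ACCOUNT = "290421329364"
UNTRUSTED_ACCOUNT = "123123123123"

# Assumption: only the standard "aws" partition is recognised.
_IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(.+)$")
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def principal_account(ptype, value):
    """Account ID behind an "AWS" or SAML "Federated" principal, else None.

    None covers what the page says other guardrails handle: "*" / anonymous,
    "Service" principals and web identity providers such as accounts.google.com.
    """
    if ptype == "AWS":
        if _ACCOUNT_ID.match(value):
            return value
        m = _IAM_ARN.match(value)          # root, user/... or role/... ARN
        return m.group(1) if m else None   # "*" matches neither pattern
    if ptype == "Federated":
        m = _IAM_ARN.match(value)
        if m and m.group(2).startswith("saml-provider/"):
            return m.group(1)
    return None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def untrusted_principals(statement, owner_account, trusted=()):
    """(type, value) principals whose account is neither the owner nor trusted.

    Assumption (the page does not say): only Allow statements are inspected, since
    dropping an external account from a Deny statement would widen access.
    """
    if statement.get("Effect") != "Allow":
        return []
    principal = statement.get("Principal")
    if not isinstance(principal, dict):    # "Principal": "*" is anonymous access
        return []
    found = []
    for ptype, values in principal.items():
        for value in _as_list(values):
            account = principal_account(ptype, value)
            if account not in (None, owner_account) and account not in trusted:
                found.append((ptype, value))
    return found


def enforce(policy, owner_account, trusted=(), kind="resource"):
    """Apply the page's Enforce behaviour; return (new_policy, removed_principals).

    kind="resource": bucket/queue policy, returned as None (deleted) when no
    statements remain. kind="role_trust": a trust policy cannot be empty, so it is
    replaced by one statement letting the owning account's root ARN assume the role.
    """
    policy = deepcopy(policy)
    removed, kept = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        to_drop = untrusted_principals(stmt, owner_account, trusted)
        if to_drop:
            drop = set(to_drop)
            new_principal = {}
            for ptype, values in stmt["Principal"].items():
                left = [v for v in _as_list(values) if (ptype, v) not in drop]
                if left:  # collapse a one-element list to a string, as the page shows
                    new_principal[ptype] = left[0] if len(left) == 1 else left
            removed.extend(v for _, v in to_drop)
            if not new_principal:
                continue  # a statement with no principals is deleted
            stmt["Principal"] = new_principal
        kept.append(stmt)
    if not kept:
        if kind != "role_trust":
            return None, removed
        kept = [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"}}]
    policy["Statement"] = kept
    return policy, removed


# Constructed inputs: the page's bucket policy, and a trust policy whose only
# principal is the untrusted account.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "test2", "Effect": "Allow", "Action": ["s3:Get*"],
    "Principal": {"AWS": [f"arn:aws:iam::{OWNER_ACCOUNT}:root",
                          f"arn:aws:iam::{UNTRUSTED_ACCOUNT}:root"]},
    "Resource": "arn:aws:s3:::test-cross-account"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{UNTRUSTED_ACCOUNT}:root"}}]}

if __name__ == "__main__":
    print(enforce(BUCKET_POLICY, OWNER_ACCOUNT))
    print(enforce(TRUST_POLICY, OWNER_ACCOUNT, kind="role_trust"))
```

Running the module prints the bucket policy with only the owning account left in the Principal element, and the emptied trust policy replaced by the single sts:AssumeRole statement for the owner's root ARN. Passing trusted=(UNTRUSTED_ACCOUNT,) models the "except from ... Trusted Accounts" variants and leaves the bucket policy unchanged; calling enforce on the trust policy with the default kind="resource" shows the bucket/queue behaviour instead, where an emptied policy is deleted (returned as None).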
