Noam Dahan
@noamdahan.bsky.social
Cloud security researcher at CrowdStrike, European Universities Debating Champion (for my sins). My 5th grade teacher said I was disruptive.
RCPs apply to every request directed at a resource in the account. So we can implement the policy we wanted.
Not only that, we can set trust boundaries for IAM roles (e.g. only directly exempted accounts can AssumeRole into our org's identities). More here:
github.com/aws-samples/...
/fin
Not only that, we can set trust boundaries for IAM roles (e.g. only directly exempted accounts can AssumeRole into our org's identities). More here:
github.com/aws-samples/...
/fin
![VS Code screenshot:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceOrgIdentities",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::AwesomeCats-af4v81b2",
"arn:aws:s3:::AwesomeCats-af4v81b2/*"
],
"Condition": {
"StringNotEqualsIfExists": {
"aws:PrincipalOrgID": "<my-org-id>",
"aws:PrincipalAccount": [
"<load-balancing-account-id>",
"<fin-space-account-id>",
"<third-party-account-a>",
"<third-party-account-b>"
],
"aws:ResourceTag/dp:exclude:identity": "true"
},
"BoolIfExists": {
"aws:PrincipalIsAWSService": "false"
}
}
}
]
}](https://cdn.bsky.app/img/feed_thumbnail/plain/did:plc:m76pqh5glrkcipnlx5vocvri/bafkreidljhygvynifizgak5kik3izpcdtxkeb3wceufsfr2emlhxwciz2y@jpeg)
November 15, 2024 at 11:02 AM
RCPs apply to every request directed at a resource in the account. So we can implement the policy we wanted.
Not only that, we can set trust boundaries for IAM roles (e.g. only directly exempted accounts can AssumeRole into our org's identities). More here:
github.com/aws-samples/...
/fin
Not only that, we can set trust boundaries for IAM roles (e.g. only directly exempted accounts can AssumeRole into our org's identities). More here:
github.com/aws-samples/...
/fin
RCPs (Resource Control Policies) launched in AWS, yay!
I imagine the reactions are generally divided into three:
1. This is awesome! We've been waiting for this for a long time! (yes you're very itk see you at fwd:cloudsec)
2. Cool! Love it! What are they?
3. Didn't SCPs already solve that? 🤔
🧵
I imagine the reactions are generally divided into three:
1. This is awesome! We've been waiting for this for a long time! (yes you're very itk see you at fwd:cloudsec)
2. Cool! Love it! What are they?
3. Didn't SCPs already solve that? 🤔
🧵
November 15, 2024 at 11:02 AM
RCPs (Resource Control Policies) launched in AWS, yay!
I imagine the reactions are generally divided into three:
1. This is awesome! We've been waiting for this for a long time! (yes you're very itk see you at fwd:cloudsec)
2. Cool! Love it! What are they?
3. Didn't SCPs already solve that? 🤔
🧵
I imagine the reactions are generally divided into three:
1. This is awesome! We've been waiting for this for a long time! (yes you're very itk see you at fwd:cloudsec)
2. Cool! Love it! What are they?
3. Didn't SCPs already solve that? 🤔
🧵