
When I look at a 'Request Context' in Cloudtrail, I see record contents listed here.

  1. Is there a mapping between the 'Request Context' record contents and the Condition keys?
    Or is it correct to say that it is not mandatory for a condition to be present in the 'Request Context' but a Condition Key corresponding to the condition may still be available (AWS magic) to be used in a policy to evaluate this request? Are AWS-wide keys that use the prefix aws: available in all Request Contexts?

  2. When I use a Condition Key in a policy, how can I be sure that the Condition key is present in the Request Context?
    Of course, I can add an "ifexists" clause to check for the availability of a Condition key but that is a 'catch all' mechanism. How can I be certain that I need not use "Ifexists" clause when checking a Condition in a policy?

I have posted a different but related question here as well.

3 Answers

1

Check out the Condition Keys Table to find the condition context keys available for an AWS Service that can be used in an IAM policy statement's Condition element.

junkangli
1

Cloudtrail event only has a subset of information from the Request Context. We never get to see the whole (details of an) AWS Request Context - a subset of it is logged as Record Contents in the Cloudtrail Event.

Cloudtrail Event and Request Context are 2 different things. You can view some information about the Request Context as Record Contents in the Cloudtrail Event (only AWS sees the whole Request Context and checks it against permissions granted through policies to Allow / Deny the request).

0

I think you are confusing content of CT log event data:

with IAM condition keys for CloudTrail:

Also, to check whether a policy key exists, use ...IfExists or a Null check.

If the key that you specify in a policy condition is not present in the request context, the values do not match.

The first one contains information about API calls in your CT trail, while the second is used in IAM policies to grant conditional permissions.

Marcin
  • Thanks @Marcin, so you mean to say that the Policy Evaluation mechanism in AWS has nothing to do with what is logged as a Request Context in Cloudtrail - right? The actual full 'Request Context' is probably not logged in Cloudtrail & only a subset from the actual full 'Request Context' is logged? – Abhishek Palakkal Kaliyath May 17 '20 at 07:39
  • @AbhishekPalakkalKaliyath Not sure what you mean. For example, when CT logs `errorMessage`, do you want to use `errorMessage` as a condition key in some IAM policy? Unfortunately, I don't know which fields recorded by CT can be used in IAM policies, if any. – Marcin May 17 '20 at 07:52
  • Ok @Marcin - I will explain. If I were to use "aws:SourceVpc" as a condition key, where is AWS looking for this information when evaluating permissions for a request - I thought AWS was looking in the 'Request Context' that also gets logged as an event in Cloudtrail. However, when I look at the Cloudtrail event, I could not see information about Source VPC recorded in the specific event. So, are they never visible to us or recorded anywhere? – Abhishek Palakkal Kaliyath May 17 '20 at 08:17
  • @AbhishekPalakkalKaliyath You mean [sessionContext](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in CT? This is only for temporary credentials (when you assume a role using sts). I don't think the actual request context that IAM uses to evaluate permissions is in the CT logs. – Marcin May 17 '20 at 09:06
  • Thanks @Marcin - "I don't think the actual request context that IAM uses to evaluate permissions is in the CT logs." - Yeah, this is what I was after. No, I was not after sessionContext in CT. I think I was confusing the details in Cloudtrail Events with the Request Context, as if they were the same. Like you said, we never get to see the whole details of an AWS Request Context - a subset of it is present in the Cloudtrail Event. Conversely, a Cloudtrail event logs some elements of the actual Request Context but not all elements. – Abhishek Palakkal Kaliyath May 17 '20 at 11:23
  • @AbhishekPalakkalKaliyath I agree. This seems to be the case. – Marcin May 17 '20 at 11:28
  • Done, I added a separate answer for clarity as well. – Abhishek Palakkal Kaliyath May 17 '20 at 11:48
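To make the ...IfExists / Null point in Marcin's answer concrete, here is a small added example (not from the question, the answers, or AWS) that models how IAM evaluates a policy Condition against a request context: a key missing from the context never matches a plain operator, matches an ...IfExists operator, and can be tested for directly with Null. The request contexts, the VPC id and the three condition blocks are constructed sample values.

```python
"""Toy model of IAM Condition evaluation (added example, not AWS code).

Only StringEquals, StringEqualsIfExists and Null are modelled, which is
enough to show the three outcomes the thread discusses for a key such as
aws:SourceVpc that is simply absent from many request contexts.
"""


def _string_equals(expected, actual):
    """StringEquals semantics: case-sensitive match against any listed value."""
    expected = expected if isinstance(expected, list) else [expected]
    return actual in expected


def evaluate_condition(condition, request_context):
    """Return True if every operator/key pair in `condition` is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in request_context
            actual = request_context.get(key)
            if operator == "Null":
                # "true" means the key must be absent, "false" means it must be present.
                want_absent = str(expected).lower() == "true"
                if present == want_absent:
                    return False
            elif operator == "StringEquals":
                # Documented default: a missing key never matches.
                if not present or not _string_equals(expected, actual):
                    return False
            elif operator == "StringEqualsIfExists":
                # ...IfExists: a missing key is treated as a match.
                if present and not _string_equals(expected, actual):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


# Constructed request contexts: one call arriving through a VPC endpoint
# (so aws:SourceVpc is set), one from the public internet (key absent).
FROM_VPC = {"aws:SourceVpc": "vpc-0123456789abcdef0", "aws:SecureTransport": "true"}
FROM_INTERNET = {"aws:SecureTransport": "true"}

# Three ways of writing the "same" VPC restriction with different behaviour
# when the key is missing.
STRICT = {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}
LENIENT = {"StringEqualsIfExists": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}
REQUIRE_KEY = {"Null": {"aws:SourceVpc": "false"}}
```

Note that LENIENT still rejects a request whose aws:SourceVpc is present but different; it only relaxes the missing-key case, which is why it is the "catch all" the question describes.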