
Is it possible to exclude a volume from explicit deny in AWS IAM Policy

{
  "Sid": "DenyCreationOfUnencryptedEBSVOL",
  "Effect": "Deny",
  "Action": "ec2:CreateVolume",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    }
  }
}

That blocks any volume from being created unencrypted.

I was thinking that a combination of conditions would allow only volumes whose Name tag value contains "Test_Unencrypted" anywhere in the value:

{
  "Sid": "DenyCreationOfUnencryptedEBSVOL",
  "Effect": "Deny",
  "Action": "ec2:CreateVolume",
  "Resource": "*",
  "Condition": {
    "Bool": {
      "ec2:Encrypted": "false"
    },
    "StringNotLike": {
      "aws:ResourceTag/Name": "*Test_Unencrypted*"
    }
  }
}

Is it possible to exclude a single resource from a deny like the above?

DeclanG

1 Answer

You can use the key NotResource. Example:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "s3:*",
    "NotResource": [
      "arn:aws:s3:::HRBucket/Payroll",
      "arn:aws:s3:::HRBucket/Payroll/*"
    ]
  }
}

This applies the deny action to all resources except the mentioned objects.

Example taken from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html

Edit: I see now you probably also mean to exclude resources that have a certain tag attached to them. So when the test_unencrypted tag is present you allow it to be created. I think you can also use StringNotEquals with the aws:RequestTag/MyTagKey: MyTagValue condition key for this. Then you can create volumes only if you provide the tag. Note that this condition key is only present for API calls that either set or remove tags (CreateVolume supports this).

LRutten
  • Thanks LRutten, will try it out – DeclanG Sep 21 '21 at 19:49
  • Looks like I need to combine the string equals for volumes https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-manage-volumes – DeclanG Sep 21 '21 at 19:56
  • Sorry, but your post only mentions the case of excluding resources. Why wouldn't NotResource be sufficient? – LRutten Sep 21 '21 at 20:13
  • Ah sorry, I misunderstood the second part of your question. Do you mean that you want to exclude from the deny action all resources that have the test_unencrypted tag on them? – LRutten Sep 21 '21 at 20:28
  • Hey LRutten, yes, that's exactly what I was asking – DeclanG Sep 22 '21 at 13:55
  • Looks like NotResource is not supported at the SCP level either; the assumption was that IAM was transferable – DeclanG Sep 22 '21 at 16:33
  • That's correct, SCPs do not fully support this – LRutten Sep 22 '21 at 20:35
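The following is an added example, not code from the question or the answer, showing how the tag-based exception suggested in the answer's edit behaves when the Deny statement is evaluated. It is a small offline model of IAM's Condition evaluation (only the Bool, StringEquals/StringNotEquals and StringLike/StringNotLike operators are modelled) applied to the question's statement rewritten with aws:RequestTag/Name, plus a handful of constructed request contexts. The detail worth seeing is the documented rule that a negated operator such as StringNotLike evaluates to true when its key is absent from the request context: an untagged CreateVolume request is therefore still denied, and only a request that actually carries a matching Name tag escapes the Deny. The request contexts, the policy variant and the function names are assumptions made for the example.

```python
import fnmatch

# Constructed statement: the question's Deny, but keyed on aws:RequestTag/Name
# (the tag supplied in the CreateVolume request), as the answer's edit suggests.
DENY_UNENCRYPTED_UNLESS_TAGGED = {
    "Sid": "DenyCreationOfUnencryptedEBSVOL",
    "Effect": "Deny",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "Bool": {"ec2:Encrypted": "false"},
        "StringNotLike": {"aws:RequestTag/Name": "*Test_Unencrypted*"},
    },
}


def _matches(operator, expected, actual):
    """Evaluate one condition key against one expected value.

    'actual' is None when the key is absent from the request context.
    Per the IAM documentation, negated operators (StringNot*) evaluate to
    true on a missing key and positive operators evaluate to false.
    """
    negated = "Not" in operator
    if actual is None:
        return negated
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual == expected
    elif operator in ("StringLike", "StringNotLike"):
        # IAM StringLike: case-sensitive, * and ? wildcards.
        hit = fnmatch.fnmatchcase(actual, expected)
    else:
        raise ValueError(f"operator {operator} is not modelled in this example")
    return hit != negated


def condition_holds(condition, context):
    """Every operator and every key must hold for the Condition block to match.
    A key may list several expected values, which are OR-ed together."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            if not any(_matches(operator, v, context.get(key)) for v in values):
                return False
    return True


def deny_applies(statement, action, context):
    """True when this explicit Deny covers the action and its conditions hold."""
    if statement.get("Effect") != "Deny":
        return False
    actions = statement["Action"]
    actions = actions if isinstance(actions, list) else [actions]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    return condition_holds(statement.get("Condition", {}), context)


# Constructed request contexts, modelled on what IAM sees for ec2:CreateVolume.
REQUESTS = {
    "unencrypted, untagged": {"ec2:Encrypted": "false"},
    "unencrypted, other Name tag": {"ec2:Encrypted": "false",
                                    "aws:RequestTag/Name": "prod-data"},
    "unencrypted, exception tag": {"ec2:Encrypted": "false",
                                   "aws:RequestTag/Name": "Test_Unencrypted_01"},
    "encrypted, untagged": {"ec2:Encrypted": "true"},
}


def evaluate_all(statement=DENY_UNENCRYPTED_UNLESS_TAGGED):
    """Map each constructed request to whether the Deny statement applies."""
    return {name: deny_applies(statement, "ec2:CreateVolume", ctx)
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for name, denied in evaluate_all().items():
        print(f"{name:32s} -> {'DENY' if denied else 'not denied'}")
```

The same missing-key rule is why the condition has to reference a key that is actually present in the CreateVolume request context: if the chosen key never appears in the context, StringNotLike is always true and the exception never fires, so every unencrypted request is denied.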