I need to be able to do this "pseudo code" from within an IAM policy:
If (ARN exists) then execute actions block on listed resources else do nothing and continue fi
My idea.
ARN1 is an SSO permission set looking like (say) the one listed below, a clean deny on IAM: arn:aws:sso:::permissionSet/ssoins-77778f8b38f9c920/ps-e29f0cbbb9e35f55
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NoOpPolicyForAwsSsoEnvAndPrivSettings",
      "Effect": "Deny",
      "Action": "IAM:*",
      "Resource": "*"
    }
  ]
}
The user logs into SSO group2, which CAN see ARN1 because they are ALSO in SSO group1 where ARN1 is attached.
WHEN RUNNING this policy section flow, what happens with the EC2 actions when
- ARN1 IS visible
- ARN1 is NOT visible
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2WithAwssoViewerPermSet",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeTags",
        "ec2:DescribeSnapshots",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "iam:ListPolicies"
      ],
      "Resource": [
        "arn:aws:ec2:::*",
        "arn:aws:sso:::permissionSet/ssoins-77778f8b38f9c920/ps-e29f0cbbb9e35f55"
      ]
    },
Thanks
Need a thought experiment analysis from IAM experts ;-)
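Added illustration, not part of the post above and not AWS code: a simplified local model of the documented IAM evaluation rules (an explicit Deny wins, an Allow must match both the action and the requested resource, "*" and "?" are wildcards, action names compare case-insensitively), run against the two policies from the post. It assumes ARN1's deny is "IAM:*" on "*", models "ARN1 visible" as that deny being in effect alongside the EC2 statement (an assumption made only for the comparison), and adds a hypothetical variant of the EC2 statement whose Resource is "*", which is what ec2:Describe* actions require because they do not support resource-level permissions. Policy evaluation has no branch that asks whether an ARN exists or is visible; the outcome is a function of action and resource only.

```python
"""Simplified model of IAM policy evaluation (added example; not AWS code).

Only the rules needed for the thought experiment are modelled: explicit Deny
beats Allow, an Allow must match action and resource, '*' / '?' are wildcards,
actions compare case-insensitively, resources case-sensitively. Conditions,
SCPs, permission boundaries and session policies are deliberately left out.
"""
import fnmatch

ARN1 = "arn:aws:sso:::permissionSet/ssoins-77778f8b38f9c920/ps-e29f0cbbb9e35f55"

# The permission set attached via SSO group1 ("a clean deny on IAM").
DENY_IAM = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "NoOpPolicyForAwsSsoEnvAndPrivSettings",
                   "Effect": "Deny", "Action": "IAM:*", "Resource": "*"}],
}

EC2_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeTags",
               "ec2:DescribeSnapshots", "cloudwatch:DescribeAlarms",
               "cloudwatch:GetMetricStatistics", "iam:ListPolicies"]

# The EC2 statement from the post, with ARN1 listed as one of the Resources.
EC2_WITH_ARN1 = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EC2WithAwssoViewerPermSet", "Effect": "Allow",
                   "Action": EC2_ACTIONS, "Resource": ["arn:aws:ec2:::*", ARN1]}],
}

# Hypothetical variant (assumption, not from the post): Resource "*", which is
# what ec2:Describe* needs because those actions have no resource-level scope.
EC2_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EC2WithAwssoViewerPermSet", "Effect": "Allow",
                   "Action": EC2_ACTIONS, "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """Wildcard match of one request value against the statement's patterns."""
    if case_insensitive:
        patterns = [p.lower() for p in patterns]
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request.

    Note that nothing here inspects whether any ARN exists or is visible to
    the caller: a Resource entry only ever scopes what the statement applies to.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(_as_list(stmt["Action"]), action, case_insensitive=True):
                continue
            if not _matches(_as_list(stmt["Resource"]), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"   # explicit deny always wins
            allowed = True
    return "allowed" if allowed else "implicitDeny"


def run_thought_experiment():
    """Evaluate the post's scenarios: ARN1's deny in effect vs. not in effect.

    ec2:DescribeInstances is requested against resource '*', which is how such
    non-resource-scoped calls are evaluated.
    """
    results = {}
    for label, extra in (("ARN1 deny in effect", [DENY_IAM]),
                         ("ARN1 not in effect", [])):
        results[label] = {
            "ec2 with ARN1 listed": evaluate(extra + [EC2_WITH_ARN1],
                                             "ec2:DescribeInstances", "*"),
            "ec2 with Resource *": evaluate(extra + [EC2_WILDCARD],
                                            "ec2:DescribeInstances", "*"),
            "iam:ListPolicies": evaluate(extra + [EC2_WILDCARD],
                                         "iam:ListPolicies", "*"),
        }
    return results


if __name__ == "__main__":
    for scenario, outcomes in run_thought_experiment().items():
        print(scenario)
        for request, decision in outcomes.items():
            print(f"  {request:24s} -> {decision}")
```

The two scenarios give identical results for the EC2 actions: listing ARN1 (or any specific ARN) under Resource neither gates the statement on that ARN nor grants ec2:Describe*, which only matches when Resource is "*". The only decision that changes when ARN1's deny is in effect is iam:ListPolicies, which the explicit IAM:* deny overrides. A safer way to confirm this against the real service is the IAM policy simulator (SimulateCustomPolicy), run with read-only credentials.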