Posted On: May 4, 2021

AWS Identity and Access Management (IAM) now supports policy condition keys that help you manage permissions for AWS services that access your resources. Many AWS services need access to resources in your account to do their work, and they typically make those requests using their own identity, called a service principal. With the new service principal condition keys, you can write a single rule that applies to every AWS service principal, or carve service principals out of rules that are meant only for your own identities.

For example, to have AWS CloudTrail deliver log files to an S3 bucket, you must grant CloudTrail's service principal permission to write to a destination bucket that you control. Say you want to require that anyone who accesses that bucket does so through AWS PrivateLink, but you still want the CloudTrail service principal to be able to deliver logs. Now you can write the bucket policy to deny access unless the request arrives through your VPC endpoint or the principal making the request is an AWS service principal.

The new IAM policy conditions are aws:PrincipalIsAWSService, aws:PrincipalServiceName, and aws:PrincipalServiceNamesList. You can get started with these new conditions in your IAM policies at no additional cost. For more information, please visit the documentation on AWS Global Condition Keys.
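The bucket policy for the CloudTrail scenario above, written out as an added example (it is not part of the original announcement or of the AWS documentation). The bucket name, account ID and VPC endpoint ID are placeholders. The first statement uses aws:PrincipalIsAWSService to deny any request that neither comes through the VPC endpoint nor originates from a service principal; the second uses aws:PrincipalServiceName so that, of all service principals, only CloudTrail is allowed through; the remaining statements are the standard grants CloudTrail needs to deliver logs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessVpcEndpointOrAwsService",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-trail-bucket",
        "arn:aws:s3:::example-trail-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    },
    {
      "Sid": "DenyServicePrincipalsOtherThanCloudTrail",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-trail-bucket",
        "arn:aws:s3:::example-trail-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:PrincipalIsAWSService": "true"
        },
        "StringNotEquals": {
          "aws:PrincipalServiceName": "cloudtrail.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-trail-bucket"
    },
    {
      "Sid": "AllowCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/111122223333/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

Two details matter for the first Deny. The condition operators in a single Condition block are ANDed, so the statement only fires when the request is both outside the VPC endpoint and not from a service principal. It uses BoolIfExists rather than Bool so that a request in which aws:PrincipalIsAWSService is absent is still treated as "not a service" and denied; with plain Bool, a missing key would make the condition false and the Deny would silently not apply. Likewise, StringNotEquals on aws:SourceVpce evaluates to true when the key is missing, which is what makes requests that bypass the endpoint match the Deny. The second Deny is what turns "any service principal" into "only CloudTrail": aws:PrincipalServiceName is only populated when the caller is a service principal, so it is paired with aws:PrincipalIsAWSService being true. Note that these keys describe requests signed with a service's own identity; a service acting with your IAM credentials is evaluated as your principal, not as a service principal.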