What is the purpose of 'resource' in an AWS resource policy?

Question

As per title, what is the purpose of having the resource field when defining a resource policy when the resource policy is already going to be applied to a particular resource.

For example, in this aws tutorial, the following policy is defined an attached to a queue. What is the purpose of the resource field?

{
 "Version": "2008-10-17",
 "Id": "example-ID",
 "Statement": [
  {
   "Sid": "example-statement-ID",
   "Effect": "Allow",
   "Principal": {
     "AWS": "*"  
   },
   "Action": [
    "SQS:SendMessage"
   ],
   "Resource": "arn:aws:sqs:REGION:ACCOUNT-ID:QUEUENAMEHERE",
   "Condition": {
      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }
   }
  }
 ]
}

WaltDe · Accepted Answer

S3 is a good example of where you need to include the resource statement in the policy. Let's say you want to have a upload location on S3 bucket.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"Upload",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:PutObject"],
      "Resource":["arn:aws:s3:::examplebucket/uploads/*"]
    }
  ]
}

In these cases you really don't want to default the Resource to the bucket as it could accidentally cause global access. It is better to make sure the user clearly understands what access is being allowed or denied.

But why make it required for resource policies where it isn't need like SQS? For this let's dive into how resource policies are used.

You can grant access to a resources 2 ways:

Identity based policies for IAM principals (users and roles).
Resource based policies

The important part to understand is how are resource polices used? Resource policies are actually used by IAM in the policy evaluation logic for authorization. To put it another way, resources are not responsible for the actual authorization that is left to IAM (Identity and Access Management).

Since IAM requires that every policy statement have a Resource or NotResource this means the service would need to add the resource when sending it to IAM if it was missing. So let us look at the implications from a design perspective of having the service add the resource if it is missing.

The service no longer would need to just verify the policy is correct.
If the resource is missing from the statement the service would need to update the policy before sending it to IAM.
There is now the potential for two different versions of a resource policy. The one the user created for editing and the one sent to IAM.
It increases the potential for user error and accidentally opening up access by attaching a policy to the wrong resource. If we modify the policy statement in the question drop the resource and condition statement we have a pretty open policy. This could easily be attached to the wrong resource especially from the CLI or terraform.

  {
   "Sid": "example-statement-ID",
   "Effect": "Allow",
   "Principal": {
     "AWS": "*"  
   },
   "Action": [
    "*"
   ]
  }

Note I answered this from a general design perspective based on my understanding of how AWS implements access management. How AWS implemented the system might be a little different but I doubt it because policy evaluation logic really needs to be optimized for performance so it's better do to that in in one service, IAM, instead of in each service.

Hope that helps.

Extra reading if you are interested in the details of the Policy Evaluation Logic.

You can deny access 6 ways:

Identity Policy
Resource policies
Organizational Polices if your account is part of an organization
IAM permission boundaries if set
Session Assumed Policy if used
Implicitly if there was no allow policy

Here is the complete IAM policy evaluation logic workflow.

What is the purpose of 'resource' in an AWS resource policy?

Answers (2)

Related Questions

What is the purpose of &#39;resource&#39; in an AWS resource policy?

Answers (2)

Related Questions

What is the purpose of 'resource' in an AWS resource policy?