IAM rules and exceptions

haveano

Jun 29, 2020, 7:38:10 AM
to Forseti Security Discussion
Is it possible to write IAM rules with exceptions?
What is my goal? To blacklist every '*' bucket with 'allUsers' except buckets "abc" and "xyz".
If this is possible, can you please provide me an example?

Thanks and BR,
HaveAno

Gregg Kowalski

Jun 29, 2020, 12:11:58 PM
to haveano, Forseti Security Discussion
Hello,

The legacy Forseti scanners and rules do not allow for exemptions to be configured. However, the Config Validator scanner does support exemptions. We highly recommend migrating to Config Validator for scanning as we do not plan on adding or updating any functionality with the other scanners. If you are not using Config Validator, please see these helpful resources:
Here is an example Config Validator policy that will allow you to scan for public buckets and provide exemptions: https://github.com/forseti-security/policy-library/blob/master/samples/storage_denylist_public.yaml. Please note that Config Validator does not scan for the ACL on the buckets, and only scans for the IAM policies. To take full advantage of this, you would want to also look at enabling uniform bucket-level access.

Hope that helps,
Gregg

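The check the linked Config Validator policy performs, written out as an added Python example (not Forseti or policy-library code) so the exemption behaviour is visible: it walks Cloud Asset Inventory style bucket records, flags any IAM binding granting access to allUsers or allAuthenticatedUsers, and skips buckets named in an exemption list. The asset records are constructed samples; as with Config Validator, only the IAM policy is inspected, so access granted through legacy bucket ACLs would not appear here.

```python
# Added example, not part of Forseti or the policy-library. Mirrors the logic of
# the storage_denylist_public policy with an exemption list for bucket names.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BUCKET_TYPE = "storage.googleapis.com/Bucket"


def _bucket(asset_type, name, members):
    """Build a constructed CAI-style bucket record with one IAM binding."""
    return {
        "name": f"//storage.googleapis.com/{name}",
        "asset_type": asset_type,
        "iam_policy": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": members}]},
    }


# Constructed sample inventory: two exempt buckets, one real finding, one
# private bucket, and a non-bucket asset that must be ignored.
SAMPLE_ASSETS = [
    _bucket(BUCKET_TYPE, "abc", ["allUsers"]),
    _bucket(BUCKET_TYPE, "xyz", ["allAuthenticatedUsers"]),
    _bucket(BUCKET_TYPE, "logs-archive", ["allUsers", "user:alice@example.com"]),
    _bucket(BUCKET_TYPE, "private-data", ["user:alice@example.com"]),
    _bucket("compute.googleapis.com/Instance", "not-a-bucket", ["allUsers"]),
]


def bucket_name(asset_name):
    """'//storage.googleapis.com/abc' -> 'abc'."""
    return asset_name.rsplit("/", 1)[-1]


def find_public_buckets(assets, exemptions=()):
    """Return {bucket_name: [(role, public_member), ...]} for every bucket whose
    IAM policy grants access to a public member and that is not exempted.
    Only iam_policy is examined; legacy ACLs are not part of the record."""
    exempt = set(exemptions)
    violations = {}
    for asset in assets:
        if asset.get("asset_type") != BUCKET_TYPE:
            continue
        name = bucket_name(asset["name"])
        if name in exempt:
            continue
        for binding in asset.get("iam_policy", {}).get("bindings", []):
            for member in binding.get("members", []):
                if member in PUBLIC_MEMBERS:
                    violations.setdefault(name, []).append((binding["role"], member))
    return violations


if __name__ == "__main__":
    for bucket, grants in find_public_buckets(SAMPLE_ASSETS, ("abc", "xyz")).items():
        print(bucket, grants)
```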