Understanding Effective Conditions

Policy conditions, when they exist, are always restrictions on the scenarios in which a policy applies.
Every PolicyShard object will have an EffectiveCondition object, even if the EffectiveCondition has no inclusions or exclusions specified.
What is an inclusion/exclusion?

An EffectiveCondition inclusion is a Condition which must be true for a PolicyShard to apply.
An EffectiveCondition exclusion is a Condition which must be false for a PolicyShard to apply.
>>> from policyglass import PolicyShard, EffectiveAction, Action, EffectiveResource, Resource, EffectivePrincipal, Principal, EffectiveCondition, Condition
>>> effective_condition = EffectiveCondition(
...     inclusions=frozenset({
...         Condition("aws:PrincipalOrgId", "StringEquals", ["o-123456"]),
...     }),
...     exclusions=frozenset({
...         Condition(key="TestKey", operator="BinaryEquals", values=["QmluYXJ5VmFsdWVJbkJhc2U2NA=="])
...     }),
... )
>>> policy_shard = PolicyShard(
...     effect="Allow",
...     effective_action=EffectiveAction(Action("*")),
...     effective_resource=EffectiveResource(Resource("*")),
...     effective_principal=EffectivePrincipal(Principal("AWS", "*")),
...     effective_condition=effective_condition,
... )
This effective_condition's inclusions and exclusions dictate that for the Action, Resource and Principal to be allowed, the following must be true at the time the API call takes place:

- aws:PrincipalOrgId must StringEquals a value of o-123456.
- TestKey must NOT BinaryEquals a value of QmluYXJ5VmFsdWVJbkJhc2U2NA==.
When would an exclusion occur?

An EffectiveCondition exclusion is quite a rare phenomenon. Normally when Deny PolicyShard conditions are folded into Allow PolicyShard objects, they are reversed using the reverse attribute. For example StringNotEquals on a Deny PolicyShard will become StringEquals on an Allow PolicyShard. This makes the Allow shards significantly easier to understand.
When a Deny statement has a condition that cannot be reversed (e.g. BinaryEquals, for which there is no corresponding BinaryNotEquals) then the condition must be placed into the exclusions of the effective_condition of the Allow PolicyShard.
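The following is an added, self-contained model of the two ideas above (inclusion/exclusion evaluation against a request context, and folding a Deny condition into an Allow shard by reversal or, when no reversal exists, as an exclusion). It is illustrative code written for this page, not policyglass's own implementation; the Cond/EffCond classes, the holds/applies/fold_deny functions and the single-valued request context are simplifying assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Operators with an IAM negation, in both directions. BinaryEquals has no
# BinaryNotEquals, so a Deny using it cannot be reversed and becomes an exclusion.
REVERSE = {"StringEquals": "StringNotEquals", "StringNotEquals": "StringEquals"}


@dataclass(frozen=True)
class Cond:  # hypothetical stand-in for policyglass.Condition
    key: str
    operator: str
    values: Tuple[str, ...]


@dataclass(frozen=True)
class EffCond:  # hypothetical stand-in for policyglass.EffectiveCondition
    inclusions: FrozenSet[Cond] = frozenset()
    exclusions: FrozenSet[Cond] = frozenset()


def holds(cond: Cond, ctx: Dict[str, str]) -> bool:
    """Evaluate one condition against a single-valued request context (simplified)."""
    negated = "Not" in cond.operator
    if cond.key not in ctx:  # missing key: negated operators match, positive ones do not
        return negated
    if cond.operator in ("StringEquals", "BinaryEquals"):
        return ctx[cond.key] in cond.values
    if cond.operator == "StringNotEquals":
        return ctx[cond.key] not in cond.values
    raise ValueError(f"unsupported operator {cond.operator}")


def applies(eff: EffCond, ctx: Dict[str, str]) -> bool:
    """A shard applies iff every inclusion holds and no exclusion holds."""
    return all(holds(c, ctx) for c in eff.inclusions) and not any(
        holds(c, ctx) for c in eff.exclusions
    )


def fold_deny(allow: EffCond, deny: Cond) -> EffCond:
    """Fold a Deny condition into an Allow shard's effective condition.

    Reversible operators are flipped into the inclusions (StringNotEquals ->
    StringEquals); irreversible ones (BinaryEquals) go verbatim into the exclusions.
    """
    if deny.operator in REVERSE:
        flipped = Cond(deny.key, REVERSE[deny.operator], deny.values)
        return EffCond(allow.inclusions | {flipped}, allow.exclusions)
    return EffCond(allow.inclusions, allow.exclusions | {deny})
```

Folding the Deny conditions StringNotEquals aws:PrincipalOrgId o-123456 and BinaryEquals TestKey into an unconditional Allow reproduces the effective_condition from the example above, and applies() then accepts a request from o-123456 only while TestKey is absent or differs.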