It is recommended to grant permissions based on the user's identity when creating access policies in ECS IAM.
To write policies that contain user-specific information, the user identity must be available through SAML keys. The following SAML keys can be used in policy conditions, and as policy variables in resource paths, to build a unique identifier for each user.
SAML keys and their descriptions
saml:namequalifier
A hash value based on the concatenation of the Issuer response value (saml:iss) and a string with the ECS namespace (account ID) and the friendly name (the last part of the ARN) of the SAML provider in IAM. The namespace (account ID) and provider name must be separated by a '/' as in "123456789012/provider_name". The combination of NameQualifier and Subject can be used to uniquely identify a federated user. Expressed as pseudocode, where "+" indicates concatenation, SHA1 represents a function that produces a message digest using SHA-1, and Base64 represents a function that produces the Base64-encoded form of the hash output, the value is calculated as Base64(SHA1(saml:iss + "123456789012/provider_name")).
saml:sub
This is the subject of the claim, which includes a value that uniquely identifies an individual user within an organization, for example _3e52ef03414f3464d2461c00ebae0152c25fb88bbc.
saml:sub_type
This key can be persistent, transient, or the full Format URI from the Subject and NameID elements used in your SAML assertion. A value of persistent indicates that the value in saml:sub is the same for a user across all sessions. If the value is transient, the user has a different saml:sub value for each session.
IAM Policy
The following example shows a permission policy that uses the preceding keys to grant permissions to a user-specific folder in Amazon S3. The policy assumes that the Amazon S3 objects are identified using a prefix that includes both saml:namequalifier and saml:sub. Notice that the Condition element includes a test to be sure that saml:sub_type is set to persistent. If it is set to transient, the saml:sub value for the user can be different for each session, so the combination of values must not be used to identify user-specific folders: each new session would resolve to a different prefix and the user would never see data written in an earlier session.
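The block below is an added example, not code from the page or from ECS. It ties together the saml:namequalifier calculation described in the table above and the user-folder policy described in this section: it computes the namequalifier from a constructed issuer URL, namespace and provider name (all assumed values), builds the policy with ${saml:namequalifier}/${saml:sub} in the resource path and the StringEquals test on saml:sub_type, and then runs a small Allow-only evaluator (written for this example, not ECS's real policy engine) to show that a persistent subject reaches only its own prefix while a transient subject, or a session missing the key, is denied. The bucket name, the `arn:aws:s3:::` ARN prefix and the S3 actions are illustrative assumptions.

```python
import base64
import hashlib
import json
import re

# Constructed sample values (assumptions, not taken from the page): the IdP's
# issuer URL (saml:iss), the ECS namespace / account ID and the friendly name
# of the SAML provider in IAM.
ISSUER = "https://idp.example.com/saml"
ACCOUNT_ID = "123456789012"
PROVIDER_NAME = "provider_name"


def name_qualifier(issuer: str, account_id: str, provider_name: str) -> str:
    """saml:namequalifier as the page defines it:
    Base64(SHA1(saml:iss + "<account_id>/<provider_name>"))."""
    material = issuer + account_id + "/" + provider_name
    digest = hashlib.sha1(material.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def session_attributes(sub: str, sub_type: str) -> dict:
    """The SAML keys one federated session carries, derived from its assertion."""
    return {
        "saml:namequalifier": name_qualifier(ISSUER, ACCOUNT_ID, PROVIDER_NAME),
        "saml:sub": sub,
        "saml:sub_type": sub_type,
    }


def user_folder_policy(bucket: str) -> dict:
    """Policy granting each federated user its own prefix, keyed by
    namequalifier/sub, and only when the subject identifier is persistent."""
    prefix = f"arn:aws:s3:::{bucket}/${{saml:namequalifier}}/${{saml:sub}}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [prefix, prefix + "/*"],
            "Condition": {"StringEquals": {"saml:sub_type": "persistent"}},
        }],
    }


def _substitute(template: str, attrs: dict) -> str:
    """Expand ${saml:...} policy variables. An unknown variable is left as the
    literal text, so it can never match a real object key."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: attrs.get(m.group(1), m.group(0)), template)


def _arn_match(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


def is_allowed(policy: dict, attrs: dict, action: str, resource_arn: str) -> bool:
    """Minimal Allow-only evaluator written for this example (hypothetical; it
    is not ECS's evaluation engine). Returns True only if some Allow statement
    covers the action, its conditions hold, and a resource pattern matches."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # A StringEquals test on a key the session does not carry is false.
        if any(attrs.get(key) != value for key, value in conditions.items()):
            continue
        if any(_arn_match(_substitute(r, attrs), resource_arn)
               for r in stmt["Resource"]):
            return True
    return False


if __name__ == "__main__":
    policy = user_folder_policy("exampleorgBucket")
    print(json.dumps(policy, indent=2))
    alice = session_attributes("_3e52ef03414f3464d2461c00ebae0152c25fb88bbc",
                               "persistent")
    own = (f"arn:aws:s3:::exampleorgBucket/{alice['saml:namequalifier']}/"
           f"{alice['saml:sub']}/report.txt")
    print("persistent subject, own folder:",
          is_allowed(policy, alice, "s3:GetObject", own))
    transient = {**alice, "saml:sub_type": "transient"}
    print("transient subject, same folder:",
          is_allowed(policy, transient, "s3:GetObject", own))
```

The evaluator deliberately treats a missing saml:sub_type the same as a wrong one: an IdP that omits the attribute, or a provider that leaves policy variables unexpanded, must fall through to deny rather than silently granting a shared prefix.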