Forward access sessions - Amazon Identity and Access Management
FAS Requests and IAM policy conditionsExample: Allow Amazon S3 access from a VPC or with FAS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Forward access sessions

Forward access sessions (FAS) is an IAM technology used by Amazon services to pass your identity, permissions, and session attributes when an Amazon service makes a request on your behalf. FAS uses the permissions of the identity calling an Amazon service, combined with an Amazon service’s identity to make requests to downstream services. FAS requests are only made to Amazon services on behalf of an IAM principal after a service has received a request that requires interactions with other Amazon services or resources to complete. When a FAS request is made:

  • The service that receives the initial request from an IAM principal checks the permissions of the IAM principal.

  • The service that receives a subsequent FAS request also checks the permissions of the same IAM principal.

For example, FAS is used by Amazon S3 to make calls to Amazon Key Management Service to decrypt an object when SSE-KMS was used to encrypt it. When downloading an SSE-KMS encrypted object, a role named data-reader calls GetObject on the object against Amazon S3, and does not call Amazon KMS directly. After receiving the GetObject request and authorizing data-reader, Amazon S3 then makes a FAS request to Amazon KMS in order to decrypt the Amazon S3 object. When KMS receives the FAS request it checks the permissions of the role and only authorizes the decryption request if data-reader has the correct permissions on the KMS key. The requests to both Amazon S3 and Amazon KMS are authorized using the role’s permissions and is only successful if data-reader has permissions to both the Amazon S3 object and the Amazon KMS key.

A flow diagram of an IAM role being passed as the principal to Amazon S3 and then to Amazon KMS.
Note

Additional FAS requests can be made by services who have received a FAS request. In such cases, the requesting principal must have permissions for all services called by FAS.

FAS Requests and IAM policy conditions

When FAS requests are made, aws:CalledVia, aws:CalledViaFirst, and aws:CalledViaLast condition keys are populated with the service principal of the service that initiated the FAS call. The aws:ViaAWSService condition key value is set to true whenever a FAS request is made. In the following diagram, the request to CloudFormation directly does not have any aws:CalledVia or aws:ViaAWSService condition keys set. When CloudFormation and DynamoDB make downstream FAS requests on the behalf of the role, the values for these condition keys are populated.

A flow diagram of an IAM role being passed as the principal to CloudFormation and then passing the condition key values to DynamoDB and Amazon KMS.

To allow a FAS request to be made when it would otherwise be denied by a Deny policy statement with a condition key testing Source IP addresses or Source VPCs, you must use condition keys to provide an exception for FAS requests in your Deny policy. This can be done for all FAS requests by using the aws:ViaAWSService condition key. To allow only specific Amazon services to make FAS requests, use aws:CalledVia.

Important

When a FAS request is made after an initial request is made through a VPC endpoint, the condition key values for aws:SourceVpce, aws:SourceVpc, and aws:VpcSourceIp from the initial request are not used in FAS requests. When writing policies using aws:VPCSourceIP or aws:SourceVPCE to conditionally grant access, you must also use aws:ViaAWSService or aws:CalledVia to allow FAS requests. When a FAS request is made after an initial request is received by a public Amazon service endpoint, subsequent FAS requests will be made with the same aws:SourceIP condition key value.

Example: Allow Amazon S3 access from a VPC or with FAS

In the following IAM policy example, Amazon S3 GetObject and Athena requests are only allowed if they originate from VPC endpoints attached to example_vpc, or if the request is a FAS request made by Athena.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyAllowMyIPs",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "athena:StartQueryExecution",
        "athena:GetQueryResults",
        "athena:GetWorkGroup",
        "athena:StopQueryExecution",
        "athena:GetQueryExecution"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVPC": [
            "example_vpc"
          ]
        }
      }
    },
    {
      "Sid": "OnlyAllowFAS",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "athena.amazonaws.com"
        }
      }
    }
  ]
}

For additional examples of using condition keys to allow FAS access, see the data perimeter example policy repo.