What is Sid attribute use for in key policies?
Solution 1
In another part of the documentation AWS provides some additional information about the purpose of the Sid:
The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document's ID. In IAM, the Sid value must be unique within a JSON policy.
So yes, it's just a description.
Solution 2
You can use Sid to refer to a specific statement in a long policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAll",
                "Effect": "Allow",
                "Action": "*",
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Sid": "DenyList",
                "Effect": "Deny",
                "Action": "s3:List*",
                "Resource": "arn:aws:s3:::*"
            }
        ]
    }
For example, when explaining the policy, you can say that the AllowAll statement allows all S3 actions, but that DenyList denies all list actions. Imagine if those Sids weren't there: how would you refer to either of them?
This might be semantic nitpicking, but I disagree that it's "just a description", because descriptions don't have to be unique. Also Sid doesn't support spaces so it's really just an ID.
Update: Quoting AWS docs
Some AWS services (for example, Amazon SQS or Amazon SNS) might require this element and have uniqueness requirements for it.
Solution 3
I don't think 'just a description' is enough to describe the meaning of Sid.
I think a better question would be: 'how can I use Sid to my advantage?'
Here is one example:
- You could use Sid to process your policies in case you ever need to find the needle in the haystack.
Example: you have 1k policies and would like to find the policy that does "S3DenyPublicReadACL". Maybe you store that policy in an S3 bucket, so you can reuse it.
Solution: write a script/Lambda, find it and reuse it in an automatic way.
Cherry
Updated on June 02, 2022
Comments
- Cherry, almost 2 years: Here is the documentation: "Sid – (Optional) The Sid is a statement identifier, an arbitrary string you can use to identify the statement." Does it mean that the Sid parameter is just a description?
- Mark B, over 6 years: Yes, that's exactly what it means, it is just a description.
- Khoa Vo, almost 3 years: The part you quoted says that it's an "optional identifier". If it's just a description, why would it have to be unique?
- Brad Parks, almost 3 years: It doesn't appear to be JUST a description - seems to not allow spaces or wildcards? So it's more of an identifier, from what I gather, and supports [a-z, A-Z, 0-9]
- Brad Parks, almost 3 years: and it has to be unique per policy, so you can use multiple sid identifiers for statements in your policy, but can't use the same sid more than once in that policy. You can repeat the same sids in different policies though.
- maulik13, over 2 years: That part in the documentation is really not much help. It does not mention how we could use it and does not give any useful examples either. It definitely does not look like a description.
- maulik13, over 2 years: That is the right question to ask, and the documentation fails to provide any info about its use case.
- user2770362, over 2 years: By referring do you mean reference in YAML or for description purposes?
- Khoa Vo, over 2 years: @user2770362 It can be used for both description and automation purposes. I'm not sure what you mean by "reference in YAML", but if you mean in a programmatic context then yes. I think it'd be useful to loop through all statements in a policy, and pick out the one with a specific name, for example.
- Vivek Puurkayastha, over 2 years: @KhoaVo this really should be the accepted answer...