What is the Sid attribute used for in key policies?


Solution 1

In another part of the documentation AWS provides some additional information about the purpose of the Sid:

The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document's ID. In IAM, the Sid value must be unique within a JSON policy.

So yes, it's just a description.

Solution 2

You can use Sid to refer to a specific statement in a long policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAll",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "DenyList",
            "Effect": "Deny",
            "Action": "s3:List*",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

For example, when explaining the policy, you can say that the AllowAll statement allows all S3 actions, but that DenyList denies all list actions. Imagine if those Sids weren't there: how would you refer to either of them?

This might be semantic nitpicking, but I disagree that it's "just a description", because descriptions don't have to be unique. Also Sid doesn't support spaces so it's really just an ID.

Update: Quoting AWS docs

Some AWS services (for example, Amazon SQS or Amazon SNS) might require this element and have uniqueness requirements for it.

Solution 3

I don't think 'just a description' is enough to describe the meaning of Sid.

I think a better question would be: 'how can I use Sid to my advantage?'

Here is one example:

  • You could use Sid to process your policies in case you ever need to find the needle in the haystack.

Example: you have 1k policies and would like to find the policy that does "S3DenyPublicReadACL". Maybe you store that policy in an S3 bucket, so you can reuse it.

Solution: Write a script/lambda, find it and reuse it in an automatic way.
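The script idea above (find a statement by its Sid across many policies) together with the uniqueness and no-spaces rules discussed in the comments, as an added Python example that is not part of any answer on this page. The policy names ("s3-admin", "s3-public-acl") and the policy documents are constructed sample data; the alphanumeric-only check follows what the comments here state about Sid.

```python
import re

# Per the comments on this page, a Sid may contain only letters and digits (no spaces).
SID_PATTERN = re.compile(r"[A-Za-z0-9]+")


def statements(policy):
    """Return the Statement list; a policy may carry a single statement object instead of a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def check_sids(policy):
    """Return a list of Sid problems in one policy document (empty when it is clean)."""
    problems, seen = [], set()
    for index, stmt in enumerate(statements(policy)):
        sid = stmt.get("Sid")
        if sid is None:
            continue  # Sid is optional
        if not SID_PATTERN.fullmatch(sid):
            problems.append(f"statement {index}: Sid {sid!r} is not alphanumeric")
        if sid in seen:  # IAM requires Sid to be unique within a policy
            problems.append(f"statement {index}: duplicate Sid {sid!r}")
        seen.add(sid)
    return problems


def find_by_sid(policies, wanted_sid):
    """Return (policy name, statement) pairs whose Sid equals wanted_sid, across many policies."""
    return [(name, stmt) for name, policy in policies.items()
            for stmt in statements(policy) if stmt.get("Sid") == wanted_sid]


# Constructed sample policies keyed by a hypothetical policy name (not real account data).
POLICIES = {
    "s3-admin": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::*"},
        {"Sid": "DenyList", "Effect": "Deny", "Action": "s3:List*", "Resource": "arn:aws:s3:::*"},
    ]},
    "s3-public-acl": {"Version": "2012-10-17", "Statement": [
        {"Sid": "S3DenyPublicReadACL", "Effect": "Deny", "Action": "s3:PutObjectAcl",
         "Resource": "arn:aws:s3:::*", "Condition": {"StringEquals": {"s3:x-amz-acl": "public-read"}}},
        {"Sid": "S3DenyPublicReadACL", "Effect": "Deny", "Action": "s3:PutBucketAcl",
         "Resource": "arn:aws:s3:::*"},  # duplicate Sid: IAM would reject this policy
        {"Sid": "bad sid", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},  # space
    ]},
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        for problem in check_sids(policy):
            print(f"{name}: {problem}")
    for name, stmt in find_by_sid(POLICIES, "S3DenyPublicReadACL"):
        print(f"{name}: {stmt['Action']}")
```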


Author: Cherry

Updated on June 02, 2022

Comments

  • Cherry almost 2 years

    Here is a documentation:

    Sid – (Optional) The Sid is a statement identifier, an arbitrary string you can use to identify the statement.

    Does it mean that the Sid parameter is just a description?

    • Mark B over 6 years
      Yes, that's exactly what it means; it is just a description.
  • Khoa Vo almost 3 years
    The part you quoted says that it's an "optional identifier". If it's just a description, why would it have to be unique?
  • Brad Parks almost 3 years
    It doesn't appear to be JUST a description; it seems to not allow spaces or wildcards. So it's more of an identifier, from what I gather, and supports [a-z, A-Z, 0-9].
  • Brad Parks almost 3 years
    And it has to be unique per policy, so you can use multiple Sid identifiers for statements in your policy, but can't use the same Sid more than once in that policy. You can repeat the same Sids in different policies though.
  • maulik13 over 2 years
    That part of the documentation is really not much help. It does not mention how we could use it and does not give any useful examples either. It definitely does not look like a description.
  • maulik13 over 2 years
    That is the right question to ask, and the documentation fails to provide any info about its use case.
  • user2770362 over 2 years
    By referring, do you mean reference in YAML or for description purposes?
  • Khoa Vo over 2 years
    @user2770362 It can be used for both description and automation purposes. I'm not sure what you mean by "reference in yaml", but if you mean in a programmatic context then yes. I think it'd be useful to loop through all statements in a policy, and pick out the one with a specific name, for example.
  • Vivek Puurkayastha over 2 years
    @KhoaVo this really should be the accepted answer...