Configuring Regular Expression to Extract Policy Username

Extract the policy username from the AWS identity.

The Cloud Protect Lambda Function exposes the USERNAME_REGEX configuration, which allows the policy username to be extracted from the user in the request.

  • USERNAME_REGEX Lambda Environment configuration

    The USERNAME_REGEX configuration can be used to extract the policy username from the user in the request. The following values are allowed for USERNAME_REGEX:

    • 1 - The default built-in regular expression is used:

      ^arn:aws:(?:iam|sts)::[0-9]{12}:(?:role|user|group|assumed\-role|federated\-user)\/([\w\/+=,.\-]{1,1024}|[\w\/+=,.\-@]{1,1024})(?:@[a-zA-Z0-9\-]{1,320}(?:\.\w+)+)?$
      
    • ^User regex$ - A custom regex with one capturing group. This group is used to extract the username. The examples below show different regular expression values and the resulting policy user.

USERNAME_REGEX: Not Set

    User in the request                                Effective Policy User
    arn:aws:iam::123456789012:user/juliet.snow         arn:aws:iam::123456789012:user/juliet.snow
    arn:aws:sts::123456789012:assumed-role/TestSaml    arn:aws:sts::123456789012:assumed-role/TestSaml

USERNAME_REGEX: 1

    User in the request                                Effective Policy User
    arn:aws:iam::123456789012:user/juliet.snow         juliet.snow
    arn:aws:sts::123456789012:assumed-role/TestSaml    TestSaml

USERNAME_REGEX: ^arn:aws:(?:iam|sts)::[0-9]{12}:((?:role|user|group|assumed-role|federated-user).*)$

    User in the request                                Effective Policy User
    arn:aws:iam::123456789012:user/juliet.snow         user/juliet.snow
    arn:aws:sts::123456789012:assumed-role/TestSaml    assumed-role/TestSaml
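
The three USERNAME_REGEX settings described above, worked through in Python as an added example; this is not the Cloud Protect Lambda's own code. It assumes Python's re module behaves like the Lambda's regex engine for these patterns; the function name effective_policy_user, the None result on a non-match and the third sample identity are choices made for this example.

```python
import re

# Built-in pattern, copied from the page (selected with USERNAME_REGEX=1).
BUILTIN_REGEX = (
    r"^arn:aws:(?:iam|sts)::[0-9]{12}:"
    r"(?:role|user|group|assumed\-role|federated\-user)\/"
    r"([\w\/+=,.\-]{1,1024}|[\w\/+=,.\-@]{1,1024})"
    r"(?:@[a-zA-Z0-9\-]{1,320}(?:\.\w+)+)?$"
)
# Custom pattern from the page's examples.
CUSTOM_REGEX = (r"^arn:aws:(?:iam|sts)::[0-9]{12}:"
                r"((?:role|user|group|assumed-role|federated-user).*)$")

def effective_policy_user(username_regex, request_user):
    """Return the policy user for one USERNAME_REGEX setting.

    username_regex: None (not set), "1" (built-in) or a custom regex.
    Returns None when the identity does not match; that is this example's
    choice, the page does not say what the Lambda does in that case.
    """
    if username_regex is None:
        return request_user  # Not set: the identity is used unchanged
    source = BUILTIN_REGEX if username_regex == "1" else username_regex
    pattern = re.compile(source)
    if pattern.groups != 1:
        raise ValueError("USERNAME_REGEX needs exactly one capturing group")
    # fullmatch: the whole identity must match, even if anchors are missing
    match = pattern.fullmatch(request_user)
    return match.group(1) if match else None

# The first two identities are the page's; the third (a role session named
# like an e-mail address) is constructed for this example.
SAMPLES = [
    "arn:aws:iam::123456789012:user/juliet.snow",
    "arn:aws:sts::123456789012:assumed-role/TestSaml",
    "arn:aws:sts::123456789012:assumed-role/TestSaml/juliet.snow@example.com",
]

def demo():
    """Evaluate every sample identity under every setting."""
    return [(setting, user, effective_policy_user(setting, user))
            for setting in (None, "1", CUSTOM_REGEX)
            for user in SAMPLES]

if __name__ == "__main__":
    for setting, user, result in demo():
        print(f"{setting!r:>8.8}  {user}  ->  {result}")
```

With the built-in pattern the constructed third identity yields TestSaml/juliet.snow: the role name and session name are kept together and the trailing @domain is dropped, which matters when policy users are keyed on the bare username.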


Last modified : November 27, 2025