Jeff

Reputation: 36583

AWS IAM user role or policy self contained

I'd like to create a user in IAM that can basically do anything (create, modify, delete) to resources that are created by that user itself.

This would include creation of other roles and policies...but again only such ones that would allow controlling resources created by the parent user itself.

The purpose is to be able to create a CloudFormation template that can be run by a non admin user but still create all resources required (including things like instance profiles and lambda execution roles). All such resources could then only be managed by the owning user, thus allowing for autonomy and isolation.

I have a feeling this could be accomplished with conditions in the policy document, but not sure exactly how.

Upvotes: 2

Views: 606

Answers (1)

grepe

Reputation: 1977

This is by no means a perfect solution, and I'm not sure if that is what you need, but I recently did something similar and this is how I solved it:

We have a role that has AmazonElasticMapReduceFullAccess and Cloudformation read-only policies (managed by Amazon) and one additional custom policy with the cloudformation:DeleteStack permission (for deleting the EMR cluster resources).

You can restrict IAM policies on resource level. For example, the custom policy for deleting stacks looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/EMRCluster*"
    }
  ]
}

The way it works is that when the user needs an EMR cluster, they assume the role and create a stack named EMRCluster<date>-<UUID> and when they are done they remove the cluster resources using Cloudformation. This is, strictly speaking, not really necessary, since the user already has the EMR full access and can remove the resources (not only his) from EMR web console or via boto3 EMR API... It just makes things easier and allows the user to just do a single call to Cloudformation instead of managing EMR directly. It may look a bit funny to create and delete clusters with Cloudformation instead of directly, but it is much easier to manage a single JSON template than your custom configuration...

If you don't want your user to have the entire EMR full access permission (quite a lot), I suggest that you play around with the EMR full access policy to allow the user to create only certain resources and restrict removing resources in a similar manner. Maybe you can give the user only a permission to call Cloudformation with a certain template instead of that? I'm not sure if that would work without other permissions though...

Additionally, you can set VisibleToAllUsers=False in your template (see the docs), so only the user that created it should be able to manage the cluster.

Upvotes: 1
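To see concretely how the resource-level pattern in the answer scopes DeleteStack to stacks whose name begins with EMRCluster, here is an added example (not part of the original post, and not the real IAM evaluation engine): a toy Allow-only policy evaluator that implements IAM's `*`/`?` wildcard matching, builds CloudFormation stack ARNs, and generates stack names in the answer's EMRCluster<date>-<UUID> convention. The account id and region used below are constructed placeholders; the evaluator deliberately ignores explicit Deny, Conditions and policy variables, which the real service does apply.

```python
"""Toy check of the resource-level DeleteStack policy from the answer.

Added example, not from the original post. It models only the Allow
side of IAM evaluation: no explicit Deny, no Conditions, no policy
variables, no SCPs. Use the real policy simulator for anything binding.
"""
import re
import uuid
from datetime import datetime, timezone

# The custom policy posted in the answer: DeleteStack only on EMRCluster* stacks.
DELETE_STACK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["cloudformation:DeleteStack"],
            "Resource": "arn:aws:cloudformation:*:*:stack/EMRCluster*",
        }
    ],
}


def _matches(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    # IAM wildcards: '*' matches any run of characters (including ':' and '/'),
    # '?' matches exactly one character. Everything else is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    # Policy documents allow a string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """True if some Allow statement matches both the action and the resource ARN.

    Action names are case-insensitive in IAM; resource ARNs are matched
    case-sensitively here (the simplest model; the real service is more nuanced).
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(
            _matches(a, action, case_insensitive=True)
            for a in _as_list(stmt.get("Action", []))
        )
        resource_ok = any(
            _matches(r, resource_arn) for r in _as_list(stmt.get("Resource", []))
        )
        if action_ok and resource_ok:
            return True
    return False


def stack_arn(region: str, account: str, stack_name: str, stack_id: str = None) -> str:
    # CloudFormation stack ARNs have the form ...:stack/<name>/<id>; the trailing
    # '*' in the policy pattern absorbs the "/<id>" part as well.
    suffix = stack_id or "00000000-0000-0000-0000-000000000000"  # placeholder id
    return f"arn:aws:cloudformation:{region}:{account}:stack/{stack_name}/{suffix}"


def new_stack_name(now: datetime = None, uid: uuid.UUID = None) -> str:
    """Naming convention from the answer: EMRCluster<date>-<UUID>."""
    now = now or datetime.now(timezone.utc)
    uid = uid or uuid.uuid4()
    return f"EMRCluster{now:%Y%m%d}-{uid}"


if __name__ == "__main__":
    region, account = "us-east-1", "123456789012"  # constructed placeholders
    own = stack_arn(region, account, new_stack_name())
    other = stack_arn(region, account, "Prod-VPC")
    print("own stack, DeleteStack  ->", is_allowed(DELETE_STACK_POLICY, "cloudformation:DeleteStack", own))
    print("other stack, DeleteStack->", is_allowed(DELETE_STACK_POLICY, "cloudformation:DeleteStack", other))
    print("own stack, CreateStack  ->", is_allowed(DELETE_STACK_POLICY, "cloudformation:CreateStack", own))
```

The third check is the one worth noticing: the posted policy only grants DeleteStack, so creating the stack in the first place relies on the other managed policies the answer mentions, and the naming prefix is the only thing keeping one user's DeleteStack away from another user's stacks. Anyone who can create a stack named EMRCluster-something can also delete someone else's, so the prefix gives convenience rather than per-user isolation.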
