Pratik Garg

Reputation: 847

Understanding IAM Roles

Let's assume a user 'ABC' has the 'EC2 Full Access' policy attached to it. A role is also available for 'S3 Full Access', and EC2 can assume this role. Does that mean ABC can indirectly access S3? I am a bit confused here. Also, any user who can log in to the EC2 machine can assume this role and access S3. How can I control this so that the application deployed by user 'ABC' can assume this role, but other users' applications cannot?

Upvotes: 2

Views: 628

Answers (1)

Chris Williams

Reputation: 35258

I'll try to break this down from your question.

Firstly, you have a role that could have 'S3 Full Access'. If this is to be attached to a service, you will need to create a trust policy that says that service can be used.

How roles work with services differs by service. For example, an EC2 host by default will use temporary credentials from the IAM role that are assumed without any user input, whereas Redshift requires you to explicitly specify the role ARN when you want the service to assume the role (for example to copy objects from S3).

This means that if anyone can access the EC2 instance and calls the AWS API via the SDK or CLI, they will have the same permissions as the EC2 host (taken from the role).

If an IAM user wants to gain access to the role but does not have access to the EC2 host, they would need to perform sts:AssumeRole to be able to assume the role the EC2 host is using. In addition, the principal for the role would also need to whitelist either the account or the specific user ARN to assume it.

Upvotes: 1
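As an added illustration of the trust-policy point in the answer (this is example code written for this page, not code from the answerer or from AWS), the block below builds two role trust policies and a small check that flags the over-broad shape. The narrow policy trusts the EC2 service principal (so an instance profile can use the role) plus one specific user ARN; the broad one trusts the whole account root, which hands the decision to every principal in the account that holds an sts:AssumeRole permission. The account id `123456789012`, the user name `ABC` from the question and the statement ids are constructed placeholders.

```python
import json

# Constructed placeholders (not from the original post).
ACCOUNT_ID = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/ABC"   # the user from the question, hypothetical ARN

# Narrow trust policy: the EC2 service (via an instance profile) and one named user.
TRUST_POLICY_NARROW = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEc2InstanceProfile",
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
        {
            "Sid": "AllowOneUser",
            "Effect": "Allow",
            "Principal": {"AWS": USER_ARN},
            "Action": "sts:AssumeRole",
        },
    ],
}

# Broad trust policy: whitelists the account root, so any principal in the account
# with an sts:AssumeRole permission in its own identity policy can assume the role.
TRUST_POLICY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_principals(policy):
    """Return the set of principals that some Allow statement grants sts:AssumeRole to."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not (actions & {"sts:assumerole", "sts:*", "*"}):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                      # anonymous principal, written as a bare string
            found.add("*")
            continue
        for kind in ("AWS", "Service", "Federated"):
            for p in _as_list(principal.get(kind, [])):
                found.add(p)
    return found


def broad_principals(policy):
    """Principals wider than one user, role or service: anonymous, account root, or wildcard ARNs."""
    return sorted(
        p for p in assume_role_principals(policy)
        if p == "*" or p.endswith(":root") or "*" in p
    )


if __name__ == "__main__":
    for name, policy in (("narrow", TRUST_POLICY_NARROW), ("broad", TRUST_POLICY_BROAD)):
        print(f"{name}: trusted={sorted(assume_role_principals(policy))} "
              f"broad={broad_principals(policy)}")
    print(json.dumps(TRUST_POLICY_NARROW, indent=2))
```

The check only reads the trust policy; as the answer notes, a principal whitelisted by account root still needs sts:AssumeRole in its own identity policy, so the trust policy is the place to narrow who may assume the role, and the identity policy is the second gate.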
