Reputation: 847
Understanding IAM Roles
Let's assume a User 'ABC' has 'EC2 Full Access' policy attached to it. Role is also available for 'S3 Full access' and EC2 can assume this role. Does that mean ABC indirectly can access S3? I am bit confused here. Also, any user who can logged-in to the EC2 machine can assume this role and can access S3. How can I control this so that application which was deployed by user 'ABC' can assume this role not by other users application?
Upvotes: 2
Views: 628
Answers (1)
Reputation: 35258
I'll try to break down from your question.
Firstly you have a role that could have the 'S3 Full Access'. If this is be attached to a service you will need to create a trust policy that says that service can be used.
How roles work with services differs on the service, for example an EC2 host by default will use temporary credentials from the IAM role that are assumed without any user input. Whereas Redshift requires you to explicitly specify the role Arn when you want the service to assume the role (for example to copy objects from S3).
This means if anyone can access the EC2 instance, if they call the AWS API via SDK or CLI they will have the same permissions as the EC2 host (taken from the role).
If a IAM user wants to gain access to the role but does not have access to the EC2 host they would need to perform sts:AssumeRole to be able to assume the role the EC2 host is using. In addition the principal for the role would also need to whitelist either the account or the specific user Arn to assume.
Upvotes: 1
Related Questions
- IAM Roles and instance profile
- IAM Role as a Principal
- Clouformation assumable role
- Assuming role in AWS
- AWS: To Role or not to Role?
- IAM - Purpose of role identity in AWS
- AWS: Assinging IAM roles to IAM users
- What are roles in IAM?
- Understanding on concept of IAM role on EC2
- Confused about IAM Roles, Policies, Statements and Actions