Marcelo Villa

Reputation: 1131

Mimic user permissions on AWS EC2 instances using IAM roles

I'm setting up an AWS account with several users. Each of these users has policies attached that restrict their access to specific S3 buckets/objects and the EC2 instance types / Autoscaling Groups they can launch.

Users can launch multiple on-demand / spot instances at any given time. I want to make sure that the instances that a specific user launches have the same permissions or restrictions as the user that launched them. I'm sure I can find a way of setting up the corresponding user credentials on startup but I'd rather use roles for this.

I've been able to create a role and an instance profile to launch an EC2 instance and get S3 access with temporary credentials instead of setting up the user's access key ID and secret access key on that instance. However, is there any way of having the role mimic the user's permission so any instance launched by that user has their same restrictions? Right now a user could simply use this role to launch an EC2 instance and use that instance to access S3 buckets and objects he should not be able to access otherwise. Furthermore, some of the policies use the aws:username variable, which is not available when the principal is an assumed role.

One workaround seems to create user-specific roles with the same policies as the ones attached to the user, but this seems like a bad approach, especially if I have a big number of users that I constantly update permissions for. I'm also unsure if I'm able to restrict users from assuming roles different than their corresponding ones. Lastly, this still would not work for policies that use the aws:username variable.

What are my options here? What would be a good practice in this scenario?

Upvotes: 1

Views: 136

Answers (1)

Maurice

Reputation: 13107

What you're looking for is an IAM permissions boundary.

The idea is that you designate an IAM policy that describes the maximum that a user is allowed to do. You can attach this policy as a permissions boundary to a principal, and it will limit how many privileges they can get.

If your users need to be able to create an IAM role (e.g., to be used in an EC2 instance profile), you can give them permission to do that under the condition that they attach a permissions boundary to that role. Here's an example of that:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOrChangeRoleOnlyWithBoundary",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/XCompanyBoundaries"
                }
            }
        }
    ]
}

The policy is taken from a blog post about this subject that I wrote a while ago. (Usual disclaimer: I wrote this post, it's relevant to the question)

Upvotes: 3
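The following is an added example, not code from the question, the answer or AWS: a deliberately simplified, offline model of how a permissions boundary caps an identity policy (effective permission = identity Allow AND boundary Allow, with any explicit Deny winning), plus a check that a role-creation policy like the one in the answer only permits iam:CreateRole when the expected boundary ARN is attached. The identity policy, boundary and bucket names are constructed for illustration; the evaluator ignores Condition keys, NotAction/NotResource, resource policies and SCPs, so it is a teaching aid rather than a reimplementation of the IAM engine.

```python
"""Simplified model of IAM permissions-boundary evaluation (added example).

Only Effect, Action and Resource with * / ? wildcards are handled; Condition,
NotAction, NotResource, resource-based policies and SCPs are out of scope.
"""
import fnmatch
from typing import Iterable, Optional

# Constructed identity policy: broad S3 access, plus the right to run instances.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed boundary: the most a principal may ever do, regardless of identity policy.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::team-data*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# The role-creation policy from the answer above (account id as given there).
ROLE_CREATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CreateOrChangeRoleOnlyWithBoundary",
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
                   "iam:DeleteRolePolicy", "iam:DetachRolePolicy"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/XCompanyBoundaries"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str, case_insensitive: bool) -> bool:
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate_policy(policy: dict, action: str, resource: str) -> Optional[str]:
    """Return 'Deny', 'Allow', or None (no matching statement) for a single policy."""
    decision = None
    for stmt in policy["Statement"]:
        action_hit = any(_match(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_match(r, resource, False) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in any matching statement wins outright
        decision = "Allow"
    return decision


def effective_decision(identity_policies: Iterable[dict], boundary: Optional[dict],
                       action: str, resource: str) -> str:
    """Combine identity policies and an optional boundary into a final decision."""
    identity = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in identity:
        return "Deny"
    if boundary is not None:
        # The boundary never grants anything by itself: it must *also* allow the request.
        if evaluate_policy(boundary, action, resource) != "Allow":
            return "Deny"
    return "Allow" if "Allow" in identity else "Deny"


def role_writes_require_boundary(policy: dict, boundary_arn: str) -> bool:
    """True if every Allow statement reaching role creation/policy changes is
    conditioned on iam:PermissionsBoundary == boundary_arn."""
    guarded = ("iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_match(a, g, True) for a in _as_list(stmt["Action"]) for g in guarded):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("iam:PermissionsBoundary") != boundary_arn:
            return False
    return True


if __name__ == "__main__":
    obj_in = "arn:aws:s3:::team-data-raw/report.csv"
    obj_out = "arn:aws:s3:::payroll/salaries.csv"
    print("boundary, in-scope bucket :", effective_decision([IDENTITY_POLICY], BOUNDARY, "s3:GetObject", obj_in))
    print("boundary, other bucket    :", effective_decision([IDENTITY_POLICY], BOUNDARY, "s3:GetObject", obj_out))
    print("no boundary, other bucket :", effective_decision([IDENTITY_POLICY], None, "s3:GetObject", obj_out))
    print("boundary-only permission  :", effective_decision([IDENTITY_POLICY], BOUNDARY, "ec2:DescribeInstances", "*"))
```

The "no boundary" line reproduces the situation the question describes: a role whose policy is broader than the user's can reach buckets the user could not. Attaching the boundary closes that gap without duplicating per-user policies, while the last line shows the other direction, that a boundary grants nothing an identity policy does not already allow.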
