I want to create a role for a Lambda function that allows it to create/update/delete any resource, as long as that resource was also created by it. For example, it should be able to create an SQS queue and do anything with it, but it should not have access to any other SQS queues from that AWS account.
Can this be achieved using IAM policies?
I've tried to use resourceTag and requestTag conditions for this, allowing the role to create or modify a resource only if is tagged with a specific value. Unfortunately, a lot of AWS services do not support authorization based on tags.
Are there other options for achieving this?
You could create IAM policies that only allow a user to create, update, delete resources that have a particular naming scheme. For example, you could set the policy's resource arn to have "/username*". The user would only be able to create resources that start with their username and effect those resources. They wouldn't be able to effect resources created that started with another users name and vice-versa.
It is very hard to do in practice. You would have to combine the tags that you already mentioned, along with permission boundaries.
I think the best way to achieve this is to give you application its own dedicated AWS account, so that you can scope its permissions to that account, and it doesn't have the ability to impact other applications.
Related
I want to implement a security measure that enables any authenticated user to delete any AWS resource only on approval from any other member.
The main objective is to make sure that, if the creds are compromised, the user should not be able to delete any resource without approval.
Looking forward to get some expert advise and discussion on this.
I understand, the least access privilege and MFA, but still it is fulfilling our requirements.
Since this is not directly supported by AWS, you will have to set up a custom solution for this.
This is one possible solution:
Create a role with delete permissions.
Create a Lambda to use that role to delete a resource.
Implement the Lambda to only processes the delete request if the input includes at least two approvals. (This part depends on your org authentication mechanism. Could be LDAP, short term access tokens, etc)
This fulfills the two requirements you mentioned:
a security measure that enables any authenticated user to delete any AWS resource only on approval from any other member.
The Lambda will only process the request if there is at least 2 approvals.
if the creds are compromised, the user should not be able to delete any resource without approval.
In this design there are no credentials. The role you created can only be assumed by the Lambda. You can further improve the security by only allowing certain Users, Roles or Groups to be able to execute the Lambda.
I understand the resources and identity iam policies and im trying to restrict access to a group or user to only the resources this group or user will create.
Note the resources are not yet created, so i dont have a resource arn for the ec2/s3/ecs etc. i can use in the policy definition.
I have tried to create a policy with all actions on ec2 and restrict it to a resources set to a specific group but i have an error message stating the resources are not set properly
Thanks a lot for your time and consideration
This isn't really a question anyone can answer properly. So here are a few pointers to get you going in the right direction;
AWS Service Control Policies - https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html and https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
AWS Control Tower - https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
AWS Policy Generator - https://awspolicygen.s3.amazonaws.com/policygen.html
All that being said, I'm not aware of a way to do what you are asking. Any AWS account is designed to be a platform for the organisation, not an individual use case. It's top down, not bottom up.
If User X wants their own separate playground, set them up with their own Account under the main Organisation, but you probably won't want to do this per user, more groups/teams of people in most organisations.
We want to have deployment users to use in our pipelines, purely for programmatic access. These users will be created per project, rather than using one deployment user for all stacks.
I'm trying to lock down the resources that these deployment users have permission to change, but I'm struggling due to the fact that the ARN is not yet known until the stack is created, meaning that creating the IAM policy to restrict it to only certain resources is proving difficult.
For example, say I want to create an application load balancer (with listeners, rules etc) - I want the deployment user to have permission to create an ALB (easy enough) but I want the deployment user to only have permission to delete or modify the newly created ALB, not any other ALBs.
Any tips / smart ways to do this? The ARNs are generated and "random" as I dislike naming my resources and having to modify the names if I change a setting that requires replacement.
You can use IAM policy conditions to restrict access to resources based on tags.
For example, you can add two policy statements with a condition element to allow specific actions on a resource:
User1 can create a resource only if the request contains owner=user1 tag.
User1 can update or delete a resource only if owner=${aws:username} tag is attached to the resource.
You can find policy example in this guide:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
I have users that have been added by other admins in my AWS account. I am afraid that these users might get deleted by other people.
Is there a way to add a description to an IAM user?
I don't see any way to add description/tag when you create an IAM user. One suggestion is to create a IAM group for each admin and add the user to the admin's group when a user is created/added. You can have group(s) with no policy attached.
There is currently no way to add a description to a user. There are a number of better ways to solve your core issue however. Some of the IAM Best Practices specific to your use case include:
Use AWS Defined Policies to Assign Permissions Whenever Possible - AWS-managed policies are designed to support common tasks, such as deleting and creating users. Assign these policies to the users that need them.
Grant Least Privilege - Granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks. This is probably the most important factor in preventing users from being deleted accidentally.
Monitor Activity in Your AWS Account - You can use logging features in AWS to determine the actions users have taken in your account, including deletion of users either accidentally or on purpose. Two very useful tools you should be using in this regard include:
AWS CloudTrail - CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, including user deletions.
AWS Config – Provides detailed historical information about the configuration of your AWS resources, including your IAM users, groups, roles, and policies.
As you can see, utilising the built-in tools that AWS provides can assist you in preventing administrators from deleting users unnecessarily.
As a workaround, you can add a TAG to your user with its key named "DESCRIPTION" and put in the description as a value. Note that for the value, you are very limited to the characters you can use. For instance, you cannot use the apostrophe ('). But it is better than nothing.
My intention is simple- to create a role that I can assign to a standard user of my AWS account so that they can read/write to one of my S3 buckets.
I've created a policy to apply to the role and I'm happy with that bit.
The thing I'm a bit confused about is the "Select Role type" screen in the management console (see attached image). I can't work out what I'm supposed to choose at this stage as none of the descriptions seem to apply to the simple thing I'm trying to achieve.
Does anyone have any idea?
I think you are on the wrong path here. Roles are not ACLs for users, but for systems and services.
See: IAM Roles
If you want to grant a user access to some AWS resources you should have a look at the policy section. Either use a pre-build (like AmazonS3ReadOnlyAccess or AmazonS3FullAccess) or define a policy on your own.
You can then assign this policy to a user. If you want to manage multiple users this way, you can also use groups to assign policies to users.