I am using ssm:tag of documents to restrict access to users based on user role and document tag. I have added a condition to IAM policy and it's working. But when I try to do this with cross account, it's not working.
1) My SSM documents are in Master account, shared with Child account
2) IAM Policy to restrict access based on tags is in Child account (Tag key: Role)
3) The request is made to Child account
Scenario 1: I can execute the documents successfully, when condition from the IAM Policy is removed. So the Child AWS account can fetch the SSM Documents from Master AWS account.
Scenario 2: I cannot execute the documents when filtered based on tags, i.e. condition added to teh IAM policy. This shows the Child AWS account is unable to fetch tags of SSM documents from Master AWS account.
Could someone please help me with this? Attaching the IAM Policy for reference.
IAM Policy Document:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ssm:SendCommand",
"Resource": [
"arn:aws:s3:::ssm-deliverables/ssm-*",
"arn:aws:ec2:ap-south-1:20**********:instance/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ssm:ListCommandInvocations",
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "ssm:SendCommand",
"Resource": "arn:aws:ssm:::document/*",
"Condition": {
"StringEquals": {
"ssm:resourceTag/Role": "${aws:PrincipalTag/Role}"
}
}
}
]
}
aws:PrincipalTag used here is one of the aws global condition context keys. We have to use the above key to compare the tag attached to a principal making request with the tag that you specify in the policy.
In this case, the principal is IAM User/Role to which the above policy is attached. So the IAM User/Role itself should be tagged with the same values mentioned in the IAM Policy.
For Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:StartInstances",
"Resource": "*",
"Condition": {"StringEquals": {"ec2:resourceTag/Name": "${aws:PrincipalTag/Name}"
}
}
}
]
}
Assume that the above policy is attached to an IAM user who has wants to start an EC2 Instance, the user will be able to start the EC2 Instance if the user is tagged with the same tags as the resource tags mentioned in the IAM Policy.
So, you have to tag the IAM User making request to SSM, with the key 'Role' and Value set the role name or arn same as ssm document tags.
Related
Can I use string interpolation for the Resource key of IAM statements? I am trying to grant access to a bucket based on the team a user is tagged as.
This statement does not work
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::${aws:PrincipalTag/team}.example.com"
}
]
}
If I replace ${aws:PrincipalTag/team} with a hardcoded team name it works as expected.
You can accomplish this by using conditional keys in either the iam role/user's policy or the s3 bucket policy.
IAM Policy
For using conditional keys in the iam policy, you will need to add a statement that limits the users s3 actions to resources that have been tagged with a particular resource tag. This will prevent the user from access s3 objects that do not have a particular tag. One problem that you may discover is that you will then need to make sure all objects you wish to interact with are also tagged.
Example of a iam policy:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws: aws:ResourceTag/owningTeam": "team1"
}
}
}]
}
s3 Bucket Policy
For using conditional keys in the s3 bucket policy, you will need to add a statement that limits access to the bucket to users/roles with a particular principal tag. The user will still need to have permissions to perform s3 actions, but the resource policy will restrict the access. In addition to condition keys, you can also limit based on the user/role arn.
Example of a bucket policy:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "statement1",
"Effect": "Allow",
"Principal": "*",
"Action":"s3:GetObject",
"Resource": "arn:aws:s3:::awsexamplebucket1/*",
"Condition" : {
"StringEquals" : {
"aws:PrincipalTag/team": "team1"
}
}
}
]
}
Since you ultimately want to leverage the tags on the principal, I'd recommend the bucket policy approach.
Resources:
IAM Policy vs Bucket Policy
aws conditional keys
I am planning to implement AssumeRole scenario so below is scenario
user will have ability to create/stop Ec2 instances but not terminate.
To terminate he has to assume role (role to be assumed Ec2FullAccess)
I have done the following
Create a user Test1 with permission to start/stop/launch Ec2 instance and have provided permission to assume role (EC2FullAccess) below is the Policy for user
{
"Version": "2012-10-17",
"Statement": [<br>
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "ec2:TerminateInstances",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::226904037275:role/EC2FullAccess"
}
]
}
Create a role in same account with name EC2FullAccess which would give permission to terminate Ec2 instance
Ec2FullAccess uses AmazonEC2FullAccess Permission Policy below is its Trust Policy
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Now when i login as IAM user Test1 and then click on switch role ,i provide below details
Account: 1234
Role: EC2FullAccess
When i click on Switch Role i get Below error
Invalid information in one or more fields. Check your information or contact your administrator.
What is that I am missing
You can create the Role this way:
Create Role
For Type of Trusted Entity, select Another AWS Account and enter the Account ID for the same account (it is displayed in the same menu as the 'Switch Role' command) -- This might seem odd, but it creates the correct principal in the Trust Policy.
Attach desired policies and Save
Then, use Switch Role.
By the way, assigning EC2FullAccess is probably overkill -- it gives permission to do anything in EC2, including deleting VPCs, deleting Amazon EBS volumes, changing network settings, etc. I suggest you create a specific policy that grants TerminateInstances permission, and possibly even reduce that down to specific instances (eg by tag or VPC).
Anyone knows how I can track if IAM pass role action (inside a role) is being used by any services or not? As per AWS document the "iam:PassRole" action is not tracked under IAM access advisor: Refining Permissions Using Service Last Accessed Data - AWS Identity and Access Management
I have this policy inside a IAM role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*"
}
]
}
In S3, can we create an IAM user and give it rights to create other IAM users?
S3 and IAM are 2 different AWS services. S3 has nothing to do with IAM user creation.
I'll go ahead and assume that you meant creating an IAM user with permissions to create other users.
Yes, it is possible to do so. You just have to attach a suitable IAM policy to the newly created user. Following policy should get you started.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:CreateUser",
"iam:CreateAccessKey"
],
"Resource": "*"
}
]
}
The policy specified by Maverick in the above answer can create a new user and create access and secret keys for the user. However, it cannot create or attach any policies to the created user. So, I'm adding the required permission to create and attach IAM and inline policies for IAM users.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:AttachUserPolicy",
"iam:CreateAccessKey",
"iam:CreatePolicy",
"iam:CreateUser",
"iam:PutUserPolicy"
],
"Resource": "*"
}
]
}
Refer this for more information about actions related to Identity and Access Management (IAM) in AWS: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html
I'm trying to give IAM users Full api/console access to an EC2 with the tag (key/value) UserName/[their IAM username].
I've tried the policy below which works for some stuff but not others and I can't figure out why it's not working for everything.
user CAN start and stop an instance with a UserName tag set to their IAM username (they cannot do this without the below policy)
user can NOT change instance type on an instance with their UserName tag (which seems to be a ec2:* action)
user can NOT change termination protection on an instance with their UserName tag
My IAM Policy
in addition to this policy, these users also have full read access with the pre-defined AWS policy ReadOnlyAccess.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/UserName": "${aws:username}"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
}
]
}
I combined pieces from a number of AWS articles to create this policy:
- https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-ec2-console.html