I have one group in AWS as Incident-Security-operation, this group has only read-only permission to all the AWS account. But I want to give full permission or administrator to one account and read-only permission and to the rest of the accounts. Can you please help me to write permission with the condition for the particular account. I tried ArnLike and ArnEqual but didn't work for me. We integrated with AD for SSO
Regard IAM users and group, best practice for this use case is to implement two IAM groups eg Incident-Security-operation and Incident-Security-operation-admin, and give permissions to each as needed. Then you assign users to each group as needed.
This approach fosters much better security posture than conditioning permissions in a single policy.
From an operational standpoint, its much easier, and more transparent, to move users between the appropriate IAM groups, than to manage conditional logic in the policy syntax. Using IAM groups also means user membership in each group is easily auditable.
Related
Related to AWS:
I've been trying to search for an answer about the Users and Groups that I have created using IAM (AWS), how can I map those Groups with the Organization Unit(s)?
For example: I have a Group called 'Developers' where Users (say 5 Users) are member of it.
Now, I have an Organization Unit of 'ApplicationsDevelopment&Services' where I need to give access to 'Developers'. Can I associate Groups with OUs, so that members of that Group get necessary access.
I have some policies (SCP) applied on that OU, to manage the access boundaries of Developers.
Please suggest if there is a way to do it or something else needs to be done like ActiveDirectory setup (whole new setup)?
Thank You,
Varun Gupta
I recommend to have a look into AWS SSO (https://aws.amazon.com/single-sign-on/?nc1=h_ls). It comes with no additional cost, is enabled with one click and lets you easily assign cross-account role access to Groups/Users.
Going with an IAM Group which you like to have access to all accounts inside one OU, create roles inside those accounts with a trust relationship to the user/group account. You can use a CloudFormation StackSet to enroll the Stack on OU level. Allow sts:AssumeRole for the particular group, resource section pointing to the role you deployed through the StackSet (leave the account_id blank).
Then everyone inside the group should be able to assume the role and deployment of the cross-account role is centralized.
AWS Org SCPs have account or OU scope, they are not for individual IAM users or roles. From aws blog:
Central security administrators use service control policies (SCPs) with AWS Organizations to establish controls that all IAM principals (users and roles) adhere to.
At the account level, a similar type of maximum permissions gourds on individual users or roles (not groups) can be set using permission boundries. Thus, if you have any roles mapped to your uses through AD, you can look at attaching permissions boundaries to them. But, note that permissions boundaries are an advanced IAM topic, thus its not clear for me how exactly they would apply to your use-case.
I am trying to understand why you need IAM "roles" to access a resource in a different IAM account, and why AWS can't just do the same thing with IAM groups.
Whenever I ask people this question the conversation just seems to go in circles:
Them: "To grant access to a resource to users in another IAM account, you have to give them permission to assume an IAM role, and then grant that IAM role access to your resource."
Me: "I understand that, but why can't you just create an IAM group that can access that resource, and then add those users from the other account to your IAM group?"
Them: "You can't add users from another AWS account to an IAM group in your account."
Me: "I understand that too, but why does AWS only let you do cross-account permissions like that by using roles? Why wouldn't it make just as much sense for AWS to let you create an IAM group and then let you add IAM users from other accounts into that group?"
There's probably some simple one-sentence piece of information that explains why it has to be this way, and once someone tells you, it all makes sense, but it's not in the documentation and I don't know what it is. What is it?
I would say security is main reason. IAM roles provide only temporary credentials. Using such credentials whenever possible is good practice for security reasons.
Off course you can also create IAM user in your account, and give the associated access keys to people form the other account. And sometimes this is preferred, e.g. to enable read access only to some resources. But the issue is that IAM user credentials are permanent, unless manually disabled or deleted. For security reasons giving away permanent credentials to your account is not a recommended practice.
From docs:
We recommend using this approach to enforce the principle of least privilege. That means restricting the use of elevated permissions to only those times when they are needed for specific tasks. With roles you can help prevent accidental changes to sensitive environments, especially if you combine them with auditing to help ensure that roles are only used when needed.
The one-sentence answer is that Amazon chose to do it that way.
From an operational perspective, it simplifies life considerably if you associate an access key with an account. The alternative is to specify an account separately with every request.
From an organization management perspective, trees are easier to understand than forests. What I mean by that is that everything branches off the account's IAM root. If you allow arbitrary users across the AWS universe to have access to arbitrary resources within arbitrary accounts, you end up with a management nightmare.
As a sidebar to that last comment, the early AWS services had resource-based policies. These are now discouraged in favor of identity-based policies, and newer services don't have resource policies.
Lastly, from a security perspective, a multi-tenant environment is a lot easier to control if you establish a hard wall around each tenant.
I am currently learning AWS, and I stumbled upon this scenario where I want to grant access to a service to a user within the same AWS account as mine, using Roles.
So here is the detail of the scenario I am thinking of,
I am currently an admin IAM user 'A'. There is another IAM user 'B' with no access to EC2 service (infact he has access to nothing in AWS!).
I want this user B to temporarily have read-only access to EC2 instances. So I create a role, and attach a policy 'AmazonEC2ReadOnlyAccess' to it.
Now, I want 'B' to switch to this role when he logs in, so that he can view Ec2 instances.
I am aware that this can also be done by creating a group and assigning the policy to that group, and then adding this user 'B' to that group.
But I want to do this using roles.
I am not sure if this is even possible in AWS (or worse if this scenario itself is valid?), because the documentation only speaks about cross-account role switch.
Can anyone help me understand this, and let me know if this is even possible and what I need to do?
I'm not sure why you would do it like this rather than either:
Applying the role to a group and adding the user to a group
Applying the policy directly to a user.
I think you CAN do what you're trying to achieve, but only by giving the user permission to assume a role via a policy, which would mean you would have to give the user permissions via a policy or group anyway (I'm also not sure if this works for roles within the same account) - in this scenario it just makes more sense to apply the policy to the user directly, rather than doing switch roles.
If you really want to go ahead and use switch roles for this, you should be able to modify the guide here to allow you to do so:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
If you wish to add an IAM user you simply attach the user to the roles trusted entity directly, for an IAM user group it is more complicated.
An additional policy is required to add the IAM user group to the role, as it is otherwise not possible to add IAM user groups to roles. As a result you have 2 policies for each permission to give rather than just 1.
UserGroup → Policy#1 → Role → Policy#2
Policy#1 is attached to the UserGroup and has a sts:assumeRole permission for the Role
Role has a trusted entity for the account it is actually in eg. arn:aws:iam::AWS_ACC_ID:root
Policy#2 has your actual permissions, and is attached to the role.
I have users that have been added by other admins in my AWS account. I am afraid that these users might get deleted by other people.
Is there a way to add a description to an IAM user?
I don't see any way to add description/tag when you create an IAM user. One suggestion is to create a IAM group for each admin and add the user to the admin's group when a user is created/added. You can have group(s) with no policy attached.
There is currently no way to add a description to a user. There are a number of better ways to solve your core issue however. Some of the IAM Best Practices specific to your use case include:
Use AWS Defined Policies to Assign Permissions Whenever Possible - AWS-managed policies are designed to support common tasks, such as deleting and creating users. Assign these policies to the users that need them.
Grant Least Privilege - Granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks. This is probably the most important factor in preventing users from being deleted accidentally.
Monitor Activity in Your AWS Account - You can use logging features in AWS to determine the actions users have taken in your account, including deletion of users either accidentally or on purpose. Two very useful tools you should be using in this regard include:
AWS CloudTrail - CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, including user deletions.
AWS Config – Provides detailed historical information about the configuration of your AWS resources, including your IAM users, groups, roles, and policies.
As you can see, utilising the built-in tools that AWS provides can assist you in preventing administrators from deleting users unnecessarily.
As a workaround, you can add a TAG to your user with its key named "DESCRIPTION" and put in the description as a value. Note that for the value, you are very limited to the characters you can use. For instance, you cannot use the apostrophe ('). But it is better than nothing.
The AWS official site reads role as a collection of permissions and group as a collection of users. But still they look the same to me. You attach policies to groups or roles, and then assign groups or roles to a user. What exactly are the differences between role and group?
Short answer for googlers: you can't assign role to user.
group is a bunch of users with the same policies
role is a preset of policies for service(s)
Users can asume roles according to AWS docs:
Assuming a Role
AWS Groups are the standard groups which you can consider as collection of several users and a user can belong to multiple groups.
AWS IAM Roles are all together different species; they operate like individual users except that they work mostly towards the impersonation style and perform communication with AWS API calls without specifying the credentials.
Given that IAM Roles are little different, I am emphasizing only that. There are several types of IAM Roles like EC2 IAM Roles, Lambda etc. If you consider, you can launch an EC2 instance with an EC2 IAM Role; hence forth any AWS API related communication wouldn't require any AWS Access Key or Secret key for authentication rather can call the APIs directly (however the long answer is - it uses STS and continuously recycles the credentials behind the scenes); the privileges or permissions of what it can do is determined by the IAM Policies attached to the IAM Role.
Lambda IAM Role works exactly the same, except that only Lambda function can use the Lambda IAM Role etc.
Users: End User (Think People).
Groups: A collection of users under one set of permissions (permission as policy). As per IAM standards we create groups with permissions and then assign user to that group.
Role: you create roles and assign them to AWS resource (AWS resource example can be a customer, supplier, contractor, employee, an EC2 instance, some external application outside AWS) but remember you can't assign role to user.
It’s not only users who will login, sometimes applications need access to AWS resources. For example, an EC2 instance might need to access one or more S3 buckets. Then, an IAM role needs to be created and attached to the EC2 instance. That role can be re-used by different EC2 instances.
Remember : Groups are for living. Roles are for non-living.
I think of an AWS Role as a kind of 'sudo', where each AWS Role can temporarily provide a very specific set of elevated privileges, but without needing the elevated credentials. I get the impression that like sudo, AWS Roles try to prevent privileged actions being used accidentally.
I'd be interested to hear if others agree with this analogy.
Please note that Groups are specific to local IAM users, which are not federated, and local IAM user logs do not show who has done the actions (i.e.., multiple people or applications could use the same long-term secret/access keys, and there is no record of which entity used them). If you must use local IAM users, you can place them into IAM Groups. Where this can be especially useful is to serve as a boundary -- you could place a deny policy on the group, restricting access to specific services or actions, and that deny policy will be applied to all users in the Group.
Conversely, roles can be federated, whereas local IAM users are not. You might create an on-premises AD group that serves as a member container, for example, and then the members of that AD group (and only they) can use the role that the AD group correlates to, with whatever allow or deny policies and/or permissions boundaries you've applied to the role. (Here is a link explaining the AWS ADFS federation.)
Importantly, roles allow for temporary session credentials (which is a best security practice), as their session tokens expire after a maximum of 12 hours. Equally importantly, roles do show in the logs which of the AD members with access to use the role actually did the action. You'll find this tacked to the end of the role ARN in the logs (e.g., a user ID). CloudTrail would be one of several services that indicate user activity. This is important from a logging standpoint.
Understanding IAM roles vs IAM groups (IAM indentities) is very important foundational concept . Its important to look at difference between IAM role and IAM user as essentially group is just a bunch of users performing similar functions (eg. group of developers, QA's etc.) Roles are not uniquely associated with one person (user), they can be assumed by user,resource or service who needs it to perform task at that point of time (session). Roles do not provide long-term credentials like password or access keys.
Best practice recommendation is to require workloads to use temporary credentials with IAM roles to access AWS
Please refer to link below for more clarity:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html
I was confused all the time about the difference between these two functions.
In short,
Role is like a tag with all the preset policies that can attach on IAM users/groups or AWS services. IAM users share the same account with the account root user (Admin) but with assigned permissions by the root user to use AWS resources within that account.
Therefore, IAM users can directly interact with AWS services; whereas IAM roles cannot make direct requests to AWS services, they are meant to be assumed by authorised entities like an IAM user or an instance. https://aws.amazon.com/iam/faqs/
I had a hard time deciphering the spirit of the given answers..
Here's what I've found:
Groups:
Intended to represent human users created within IAM who need identical policies.
Ex. Dev 1 - Dev 8 are all developers, and all need access to create dev servers.
This is similar to traditional desktop users/groups, but for HUMAN users only.
Roles:
Roles rotate automatic credentials, meaning password input isn't needed for accessing policies.
This makes it good for two things:
Giving permissions to non-humans, such as services / applications.
Ex. EC2 of type A needs access to S3 of type B.
Giving permissions to federated / outside users & groups.
Ex. Contractor A # Outside Company A needs access to your Server A.
Authentication of users & groups are handled by some service, like Azure AD.
Authorizations are then mapped to your IAM role(s), NOT users or groups.
Note: I've used Jumpcloud's Article & AWS's Documentation to gather this information. The terms "Group", "Role", and "User" become overloaded in context to SSO+IdP, and IAM.
Here's an image showing how they map roles. !Need 10 Reputation :(
Aside: There is a way of assigning Roles to normal IAM Users & Groups, but it appears to be bad practice.
Hopefully this provides clarity to the answers above.
Only one IAM Role can be assumed at a time! And there are several
situations which fits exactly this kind of permission.
Read the faq about: How many IAM roles can I assume?
The underlaying tool in use is "Permission" in both of the use cases namely: Group and IAM Role.
Group or IAM Role --> Has Policy --> Policy defines permisions --> Permissions are assigned to a Group or IAM Role.