Restrict access to S3 based on EC2 Instance and User - amazon-web-services

I have seen in earlier posts that I can restrict access to S3 bucket using the EC2 instance IAM Role. But the catch here is, if I have an account with several users in it, I cannot restrict the use of an IAM role to a particular group or individuals within that account. This inability prevents me from blocking anyone in that account to spin an instance using that IAM role.
So my dilemma is, if I have given S3 access based on EC2 Role and cannot lock down the users within an account who can use that role, this opens my S3 bucket to everyone in the account.
Please let me know if there is a way I can, either
(1) Restrict EC2 instances getting spun up using a particular role, OR,
(2) Restrict S3 access based on EC2 Role AND user logged into the instance.

Launching an Amazon EC2 instance with an assigned requires the PassRole permission, which can further specify which roles can be passed to the instance.
By default, you should not give anybody the PassRole permission. You could then assign it to appropriate Users/Groups, specifying exactly which roles they can use.
This avoids the chance that a User within limited permissions can gain extra permissions by launching an instance with a Role, and then using the temporary credentials granted to the instance to do activities beyond their assigned permissions.
This is similar to the AssumeRole permission, which controls who is allowed to assume which roles.
For more information, see: Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission)

Related

How to avoid privilege escalation in AWS?

I'm trying to figure out how to implement three contradicting requirements in AWS
Have a few admins with privileged access to IAM, Lambda, VPC, RDS and EC2.
Keep secret data in SSM Parameter Store that no one except my app can read.
Let admins create and deploy my app.
Things to keep in mind - since my app should be able to read the secret there is an IAM role and policies that grant access to it.
I can deny admins access to the Parameter Store. But that would not stop them from assuming my app role and reading the secret data. What makes it worse is many ways to assume role:
AssumeRole API.
Create EC2 Instance, assign role, login and read secrets under EC2 instance role.
Same with AWS Lambda.
If I deny access to the role they can Create a new role with right set of policies.
If I deny access to policies then they can replicate them.
If I deny access to IAM admins cannot do their job.
Given that many privilege escalation paths how do I protect secret data in AWS?

Query regarding AWS IAM Service

Started recently understanding AWS IAM Roles, Groups, Roles and Permissions.
I understood that groups will be added with some Permissions and whoever the users got added into that group, will have an access to those specific AWS services provided in that group. Where as Role is used to provide an access from one Service to Other. (Say Lambda wants to have an access for CloudWatch).
My Query is: Suppose if Group (say 'dev') have added only 2 Permissions policy (say S3FullAccess, LambdaFullAccess)
and Role created for Lambda Service (having Permission policy "cloudwatchFullAccess"), then does a user from 'dev' group can able to access 'cloudwatch' service?
EDIT:
Another query: I didnt understood on How do we map Users/Groups to only specific Roles? orelse does Roles can be accessed by every user/group (assuming Permission policies already added in Groups of those services mentioned in the Roles)? Please clear me this too
The permissions from the role are only allowed by a principal (IAM user/IAM role/AWS Service) that has assumed the role. If your user had the permission to assume that IAM role and did it, then yes they would have those permissions.
However based on the policies they have they cannot assume the role, but Lambda (assuming it has a trust policy in place) can assume the IAM role in question.
This means that Lambda can perform any CloudWatch interactions, which would allow a user within the dev group to add code that interacts with CloudWatch within the Lambda function and then when triggering the Lambda function see the output of it.
They would not however be able to see the CloudWatch interface within the console, or directly interact with it on the AWS CLI.
To explain the difference between users, groups and role:
An IAM user is an entity with which you can interact directly through the console or CLI. It requires credentials to perform these interactions and gains its permissions from policies. It is generally advised not to use these for applications that reside in AWS.
An IAM group is an entity to group similar IAM users, providing them the same permissions. This allows a hierarchy to be easily maintained. No entity can become a group, it is an assignment to an IAM user.
An IAM role is similar to a user, in that it can interact with the console or CLI. However, to do this it must be assumed, which will provide the entity that assumed it with temporary credentials. An AWS service that assumes the role manages these temporary credentials for you.
For a user to assume the role, 2 things would need to be in place. The role would need to have a trust policy that enables the principal of the IAM user (or account) to assume that role. In addition the user would need to have permission to perform the sts:AssumeRole action on the IAM role resource.
More information about this can be found in the Granting a User Permissions to Switch Roles
documentation.

How can I allow an AWS cross account user to create and keep an RDS snapshot?

My business partner has created an Amazon AWS RDS instance in his account. In the event that he is incapacitated, how can I access the RDS instance and take and use a snapshot without having his admin credentials?
I see a way to share a manually created snapshot but that's not what I want. I need at any time to be able to create and extract a snapshot without permission barriers. Can this be handled by IAM?
You will need one of:
An IAM User in their account that has permissions to create and extract the snapshot. When necessary, you would login to his user and access the data. OR
An IAM Role in their account with the necessary RDS permissions, with a Trust Policy that allows your IAM User in your Account to assume that role, so that you can then create and extract the snapshot.
Either way, they are granting you permissions to perform those steps. They should limit the permissions granted so that you can't accidentally or intentionally do damage (eg delete the database).

Is it possible to access Redshift with an IAM role from another account? how?

We’re trying to implement Redshift with authentication via SAML.
In our case, we have many AWS accounts and the Redshift cluster is in one of them. We need to viabilize the access via roles from these accounts to the one that hosts the cluster. Discarding the necessity of having to manage user/password.
The way we implemented it’s already possible to login using IAM roles, but we still need the cross-account.
Does anyone knows if it's possible ?
Since you already have signin working with IAM roles, the process would be:
Amazon Redshift in Account-A
IAM Role (Role-A) in Account-A that has:
Permission to access Redshift via IAM (I think it's just permission to call GetClusterCredentials?)
A Trust Policy allowing the Role to be assumed by specified other accounts (or specific roles in those accounts)
Other accounts wanting to access Redshift will:
Call AssumeRole() to assume Role-A
Use the returned temporary credentials to access Redshift using Role-A
Thus, Redshift only ever sees a login being requested from Account-A.

AWS Which IAM Role For S3 Presigned URL

I am deploying a server program in an ec2 instance which needs to be able to create pre-signed urls for s3. So far I've had my AWS credentials in environment variables for testing, but I would like to switch to the IAM Role strategy now. However, I am unsure as to which policies the role should have access too. My initial guess is to have AmazonS3FullAccess, but the description says "Provides full access to all buckets via the AWS Management Console" but the ec2 instance will be using the c++ sdk, not the management console. Or is the policy not important, just that it has a policy so it gets credentials somehow?
You're confusing policies and roles.
a policy grants permissions to a user or to a role or to a group.
the difference between a user and a role is subtle, but basically a role is something that's assumed by other services in AWS, like an EC2 instance, while a user is generally just an identity you've created for use in AWS.
The policy description for full access may make mention to the management console, but it grants full access to all buckets whether through the console, the api or an sdk, they're all really the same thing under the hood.
You should not use the fullaccess policy. You could use it as a base to build your real policy, but IAM should always use the least privilege principal, where you only give the permissions that are absolutely required, in this case the role only needs read and possibly list permissions on the specific bucket in question if generating urls for reading, or put permissions if allowing uploads.