IAM – thetrainit

July 2, 2020July 2, 2020

Switching Roles Using the Console

This walkthrough uses a role to delegate access to resources that are in different AWS accounts. You share resources in one account with users in a different account. By setting up cross-account access in this way, you don’t need to create individual IAM users in each account. In addition, users don’t have to sign out of one account and sign into another in order to access resources in different AWS accounts.

This walkthough requires 2 accounts. They do not have to be in the same organisation, but can be.

In later posts, I expand on the scenario by using the same concept for CLI access, but using the console is a good place to start before looking at that.

I will call the accounts “the trusted account” and “the trusting account”. The trusting account contains the resources that the user in the trusted account will access.

In the trusted account we will create a role which can be assumed by a user in the trusting account.

To keep it simple, I will attach an administrator access policy to the role. In real life, you would use the principal of least privilege, for example, if the user only needs access to an S3 bucket, then the policy would only allow that.

It will be useful to use a text editor as a scratch pad so you can copy and paste the two account ids, and names of roles and policies that you create.

Account ids can be seen from “My Account” in the drop down menu below the logged in username in the top right of the console.

I assume you have an IAM user with full admin rights set up in each account.

In the trusting account:

Navigate to IAM,Roles, Create Role.

For “Select type of trusted entity”, select “Another AWS Account”

Supply the account ID of the trusted account, and click Next.

For “Attach permission policies” select “AdministratorAccess”.

I named the role “CrossAccountRole”

The role now has two policies: the “AdministratorAccess” policy, and a Trust policy. To see the trust policy, select the role, click on the “Trust Relationships” tab, and click “Edit trust relationships”. It will be similar to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<trusted account id>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

This policy allows a user in the trusted account to potentially assume the role. However, they still need permissions in order to assume the role. Any user with Administrator Access in the trusted account has such permissions. They would also be able to give other users permissions to assume the role. This is called delegation, which we will see how to do later.

In the trusted account:

In the top right of the console, below the logged in user name, select “Switch Role” from the drop down menu.

Supply the account id of the trusting account, the name of the role “CrossAccountRole”, choose a display name, and click “Switch Role”. You are now logged in to the trusting account with Administrator rights. From the same drop down menu in the top right, you can choose “Back to <username>” to switch back.

And that concludes the first part of the walkthrough.

In real life, you would use the principal of least privilege. The cross account role in the trusting account would allow only the required permissions, and the user in the trusted account does not need to be an admin in the trusted account.

To see how an ordinary, non admin user could be given permissions to assume the role:

In the trusted account:

Create a policy. For service, choose STS. For “Access Level”, choose Write, then tick AssumeRole. For resource, choose Specific. You are given a friendly way to generate the ARN by supplying the trusted account id and the name of the role in the trusted account.

Click Review Policy and supply a name for the policy. I called it “AssumeCrossAccountRole”

The policy will look something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<trusting account id>:role/CrossAccountRole"
        }
    ]
}

Create a user. I named the user “TrustedUser”. Allow Console Access, and click Next. Choose “Attach existing policies directly” and select the policy “AssumeCrossAccountRole” just created.

To test it, login to the trusted account as “TrustedUser”. We gave minimal permissions for the “TrustedUser”, just enough to assume the role, so you will see many permissions warnings. However, you can choose “Switch Role”, supply the details, and gain access to the trusted account as before.

IAM is a free service, but if you want to clean up:

In the trusted account:

Delete the user “TrustedUer”

Delete the policy “AssumeCrossAcccountRole”

In the trusting account:

Delete the Role “CrossAccountRole

August 27, 2019August 27, 2019

Permissions Boundaries

There is one slide in the “Security Engineering on AWS” course about Permissions Boundaries. The text is as follows:

A permissions boundary is an advanced feature in which you limit the maximum permissions that a principal can have. These boundaries can be applied to AWS Organizations organizations or to IAM users or roles.

As the IAM administrator, you can define one or more permissions boundaries using managed policies and allow your employee to create a principal with this boundary. The employee can then attach a permissions policy to this principal. However, the effective permissions of the principal are the intersection of the permissions boundary and permissions policy. As a result, the new principal cannot exceed the boundary that you defined.

When you use a policy to set the permissions boundary for a user, it limits the user’s permissions but does not provide permissions on its own.

It might be a challenge to understand the use case and how it is used in practice. There is a helpful blog post here.

Say you have a development team with full access to certain services, but no access to IAM.

Say you want the developer to assign a role to EC2, and you want them to create the role, a policy, attach the policy to the role, and attach the role to an EC2 instance. That is a lot of permissions, and instead we want to keep to the principal of least privilege.

The example in the blog post is lengthy to set up, so I simplify a bit here, and omit the JSON for brevity (see the referenced blog post above for the detailed steps)

The admin does the following tasks:

First the admin creates a boundary policy “DynamoDB_Boundary_Frankfurt“. The policy will allow put, update, delete on any table in the Frankfurt region.. Employees will be required to set this policy as the permission boundary for the roles they create.

Create “Employee_Policy”. This policy will allow the employee to create roles and policies, attach policies to roles, and attach roles to resources. However the admin wants to retain control over the naming conventions of the roles and policies for ease of auditing. The roles and policies must have the prefix MyTestApp. Also, there will be a condition that the above permissions boundary policy must be attached to the role, otherwise the role creation will fail.

Create a role “MyEmployeeRole” and attach the “Employee_Policy”.

Create a policy “Pass_Role_Policy” to allow the employee to pass the roles they create to services such as EC2.

Attach the policy to “MyEmployee_Role”

The Employee does the following tasks:

Create a role “MyTestAppRole”. The employee must provide the permissions boundary “DynamoDB_Boundary_Frankfurt”, otherwise the role creation will fail. The policy will allow EC2 to assume the role.

Create a policy “MyTestApp_DDB_Permissions” allowing all DynamoDB actions on a specific table MyTestApp_DDB_Table.

Attach the policy to “MyTestAppRole”

To summarise, the administrator created a permission boundary allowing DynamoDB put, update, delete on all resources in Frankfurt.

The employee created a policy which allowed all actions on a specific table with no region restriction.

The effective permission is to allow put, update, and delete on the specific table MyTestApp_DDB_Table in the Frankfurt region.

June 5, 2019June 5, 2019

IAM Policies with MFA Conditions

For certain actions like stop or terminate an instance, you might require MFA, while for less potentially destructive actions like describe-instance, you might not require MFA.

For a simple test of this, I used this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

I made 2 users, UserMFA and UserNoMFA, both with console access.

For UserMFA, I enabled MFA using Google Authenticator for iPhone. If you havn’t done this before, create a user, then go to the Security Credentials tab and you are guided through the process, which involves pointing the iPhone camera at a QR code and entering the two 6-digit codes which appear on the iPhone app.

Attach the policy to the two users.

Log in as UserMFA. The user can see the EC2 instances because they have describe-instance permission, and can stop an instance because they are logged in using MFA.

Log in as UserNoMFA. The user can see the EC2 instances because they have describe-instance permission, but cannot stop an instance because they are not logged in using MFA. They receive the following error:

The same concept can apply to use of CLI and APIs, rather than the console, but that’s another story.

November 1, 2018

IAM Policy Simulator

Lets say a user sees an Access Denied message when trying to access a resource, for example S3.

This is likely the result of a policy applied to the user, or the users group, or it could be a bucket policy. Or it could be that the user or group has no explicit permissions at all.

One way to troubleshoot the issue is to use the IAM Policy Simulator.

I am already logged in as an admin, and it displays a list of users in my account.

Select the user, and simulate an action, here I select S3 as the service.

For the actions, I select “All Actions” (you can also choose a specific action on a specific bucket) and click Run Simulation.

It will list which actions are allowed or denied. You can drill down on any denied action and it will display the policy and even the section of the policy which is denying access.

In this case the user was in a group with the “AdministratorAccess” policy, but the above policy applied to the user was overriding the Allow.