Cross-Account Delegation in AWS
James Wing, Founder @ BatchIQ
November 19, 2015
Seattle AWS Architects & Engineers
Agenda
• Three methods for cross-account access
• Pros and Cons for each method
• Setup
• Security
• Logging
• Advice for consumers and providers
Cross-Account Delegation Methods

IAM User
1. Create user
2. Add policies
3. Give API keys to vendor
4. Vendor uses keys to access services

IAM Role
1. Create role
2. Add policies
3. Create trust policy with vendor account # and external ID
4. Give role ARN to vendor
5. Vendor assumes role to access services

Resource Policy
1. Add policy to resource (S3 bucket)
2. Give resource ARN to vendor
3. Vendor accesses resource with own creds

(Slide diagram places the three methods on a spectrum from Resource-based to User-based.)
Comparing Methods

                 Resource Policy    IAM User      IAM Role
AWS Coverage     S3, SQS, SNS, …    Everything    Everything
Setup            Simplest           Simple        Complex
Security         Most Secure        Secure        More Secure
Logging          Service-specific   CloudTrail    CloudTrail

Slide annotations: "Less-Simple" (on the Complex cell), "AWS Approved"
Are Roles Complicated?
• Users and Roles have a lot in common:
  • Both are security principals
  • Name
  • IAM Policies
• Roles have Trust Policy:
  • Vendor AWS account ID
  • External ID (optional)
• Role is harder to verify and troubleshoot
• Equally easy for vendor to use with AWS SDKs
Security
• It's all good on the happy path
• What happens if vendor is hacked, creds exposed?
• IAM User keys can be used by anyone, anytime until cancelled
• IAM Role trust policy restricts use to vendor's account
• Resource-based policies may reference specific accounts
• Resource policies limited to context of resource (S3 bucket, SQS queue, etc.)
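The two points above about trust policies (vendor account ID plus optional external ID, and the trust policy limiting who can use the role) are shown in code below. This is an added example, not material from the talk: it builds the trust policy document a consumer would attach to a delegated role, models the checks applied to an sts:AssumeRole request against it, and adds a small review function for the trust policy. It is a simplified model of the evaluation, not the AWS policy engine (explicit Deny and other condition keys are not handled), and every account ID, ARN and external ID is a constructed placeholder.

```python
"""Added example, not from the talk: build an IAM role trust policy with an
external ID and model the checks applied to an sts:AssumeRole request.
All account IDs, ARNs and the external ID are constructed placeholders."""
import json
from typing import List, Optional

CUSTOMER_ACCOUNT = "111111111111"       # constructed: account that owns the role
VENDOR_ACCOUNT = "222222222222"         # constructed: the vendor's AWS account
EXTERNAL_ID = "example-external-id-42"  # constructed: agreed with the vendor out of band


def build_trust_policy(vendor_account: str, external_id: Optional[str]) -> dict:
    """Trust policy that lets only the vendor account assume the role.

    The optional sts:ExternalId condition is the confused-deputy control:
    a vendor serving many customers must present the value this customer
    agreed on, so another tenant cannot point the vendor at this role just
    by knowing its ARN."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def account_from_arn(principal: str) -> str:
    """arn:partition:service:region:account-id:resource -> account-id.
    A bare 12-digit account ID is also a valid principal and is returned as is."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt: dict) -> list:
    """Principal may be "*" (string) or {"AWS": <str or list>}."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)


def assume_role_allowed(trust_policy: dict, caller_arn: str,
                        external_id: Optional[str]) -> bool:
    """Simplified model of trust-policy evaluation (not the AWS engine):
    an Allow statement for sts:AssumeRole must name the caller's account
    (or "*") and, if it carries an sts:ExternalId condition, the supplied
    external ID must match exactly."""
    caller_account = account_from_arn(caller_arn)
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principals = _aws_principals(stmt)
        allowed_accounts = {account_from_arn(p) for p in principals if p != "*"}
        if "*" not in principals and caller_account not in allowed_accounts:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue
        return True
    return False


def trust_policy_findings(trust_policy: dict) -> List[str]:
    """Review checks a consumer can run before handing the role ARN to a
    vendor: flag wildcard principals and Allow statements without an
    sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if "*" in _aws_principals(stmt):
            findings.append(f"statement {i}: wildcard principal")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(VENDOR_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    vendor_user = f"arn:aws:iam::{VENDOR_ACCOUNT}:user/integration"
    print(assume_role_allowed(policy, vendor_user, EXTERNAL_ID))          # True
    print(assume_role_allowed(policy, vendor_user, "some-other-tenant"))  # False: wrong external ID
    print(assume_role_allowed(policy, "arn:aws:iam::333333333333:user/x", EXTERNAL_ID))  # False: other account
    print(trust_policy_findings(build_trust_policy(VENDOR_ACCOUNT, None)))
```

The contrast with an IAM user's long-lived keys is the point of the slide: a leaked key works from anywhere until it is deleted, whereas the role can only be assumed by a principal in the account named in the trust policy, and with an external ID only when the vendor also supplies this customer's value.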
Logging (CloudTrail)
[Slide compares CloudTrail Entry JSON for a User versus a Role; the Role entry carries the Session Name from sts:AssumeRole.]
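The slide contrasts the CloudTrail record for a user with that for an assumed role. As an added example (not from the talk), the code below reads the userIdentity block of CloudTrail records and extracts who acted: for an IAM user only the user name, for an assumed role both the role and the session name the vendor passed to sts:AssumeRole. The two records are constructed samples that follow the real record layout (eventName, eventSource, userIdentity with type IAMUser or AssumedRole, sessionContext.sessionIssuer); the account ID, names and principal IDs are placeholders.

```python
"""Added example, not from the talk: reduce CloudTrail records to the
principal that acted, showing why a delegated role is easier to attribute
than a shared IAM user. Records below are constructed samples."""
import json
from typing import Dict, List

CONSTRUCTED_RECORDS = [
    {   # constructed: vendor calling with the long-lived keys of an IAM user in our account
        "eventTime": "2015-11-19T18:02:11Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListObjects",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "AIDAEXAMPLEPLACEHOLDER",
            "arn": "arn:aws:iam::111111111111:user/vendor-bot",
            "accountId": "111111111111",
            "userName": "vendor-bot",
        },
    },
    {   # constructed: the same vendor after assuming a role; the session name
        # was chosen by the vendor in its sts:AssumeRole call and is embedded in the ARN
        "eventTime": "2015-11-19T18:05:47Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListObjects",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEPLACEHOLDER:vendor-job-77",
            "arn": "arn:aws:sts::111111111111:assumed-role/VendorAccessRole/vendor-job-77",
            "accountId": "111111111111",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROAEXAMPLEPLACEHOLDER",
                    "arn": "arn:aws:iam::111111111111:role/VendorAccessRole",
                    "accountId": "111111111111",
                    "userName": "VendorAccessRole",
                }
            },
        },
    },
]


def describe_caller(record: dict) -> Dict[str, str]:
    """Who acted: for an IAM user only the user name is available; for an
    assumed role the record carries the role that was assumed and the
    session name supplied by the caller."""
    ident = record["userIdentity"]
    if ident["type"] == "IAMUser":
        return {"kind": "user", "principal": ident["userName"], "session": ""}
    if ident["type"] == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        role_name, session_name = ident["arn"].rsplit("/", 2)[1:]
        return {"kind": "role", "principal": role_name, "session": session_name}
    # Root, AWSService, FederatedUser, ...: report the type and ARN unchanged
    return {"kind": ident["type"], "principal": ident.get("arn", ""), "session": ""}


def sessions_for_role(records: List[dict], role_name: str) -> List[str]:
    """Distinct session names under which a delegated role was used, in order
    of first appearance. A vendor can check here how it 'looks' in a
    customer's CloudTrail; a customer can spot session names it did not expect."""
    seen: List[str] = []
    for rec in records:
        who = describe_caller(rec)
        if who["kind"] == "role" and who["principal"] == role_name and who["session"] not in seen:
            seen.append(who["session"])
    return seen


if __name__ == "__main__":
    for rec in CONSTRUCTED_RECORDS:
        print(rec["eventTime"], rec["eventName"], json.dumps(describe_caller(rec)))
    print(sessions_for_role(CONSTRUCTED_RECORDS, "VendorAccessRole"))
```

With a shared IAM user every call from the vendor looks the same, whereas the assumed-role ARN preserves both the role and a per-session name, which is what makes the role entries more useful when troubleshooting or reviewing vendor activity.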
Advice for Consumers
• Use resource-based permissions for S3, SQS, SNS where it fits
• Prefer Roles
• Turn on CloudTrail
• Be careful of ReadOnlyAccess
Advice for Vendors
• Insist on Roles
• Don't get busted storing API keys
• Exposed keys == doom
• Check how you look in CloudTrail
• Plan for updating access permissions
• Provide CloudFormation template for Role setup
Cross-Account Access References

Using Roles for Cross-Account Access
• AWS re:Invent 2014 Video - (SEC305) IAM Best Practices (Roles at ~22:30)
• AWS Security Blog: Delegating API Access to AWS Services Using IAM Roles
• Providing Access to AWS Accounts Owned by Third Parties
• How to Use an External ID When Granting Access to Your AWS Resources to a Third Party
• How IAM Roles Differ from Resource-based Policies

Using Roles from the CLI (great for testing!)
• AWS CLI User's Guide: Assuming a Role
• Using Temporary Security Credentials to Request Access to AWS Resources