Is there any way to block roles outside the AWS organization from assuming roles inside the org using a service control policy (SCP)?

0

The goal is to implement a control similar to an allowlist where only allowed external accounts can assume roles inside the org.

Here’s what I’ve tried:

  • Tried restricting the sts:AssumeRole action in an SCP, but this only works for roles inside the org. From my understanding, since the AssumeRole call is started in the external account, the restriction doesn’t work
  • I also looked into restricting the iam:UpdateAssumeRolePolicy action in an SCP to see if a restriction for the action can be implemented where users can only specify certain AWS principals in a trust policy, but there is no condition like this for this action

Is using an SCP the right way to do this? Can this be done with an SCP?

I understand IAM access analyzer can be used to alert on when external roles assume roles inside the organization, but that’s more of a reactive control, and we would like to implement a more proactive control where we specify exactly what external accounts are able to assume roles inside the org.

2 answers
4

Try using a Role Trust policy (basically a resource based policy) as below:

{
    "Effect": "Deny",
    "Principal": {
        "AWS": "*"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringNotEquals": {
            "aws:PrincipalOrgId": "${aws:ResourceOrgId}"
        },
        "BoolIfExists": {
            "aws:PrincipalIsAWSService": "false"
        }
    }
}

And use the same for all the roles as required.

AWS
answered a year ago
1

This cannot be done with an SCP. You have to allow this via the trust policy attached to the role. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "123456789012"
            },
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
        }
    ]
}

This example also uses the ExternalId.

AWS
EXPERT
kentrad
answered a year ago
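An added audit helper (my example, not code from the thread, from AWS, or from either answerer) that reads a role trust policy and reports which principals allowed to call sts:AssumeRole are neither members of the organization nor on an external-account allowlist, which is the allowlist check the question asks for. It also recognises the org-boundary Deny from the first answer, so a wildcard principal guarded by that Deny is not reported. The account IDs and allowlist values are constructed placeholders.

```python
import json
import re

# Account-ID extraction for the principal forms seen in trust policies:
# "123456789012", "arn:aws:iam::123456789012:root", "arn:aws:iam::123456789012:role/x".
ACCOUNT_RE = re.compile(r"^(?:arn:aws:(?:iam|sts)::)?(\d{12})(?::.*)?$")


def principal_accounts(principal):
    """Return the account IDs named by a statement's Principal ('*' stays '*')."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    ids = set()
    for entry in [aws] if isinstance(aws, str) else aws:
        match = ACCOUNT_RE.match(entry)
        ids.add(match.group(1) if match else entry)  # keep '*' and unparsed entries verbatim
    return ids


def has_org_boundary_deny(policy):
    """True if the policy carries the first answer's Deny (PrincipalOrgId must equal ResourceOrgId)."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if stmt.get("Effect") == "Deny" and cond.get("aws:PrincipalOrgId") == "${aws:ResourceOrgId}":
            return True
    return False


def unapproved_principals(policy_json, org_accounts, external_allowlist):
    """Principals allowed to call sts:AssumeRole that are neither org members nor allowlisted."""
    policy = json.loads(policy_json)
    approved = set(org_accounts) | set(external_allowlist)
    findings = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        findings |= principal_accounts(stmt.get("Principal", {})) - approved
    # A wildcard principal is contained to the org only when the org-boundary Deny is present.
    if "*" in findings and has_org_boundary_deny(policy):
        findings.discard("*")
    return sorted(findings)


# Constructed sample: the trust policy shape from the second answer, trusting one external account.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "123456789012"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "12345"}},
    }],
})
```

Run it against the trust policies returned by `iam:GetRole` for every role in the org's accounts; a non-empty result is a role that trusts an external account you have not approved.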
