Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

RDS IAM Auth + SSO Users

0

Hi all,

I have 2 accounts:

  • Mgmt (SSO enabled)
  • Development (RDS)

I have SSO configured with a group (team_leaders) and permission set (TeamLeaderAccess).

Are part of this group:

  • john
  • michael

I've configured a RDS DB (Postgre) with IAM Auth and created these users into the database.

Now I'm trying to configure the Permission Set with this policy:

{
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../*"
}

In this case, John is able to get his SSO credentials and log-in into RDS as john AND michael (impersonation), because I have this "/*" in my policy.

On the other hand, if I replace that by:

{
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../john"
}

Michael won't be able to log in.

How to setup a policy per user?

Has anyone faced this scenario and found a solution for it?

Thanks,

Themen
Sicherheit, Identität & KonformitätMigration und ModernisierungAnalysenDatenbank
Tags
AWS Identity and Access ManagementAmazon Relational Database ServiceAWS IAM IdentitätszentrumIAM-Richtlinien
Sprache
English
Emmanuel
gefragt vor 3 Monaten371 Aufrufe
1 Antwort
1
Akzeptierte Antwort

It's possible to simplify the management of AWS RDS access while leveraging AWS Single Sign-On (SSO) using dynamic IAM policies. Here's a quick guide:

  1. Goal: Enable secure, user-specific access to AWS RDS databases, preventing impersonation.
  2. Strategy: Utilize AWS SSO with dynamic IAM policies, incorporating the ${aws:username} variable to align SSO usernames with database usernames.

Implementation:

  1. Activate AWS SSO ABAC: Allows for dynamic permissions based on user context.
  2. Configure a Dynamic IAM Policy: Insert ${aws:username} in the policy to ensure users can only access their database user.
{
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../${aws:username}"
}

Note: Ensure Consistency between SSO usernames and RDS database usernames. This alignment is critical for the dynamic policy to function correctly.

Additionally, you have the option to conduct tests by utilizing the IAM Policy Simulator, which allows for the simulation of permissions and actions for each user within the group. For more detailed analysis, you can access the tool directly at https://policysim.aws.amazon.com/home/index.jsp.

Using the policy to validate users

Resources:

  1. https://docs.aws.amazon.com/singlesignon/latest/userguide/attributesforaccesscontrol.html
profile picture
EXPERTE
Osvaldo Marte
beantwortet vor 3 Monaten
profile pictureAWS
EXPERTE
Didier_Durand
überprüft vor 3 Monaten
  • Emmanuel
    vor 3 Monaten

    Hi Osvaldo, obrigado!

    I have the SSO ABAC enabled now, but I haven't created any new attribute.

    I'm using the ${aws:username} variable in my PermissionSet's inline policy, but it's not working.

    Do you know if it's possible to use this variable in my permission set or should I create a customer managed policy - and move this policy block - in my Dev account?

  • Emmanuel
    vor 3 Monaten

    It worked by creating a custom attribute (Username) on ABAC panel, and using this in the policy: ${aws:PrincipalTag/Username}

    Thank you for helping!

  • Osvaldo Marte EXPERTE
    vor 3 Monaten

    Your welcome!, glad to see it worked

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt