Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Is there any way to block roles outside the AWS organization from assuming roles inside the org using a service control policy (SCP)?

0

The goal is to implement a control similar to an allowlist where only allowed external accounts can assume roles inside the org.

Here’s what I’ve tried:

  • tried restricting the sts:assumerole action in an SCP, but this only works for roles inside the org. From my understanding, since the assumerole is started in the external account, the restriction doesn’t work
  • I also looked into restricting the iam:UpdateAssumerolePolicy action in an SCP to see if a restriction for the action can be implemented where users can only specify certain AWS principals in a trust policy, but there is no condition like this for this action

Is using an SCP the right way to do this? Can this be done with an SCP?

I understand IAM access analyzer can be used to alert on when external roles assume roles inside the organization, but that’s more of a reactive control, and we would like to implement a more proactive control where we specify exactly what external accounts are able to assume roles inside the org.

Argomenti
Sicurezza, identità e conformitàGestione e amministrazione
Tag
Sicurezza, identità e conformitàGestione identità e accesso AWSPolitica di controllo dei servizi
Lingua
English
Mark
posta un anno fa1115 visualizzazioni
2 Risposte
4

Try using a Role Trust policy (basically a resource based policy) as below:

{ "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "sts:AssumeRole", "Condition": { "StringNotEquals": { "aws:PrincipalOrgId": "${aws:ResourceOrgId}" }, "BoolIfExists": { "aws:PrincipalIsAWSService": "false" } } }

And use the same for all the roles as required.

profile pictureAWS
Sandip Samanta
con risposta un anno fa
1

This can not be done with a SCP. You have to allow this via the Trust Policy attached the role. Something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "123456789012"
            },
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "12345"}}
        }
    ]
}

This example also uses the ExternalId.

profile pictureAWS
ESPERTO
kentrad
con risposta un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente