Cross account role for multiple accounts

0

We have a BI product which we provisioned on EC2 instances. The only way we can connect to AWS data sources from these EC2 instances is by giving a cross-account role trust policy. EC2 is sitting in one VPC and the data sources in different VPCs. We have a use case to connect to multiple accounts' (VPCs') data sources, in which case, if the EC2 role is compromised, it will be able to connect to all the data sources that have the trust. How do we add more access control layers to this?

  • Hello,

    What are the different data sources in other AWS accounts?

  • For example, Redshift, Athena, RDS, Aurora flavors, etc.

1 answer
1

You can consider many extra access control layers. But, as you know, each access control layer requires a corresponding trade-off (human resources, extra systems, management cost).

  • Fine-grained IAM Policy Conditions
    • Limit source IP, source VPC, source Account, or something else.
  • Strengthen security for the Assume Role (Trusted Identity) Policy of the IAM Role.
    • Limit source IP, source VPC, source Account, or something else.
  • Use application-level AWS STS Tokens instead of EC2 Instance Profile
    • With a solution for dynamic secrets (short-lived tokens) like HashiCorp Vault, you can use several small-scoped STS tokens, and just delete your EC2 Instance Profile.
  • Limit access to the EC2 instance with Security Groups and NACLs.
Expert
Answered a year ago
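The first two bullets of the answer (fine-grained conditions, and a tighter trust policy on the data-source role) are easiest to reason about with a concrete trust policy in hand. The following Python is an added example, not code from the answer or from AWS: it builds a hardened trust policy that names one caller role and pins the AssumeRole call to one VPC and one ExternalId, and it audits a policy for the two weaknesses the question describes (an account-wide principal and no narrowing condition). The account id, role name, VPC id and ExternalId are placeholders. Note that `aws:SourceVpc` / `aws:SourceVpce` are only present on the request when STS is reached through an interface VPC endpoint in the EC2 instance's VPC; for calls that leave via a NAT gateway, `aws:SourceIp` against the NAT's public address is the equivalent control.

```python
import json

# Constructed sample: the kind of over-broad trust policy the question describes.
# Account id 111111111111 is a placeholder. Any principal in that account may assume
# the data-source role, and nothing restricts where the AssumeRole call comes from.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Global condition keys that narrow an AssumeRole call to a caller, a network path,
# or a shared secret. Compared case-insensitively, as IAM does.
NARROWING_KEYS = {
    "aws:principalarn",    # a specific role/user instead of a whole account
    "aws:principalorgid",  # callers inside one AWS Organization
    "aws:sourcevpc",       # set only when STS is reached through a VPC endpoint
    "aws:sourcevpce",      # a specific STS interface endpoint
    "aws:sourceip",        # public/NAT address of the caller (not set via VPC endpoint)
    "sts:externalid",      # ExternalId the caller must pass to AssumeRole
}


def build_trust_policy(caller_role_arn, vpc_id=None, external_id=None):
    """Return a trust policy that names one caller role and, optionally, pins the
    AssumeRole call to one VPC (via an STS VPC endpoint) and one ExternalId."""
    string_equals = {}
    if vpc_id:
        string_equals["aws:SourceVpc"] = vpc_id
    if external_id:
        string_equals["sts:ExternalId"] = external_id
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": caller_role_arn},
        "Action": "sts:AssumeRole",
    }
    if string_equals:
        statement["Condition"] = {"StringEquals": string_equals}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    # IAM allows a single string (or a single statement object) where a list is expected.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_trust_policy(policy):
    """Return findings for Allow statements granting sts:AssumeRole that either
    name an account-wide principal or carry no narrowing condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in aws_principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"statement {i}: principal {p} is account-wide; name the specific role ARN")
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not cond_keys & NARROWING_KEYS:
            findings.append(f"statement {i}: no condition narrows where the AssumeRole call may come from")
    return findings


if __name__ == "__main__":
    print("weak policy findings:", *audit_trust_policy(WEAK_TRUST_POLICY), sep="\n  ")
    hardened = build_trust_policy(
        "arn:aws:iam::111111111111:role/bi-ec2-role",  # placeholder caller role
        vpc_id="vpc-0a1b2c3d4e5f67890",                 # placeholder VPC id
        external_id="bi-prod-redshift",                 # constructed ExternalId
    )
    print("hardened policy findings:", audit_trust_policy(hardened))
    print(json.dumps(hardened, indent=2))
```

Run the audit over every data-source role's trust policy (the JSON is what `get-role` returns in `AssumeRolePolicyDocument`), one role per account, so that a compromised instance role can at most reach the one data source that names it, and only from the expected VPC and with the ExternalId the BI product is configured to send.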
