
Is it bad practice to allow my IAM user account to allow AssumeRole to every account (wildcard "*")?

0

I have my AWS Account and I want other people to grant me access to their AWS resources (for example S3). For the following thing to work I want to assume the role that they have created in their accounts. I follow this tutorial - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html?icmpid=docs_iam_console

The problem is that I can't know which users will grant me access to their roles (and their ARNs), so are there any risks, and is it bad (and if yes, why) from a security and technical point of view to allow my user to assume roles from everywhere by adding this policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": "sts:AssumeRole",
			"Resource": "*"
		}
	]
}
Asked 2 years ago, 1.8K views
1 answer
3
Accepted answer

It's always best to go with the least-privilege model and specify only those roles which are required to be assumed. But if your question is more towards cross-account assume role, then this is fine, the reason being that as long as the other account's role doesn't add this user in its trust relationship, this user would not be able to assume the other account's role anyway.

I've seen developers following this practice to avoid the operational overhead, as otherwise you'll have to add the role to this IAM policy every time you need to assume a newly created role in another account. But certainly "*" is not recommended.

Please refer to the following documentation, which talks about this specific topic in detail.

Hope this information helps.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
EXPERT
answered 2 years ago
AWS
EXPERT
reviewed 2 years ago
  • Thanks. Are you aware of certain things that a malicious user can do to my account if I allow my account to assume a role in the malicious user's account? It seems like my account is going to control their resources, so I should not be worried about my user.

  • Yes, your understanding is correct. As long as you don't allow any of your account's roles to be assumed by a third party unless verified, you are good. You have the access, not the other party; that account can revoke your access in his/her account, but that account's role can't access your account.
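The answer's point, that the "*" identity policy on your side is not sufficient on its own because the other account's trust policy must also name you, as an added example that is not part of the original thread. The model below is a simplified stand-in for the AWS evaluation logic (no explicit Deny, conditions, SCPs or session policies), and every ARN and policy in it is constructed.

```python
import re

# Simplified model of the two checks AWS applies to a cross-account
# sts:AssumeRole call: the caller's identity-based policy AND the target
# role's trust policy must both allow it. Explicit Deny, conditions,
# SCPs and session policies are left out. All ARNs are constructed.
MY_USER = "arn:aws:iam::111111111111:user/me"
ROLE_A = "arn:aws:iam::222222222222:role/S3ReadOnly"
ROLE_B = "arn:aws:iam::333333333333:role/Auditor"

# Identity policies on my user: the "*" one from the question and a
# least-privilege one naming a single role ARN.
WILDCARD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_A}]}

# Trust policies written by the other accounts' owners.
TRUST_ME = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": MY_USER}}]}
TRUST_SOMEONE_ELSE = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::444444444444:user/other"}}]}

def _glob(pattern, value):
    """IAM-style matching: '*' and '?' are the only wildcards."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def identity_allows(policy, role_arn):
    """Does the caller's own policy allow sts:AssumeRole on this role?"""
    return any(s["Effect"] == "Allow"
               and any(_glob(a, "sts:AssumeRole") for a in _as_list(s["Action"]))
               and any(_glob(r, role_arn) for r in _as_list(s["Resource"]))
               for s in policy["Statement"])

def trust_allows(trust_policy, caller_arn):
    """Does the role's trust policy name this caller, or its account root?
    Naming the root delegates the decision to the caller's identity policy,
    which can_assume() already requires."""
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    return any(s["Effect"] == "Allow"
               and any(_glob(a, "sts:AssumeRole") for a in _as_list(s["Action"]))
               and any(p in (caller_arn, account_root) for p in _as_list(s["Principal"]["AWS"]))
               for s in trust_policy["Statement"])

def can_assume(identity_policy, trust_policy, caller_arn, role_arn):
    """Both sides must say yes; either side alone is not enough."""
    return identity_allows(identity_policy, role_arn) and trust_allows(trust_policy, caller_arn)
```

With the wildcard policy, a role in an account that does not trust you still cannot be assumed; with the scoped policy, a newly created role that does trust you is blocked until you add its ARN, which is the operational overhead the answer mentions.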
