
Is it bad practice to allow my IAM user account to AssumeRole into every account (wildcard "*")?

0

I have my AWS account and I want other people to grant me access to their AWS resources (for example S3). For this to work I want to assume the role that they have created in their accounts. I followed this tutorial - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html?icmpid=docs_iam_console

The problem is that I can't know which users will grant me access to their roles (and their ARNs), so are there any risks, and is it bad (and if yes - why) from a security and technical point of view, to allow my user to assume roles from everywhere by adding this policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": "sts:AssumeRole",
			"Resource": "*"
		}
	]
}
asked 2 years ago, 1.8K views
1 Answer
3
Accepted answer

It's always best to go with the least-privilege model and specify only those roles which are required to be assumed. But if your question is more about cross-account assume role, then this is fine, the reason being that as long as the other account's role doesn't add this user to its trust relationship, this user would not be able to assume the other account's role anyway.

I've seen developers following this practice to avoid the operational overhead, as otherwise you'll have to add the role to this IAM policy every time you need to assume a newly created role in another account. But certainly "*" is not recommended.

Please refer to the following documentation, which talks about this specific topic in detail.

Hope this information helps.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
EXPERT
answered 2 years ago
AWS
EXPERT
reviewed 2 years ago
  • Thanks. Are you aware of certain things that a malicious user can do to my account if I allow my account to assume a role in the malicious user's account? It seems like my account is going to control their resources, so I should not be worried about my user.

  • Yes, your understanding is correct. As long as you don't allow any of your account's roles to be assumed by a third party unless verified, you are good. You have the access, not the other party; that account can revoke your access in their account, but that account's role can't access your account.
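The two-sided check the answer describes, as an added illustration that is not code from the question, the answer, or AWS: a simplified model in which sts:AssumeRole succeeds only when the caller's identity-based policy allows the role ARN and the role's trust policy names the caller (or its account root), with explicit Deny winning on either side. The account IDs, the user ARN, the role name and the policies are constructed sample values, and real IAM evaluation has more parts (conditions, SCPs, permission boundaries) than this model.

```python
from fnmatch import fnmatchcase

# Constructed sample values (not from the question).
CALLER = "arn:aws:iam::111111111111:user/me"
TARGET = "arn:aws:iam::222222222222:role/S3Reader"

# The questioner's wildcard identity policy, and a least-privilege alternative.
WILDCARD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                  "Resource": "*"}]}
SCOPED_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Resource": TARGET}]}

# Trust policies on the target role: one names CALLER, one names someone else.
TRUSTS_CALLER = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Principal": {"AWS": CALLER}}]}
TRUSTS_OTHER = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"AWS": "arn:aws:iam::333333333333:root"}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def identity_allows(policy, action, resource):
    """Caller side: an explicit Deny wins; otherwise some Allow must match."""
    allowed = False
    for st in policy["Statement"]:
        if (any(fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def trust_allows(trust_policy, caller_arn):
    """Role side: the caller, or its account root, must be a listed principal."""
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    allowed = False
    for st in trust_policy["Statement"]:
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if ("sts:AssumeRole" in _as_list(st["Action"])
                and (caller_arn in principals or account_root in principals)):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def can_assume(identity_policy, trust_policy, caller_arn=CALLER, role_arn=TARGET):
    """Both checks must pass: the caller's "*" opens nothing on its own."""
    return (identity_allows(identity_policy, "sts:AssumeRole", role_arn)
            and trust_allows(trust_policy, caller_arn))
```

The wildcard policy only matters once a target account has already chosen to trust you; the scoped policy additionally limits which of those trusting roles this user can reach.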
