ACCESSING SECRET CREDENTIALS

0

I want to create a role in the AWS organization account which has permissions to access a few security credentials. This role needs to be assumed by member accounts to carry out some tasks. They should only have permission to do a particular task. In other words, they shouldn't be able to change the task, they can't use the credentials for any other task, and they shouldn't have access to print/view the security credentials.

1 Answer
0

Hi there, you can implement the principle of least privilege for cross-account access.

In your AWS Organization's management account, you can create an IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::MEMBER-ACCOUNT-ID-1:root",
                    "arn:aws:iam::MEMBER-ACCOUNT-ID-2:root"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "YOUR-ORGANIZATION-ID"
                }
            }
        }
    ]
}

Then you can create a custom policy for the specific task (example for accessing a specific Secret):


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT-ID:secret:SPECIFIC-SECRET-NAME"
        }
    ]
}

And in the member accounts, create an IAM policy to allow specific users/roles to assume the organization account role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ORGANIZATION-ACCOUNT-ID:role/ROLE-NAME"
        }
    ]
}

Then your users can assume the role using the AWS CLI:

aws sts assume-role --role-arn arn:aws:iam::ORGANIZATION-ACCOUNT-ID:role/ROLE-NAME --role-session-name MySession

This way only member accounts within your organization can assume the role, and you can scope the role so it only has permissions for the specific task needed. The users can't view/modify the actual credentials. All the role assumptions are logged in CloudTrail.

Additional Best Practices:

- Use session duration limits in the role trust policy
- Regularly review CloudTrail logs for role usage
- Use AWS Organizations SCPs for additional restrictions

HTH

AWS
answered 2 months ago
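As an added example (not part of the answer above and not AWS code), a small Python check that reads the two policy documents from the answer and flags the properties the answer relies on: a trust policy pinned to the organization with no "*" principal, and a task policy with no wildcard action or resource. It also notes which action returns the secret value itself, since that bears on the "can't view the credentials" requirement in the question. The policy copies are constructed from the answer, placeholders included.

```python
import json

# Constructed copies of the two policies from the answer above, with the
# post's placeholders (MEMBER-ACCOUNT-ID-1, REGION, ...) left in place.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::MEMBER-ACCOUNT-ID-1:root"]},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"aws:PrincipalOrgID": "YOUR-ORGANIZATION-ID"}}}]}""")
PERMISSIONS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["secretsmanager:GetSecretValue"],
  "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT-ID:secret:SPECIFIC-SECRET-NAME"}]}""")

def _as_list(value):
    # IAM accepts a single string or a list in Action/Resource/Principal fields.
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy):
    """Findings for a role trust policy meant for in-organization cross-account use."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"stmt {i}: Principal '*' lets any AWS account assume the role")
        org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        if not org:
            findings.append(f"stmt {i}: no aws:PrincipalOrgID condition, not pinned to your org")
    return findings

def check_permissions_policy(policy):
    """Findings for the task policy attached to the role: one action, one secret."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"stmt {i}: wildcard action grants more than the single task")
        if any(r == "*" or r.endswith(":secret:*") for r in resources):
            findings.append(f"stmt {i}: wildcard resource exposes every secret, not one")
        if "secretsmanager:GetSecretValue" in actions:
            findings.append(f"stmt {i}: GetSecretValue returns the secret plaintext to the caller")
    return findings
```

Run both checks before attaching the policies; an empty list from the trust check and a single informational finding from the permissions check is the expected result for the answer's policies as written.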
