How to Effectively prevent Full Authority Access to Member Accounts in case of Management Account being compromised

0

Hello.

I am currently working as a software engineer, and I am currently on a project to fetch all member account information within AWS Control Tower by using the credentials of the Management Account User I receive from the customers.

I was able to successfully fetch all member account information via the following process:

  1. Create an assumeRole in each member account if the role does not exist -> let's say the Role Name is "exampleRole".
     • The exampleRole has a trust relationship that allows sts:AssumeRole on the Management Account, if provided an ExternalId.
     • The exampleRole also has one policy attached - ReadOnlyAccess.
  2. Using the credentials of the management account, get access to the member account via sts.
  3. Using the Policy attached to the role, fetch the member account information.

There is a default role named AWSControlTowerExecution that is created when a member account is created within the control tower. Since this role is also an assumeRole with the AdministratorAccess policy attached, the Management account could gain full admin access to the member account by assuming this role.

The problem occurs when the credentials of the Management account User are compromised. The hacker can easily gain full control of the member accounts linked to the management account via the AWSControlTowerExecution role.

Is there any possible solution I can follow to reinforce the security perspective of this matter so that I can prevent the hacker from gaining full access to the member accounts as well?

I was thinking of applying IAM fine-grained policy to the Management Account User to narrow down the privileges, but if there's any better solution you can provide I would greatly appreciate it :)

Thank you!

1 Answer
1

The first recommendation is to add conditions to the trust policy of the role. This limits the principal that can assume it. Further information here - https://docs.aws.amazon.com/controltower/latest/userguide/conditions-for-role-trust.html and here - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

As for limiting the full authority, the approach recommended is to set up a permissions boundary on the role. You can define the maximum permissions of the role and even explicitly deny actions such as modifying or deleting logging buckets, or even accessing the audit account altogether. You would also want to define in the policy that it cannot perform actions in IAM on itself ("NotResource:ROLE") and that it cannot edit the Permissions Boundary ("NoBoundaryPolicyEdit"). Examples of this are linked below.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

AWS
answered a month ago
EXPERT
reviewed a month ago
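The following is an added example, not code from the question or the answer above. It builds the two documents the answer recommends for the questioner's "exampleRole" (a trust policy conditioned on sts:ExternalId and aws:PrincipalArn, and a permissions boundary with a read-only ceiling plus explicit denies for self-modification, boundary edits and log-bucket tampering) and then runs a deliberately simplified IAM evaluator over them to show that the boundary caps the role even when a broad identity policy such as AdministratorAccess is attached. Every account id, ARN, bucket name, role name and external id below is a constructed placeholder; the evaluator ignores Condition, NotAction and NotResource, so it illustrates the deny-wins / intersection rule rather than replacing the IAM policy simulator.

```python
"""Added example: build the trust policy and permissions boundary the answer
describes, then check with a simplified evaluator that the boundary caps the
role's effective permissions. All identifiers are constructed placeholders."""
import fnmatch
import json

# Constructed placeholders: replace with real values before use.
MGMT_ACCOUNT_ID = "111111111111"
MEMBER_ACCOUNT_ID = "222222222222"
ROLE_NAME = "exampleRole"
BOUNDARY_NAME = "exampleRoleBoundary"
LOG_BUCKET = "example-logging-bucket"
EXTERNAL_ID = "replace-with-a-long-random-secret"
# Only this one principal in the management account may assume the role (assumed name).
ALLOWED_PRINCIPAL_ARN = f"arn:aws:iam::{MGMT_ACCOUNT_ID}:role/CollectorRole"

ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT_ID}:role/{ROLE_NAME}"
BOUNDARY_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT_ID}:policy/{BOUNDARY_NAME}"

# Same content as the managed AdministratorAccess policy: the worst case for a
# stolen management credential that can reach an admin role in the member account.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def build_trust_policy() -> dict:
    """Trust policy: the management account may assume the role only when it
    presents the ExternalId AND the caller is the named principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowNamedManagementPrincipalOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": EXTERNAL_ID},
                "ArnEquals": {"aws:PrincipalArn": ALLOWED_PRINCIPAL_ARN},
            },
        }],
    }


def build_permissions_boundary() -> dict:
    """Boundary: a read-only ceiling plus explicit denies for the escape routes
    the answer lists (IAM on itself, editing the boundary, touching log buckets)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnlyCeiling", "Effect": "Allow",
             "Action": ["ec2:Describe*", "s3:List*", "s3:GetBucket*",
                        "iam:Get*", "iam:List*", "organizations:Describe*"],
             "Resource": "*"},
            {"Sid": "NoIamActionsOnSelf", "Effect": "Deny",
             "Action": "iam:*", "Resource": ROLE_ARN},
            {"Sid": "NoBoundaryPolicyEdit", "Effect": "Deny",
             "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                        "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
             "Resource": BOUNDARY_ARN},
            {"Sid": "NoLogBucketTampering", "Effect": "Deny",
             "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:PutBucketPolicy",
                        "s3:DeleteBucketPolicy", "s3:PutLifecycleConfiguration"],
             "Resource": [f"arn:aws:s3:::{LOG_BUCKET}", f"arn:aws:s3:::{LOG_BUCKET}/*"]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """Wildcard match of one statement against an action and a resource ARN."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def _decision(policy: dict, action: str, resource: str) -> str:
    """'deny', 'allow' or 'implicit' for a single policy document.
    Simplified: Condition, NotAction and NotResource are not evaluated."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, action, resource)}
    if "Deny" in effects:
        return "deny"
    if "Allow" in effects:
        return "allow"
    return "implicit"


def is_allowed(identity_policy: dict, boundary: dict, action: str, resource: str) -> bool:
    """IAM rule for a role with a boundary: an explicit deny in either policy
    wins; otherwise BOTH the identity policy and the boundary must allow."""
    return (_decision(identity_policy, action, resource) == "allow"
            and _decision(boundary, action, resource) == "allow")


if __name__ == "__main__":
    boundary = build_permissions_boundary()
    print(json.dumps(build_trust_policy(), indent=2))
    print(json.dumps(boundary, indent=2))
    for action, resource in [
        ("ec2:DescribeInstances", f"arn:aws:ec2:us-east-1:{MEMBER_ACCOUNT_ID}:instance/i-0example"),
        ("ec2:TerminateInstances", f"arn:aws:ec2:us-east-1:{MEMBER_ACCOUNT_ID}:instance/i-0example"),
        ("iam:DeleteRolePermissionsBoundary", ROLE_ARN),
        ("s3:DeleteBucket", f"arn:aws:s3:::{LOG_BUCKET}"),
    ]:
        print(f"{action:40} -> {'allowed' if is_allowed(ADMIN_POLICY, boundary, action, resource) else 'denied'}")
```

In a real deployment the trust policy goes on `exampleRole` in each member account and the boundary document is created as a customer managed policy there and attached with the role's permissions-boundary setting; the evaluator here only makes the cap visible offline, and the IAM policy simulator remains the place to confirm the real effect of conditions such as sts:ExternalId.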
