By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Indirect permissions with service-linked roles

0

Hello, I am creating the assumed roles for the **users **of my organization. I am attaching an **AWS managed **policy such as arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess. I have seen that this policy has the following statement:

        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole".
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "replication.dynamodb.amazonaws.com",
                        "dax.amazonaws.com",
                        "dynamodb.application-autoscaling.amazonaws.com",
                        "contributorinsights.dynamodb.amazonaws.com",
                        "kinesisreplication.dynamodb.amazonaws.com".
                    ]
                }
            }
        }

So is supposed to "Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf." If I wanted to create a custom policy for a user role, and include a statement as the example.

        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole".
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        **"s3.amazonaws.com",**
                        **"lambda.amazonaws.com",**
                        "dynamodb.application-autoscaling.amazonaws.com",
                    ]
                }
            }
        }

  1. What impact would these service-linked roles have for the user who assumes this role with this attached policy? Would the user have indirect permissions for lambda or S3?

  2. Would it be good practice to use service-linked roles? Or should it be used only for service roles?

ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access ManagementIAM Policies
Language
English
diego-toro
asked 8 months ago286 views
1 Answer
1
Accepted Answer

Service linked roles (SLR) can be assumed only by AWS services to call other AWS services on your behalf. The permissions in the second policy allow an IAM principal to create the SLR for the specific services. Once that the SLR are created, the respective AWS services can operate in the account. Without the required SLRs, the respective services will not work.

Service Linked Roles and Service Roles are very different: you control Service Roles and their policies, while Service Linked Roles are managed by AWS - you can only allow the creation of the SLR, but you can't control their policies. For example, AWS Lambda can use service roles for allowing a function to access AWS services: you will define what permissions are required by your application. On the other hand, to create an Amazon EKS cluster you must have an SLR that allows EKS to create the required resources. If the SLR required by EKS does not exist in the account already, and the principal trying to create the EKS cluster does not have the permissions to create the SLR, then the creation of the cluster will fail.

AWS
Roberto_M
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content