Allow a specific ECS service to assume a role

0

I have an ECS cluster that has multiple services running on shared EC2 instances in an ASG.

1 service in that ECS cluster needs to have access to sensitive data and I have created an IAM Role with the relevant permissions and set the Task execution role on the task definition to use that role.

The task can be run and works as expected. However, currently any service could assume that role and get access to the sensitive data. Therefore what I am trying to do is only allow the specific ECS service that is using that task definition to be able to launch the task with that role set BUT prevent any other service from the ability to assume that role. I've tried to set the Role trust policy like the policy below (removed region and account number to post here) but I get an error about it not being able to assume the role.

I must be doing something wrong, but I've tried a few variations and not had any luck with it.

Error being received:

service Testing-MyECSService-JWT8oLXZcxmb failed to launch a task with (error ECS was unable to assume the role 'arn:aws:iam::*:role/Testing-Role-TExnOfA3wuhG' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.).

Trust Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.amazonaws.com",
                    "ecs-tasks.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:ecs:*:*:service/Testing-ECSCluster-4Ol5fxDIgQ9o/Testing-MyECSService-JWT8oLXZcxmb"
                }
            }
        }
    ]
}
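For comparison, here is an added example of a task role trust policy that follows the confused-deputy pattern AWS documents for ECS; it is not the asker's policy and not code from any answer. It differs from the policy above in three ways: the only principal is ecs-tasks.amazonaws.com (the service principal that assumes task and task execution roles), the stray `]` is gone, and the condition pins aws:SourceAccount and an aws:SourceArn pattern for the account and region instead of a single service ARN. The account ID 111122223333 and the region eu-west-1 are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEcsTasksInThisAccountOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ecs:eu-west-1:111122223333:*"
        }
      }
    }
  ]
}
```

This limits the role to ECS tasks launched in your own account and region, which closes the cross-account confused-deputy gap but does not by itself distinguish one service in the cluster from another. Nothing in this thread establishes which ARN ECS presents in aws:SourceArn when it assumes a task role, so narrow the ArnLike pattern below the account/region wildcard only after testing that a task from the intended service still starts; the error in the question is what a non-matching condition looks like.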

3 Answers
1

Hi,

You can assign a tag to your service and then restrict your role policy with a condition on this tag, like done on this page (although for a different purpose): https://docs.aws.amazon.com/AmazonECS/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-view-cluster-tags

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeServices",
            "Effect": "Allow",
            "Action": "ecs:DescribeServices",
            "Resource": "*"
        },
        {
            "Sid": "ViewServiceIfOwner",
            "Effect": "Allow",
            "Action": "ecs:DescribeServices",
            "Resource": "arn:aws:ecs:*:*:service/*",
            "Condition": {
                "StringEquals": {"ecs:ResourceTag/Owner": "${aws:username}"}
            }
        }
    ]
}

You also have a more sophisticated example, still using tags, in this blog post: https://aws.amazon.com/blogs/security/control-access-to-amazon-elastic-container-service-resources-by-using-abac-policies/

Best.

Didier

AWS EXPERT
answered 3 months ago
1

Hi,

That's a good idea, to restrict the IAM role to only 1 ECS service. But given that you have an issue in setting up the trust relationships:

Why don't you try restricting the IAM permissions at the resource level (ECS service here) while creating the IAM policy which is attached to the role. Ex: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-summary-examples.html#example6

After selecting the required actions, enter the resource ARN (ECS service ARN here), such that the above actions/permissions will only be applied to that resource.

Let me know if you have any questions!

answered 3 months ago
0

Thanks both for coming back to me. I did consider using tags; however, the problem with that is that if anyone added the same tag to another area they would also be able to assume the role, so it isn't secure enough to meet the requirements I've been given.

For setting the permissions at the resource level, unfortunately the resource is a key in KMS, which only allows you to use roles and users to restrict access from what I have been able to see, which is why my thought was to restrict which specific ECS service\task can assume a role that has access.

User1
answered 3 months ago
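The error message in the question already names the control that decides which service can be configured with the role: whoever creates or updates a service (or runs a task) with a task definition that names this role must hold iam:PassRole on it. The trust policy only says that ECS tasks may assume the role; it cannot tell one ECS service in the cluster from another. The following is an added example of an identity policy statement for the deployment principal of the one sensitive service, not code from the question or from either answer. The role name is the one from the error in the question; the account ID 111122223333 is a placeholder. The iam:PassedToService condition key is a real IAM key that restricts which service the role may be passed to.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassSensitiveRoleToEcsTasksOnly",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/Testing-Role-TExnOfA3wuhG",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ecs-tasks.amazonaws.com"
        }
      }
    }
  ]
}
```

Attach this only to the principal that deploys the sensitive service, and make sure no other user, role or pipeline in the account has iam:PassRole on that role ARN (a broad `"Resource": "*"` PassRole grant elsewhere defeats it). Because the KMS key policy names the role and the role can only be attached to a task by a principal with this permission, the key's audience is effectively limited to that one service. For detection, CloudTrail events for RegisterTaskDefinition, CreateService, UpdateService and RunTask that reference the role ARN from any other principal are the signal that someone tried to reuse it.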
