By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

RDS IAM Auth + SSO Users

0

Hi all,

I have 2 accounts:

  • Mgmt (SSO enabled)
  • Development (RDS)

I have SSO configured with a group (team_leaders) and permission set (TeamLeaderAccess).

Are part of this group:

  • john
  • michael

I've configured a RDS DB (Postgre) with IAM Auth and created these users into the database.

Now I'm trying to configure the Permission Set with this policy:

{
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../*"
}

In this case, John is able to get his SSO credentials and log-in into RDS as john AND michael (impersonation), because I have this "/*" in my policy.

On the other hand, if I replace that by:

{
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../john"
}

Michael won't be able to log in.

How to setup a policy per user?

Has anyone faced this scenario and found a solution for it?

Thanks,

Topics
Security, Identity, & ComplianceMigration & ModernizationAnalyticsDatabase
Tags
AWS Identity and Access ManagementAmazon Relational Database ServiceAWS IAM Identity CenterIAM Policies
Language
English
Emmanuel
asked 2 months ago304 views
1 Answer
1
Accepted Answer

It's possible to simplify the management of AWS RDS access while leveraging AWS Single Sign-On (SSO) using dynamic IAM policies. Here's a quick guide:

  1. Goal: Enable secure, user-specific access to AWS RDS databases, preventing impersonation.
  2. Strategy: Utilize AWS SSO with dynamic IAM policies, incorporating the ${aws:username} variable to align SSO usernames with database usernames.

Implementation:

  1. Activate AWS SSO ABAC: Allows for dynamic permissions based on user context.
  2. Configure a Dynamic IAM Policy: Insert ${aws:username} in the policy to ensure users can only access their database user.
{
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../${aws:username}"
}

Note: Ensure Consistency between SSO usernames and RDS database usernames. This alignment is critical for the dynamic policy to function correctly.

Additionally, you have the option to conduct tests by utilizing the IAM Policy Simulator, which allows for the simulation of permissions and actions for each user within the group. For more detailed analysis, you can access the tool directly at https://policysim.aws.amazon.com/home/index.jsp.

Using the policy to validate users

Resources:

  1. https://docs.aws.amazon.com/singlesignon/latest/userguide/attributesforaccesscontrol.html
profile picture
EXPERT
Osvaldo Marte
answered 2 months ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 2 months ago
  • Emmanuel
    2 months ago

    Hi Osvaldo, obrigado!

    I have the SSO ABAC enabled now, but I haven't created any new attribute.

    I'm using the ${aws:username} variable in my PermissionSet's inline policy, but it's not working.

    Do you know if it's possible to use this variable in my permission set or should I create a customer managed policy - and move this policy block - in my Dev account?

  • Emmanuel
    2 months ago

    It worked by creating a custom attribute (Username) on ABAC panel, and using this in the policy: ${aws:PrincipalTag/Username}

    Thank you for helping!

  • Osvaldo Marte EXPERT
    2 months ago

    Your welcome!, glad to see it worked

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content