RDS IAM Auth + SSO Users

0

Hi all,

I have 2 accounts:

  • Mgmt (SSO enabled)
  • Development (RDS)

I have SSO configured with a group (team_leaders) and permission set (TeamLeaderAccess).

Are part of this group:

  • john
  • michael

I've configured a RDS DB (Postgre) with IAM Auth and created these users into the database.

Now I'm trying to configure the Permission Set with this policy:

{
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../*"
}

In this case, John is able to get his SSO credentials and log-in into RDS as john AND michael (impersonation), because I have this "/*" in my policy.

On the other hand, if I replace that by:

{
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../john"
}

Michael won't be able to log in.

How to setup a policy per user?

Has anyone faced this scenario and found a solution for it?

Thanks,

1 回答
1
已接受的回答

It's possible to simplify the management of AWS RDS access while leveraging AWS Single Sign-On (SSO) using dynamic IAM policies. Here's a quick guide:

  1. Goal: Enable secure, user-specific access to AWS RDS databases, preventing impersonation.
  2. Strategy: Utilize AWS SSO with dynamic IAM policies, incorporating the ${aws:username} variable to align SSO usernames with database usernames.

Implementation:

  1. Activate AWS SSO ABAC: Allows for dynamic permissions based on user context.
  2. Configure a Dynamic IAM Policy: Insert ${aws:username} in the policy to ensure users can only access their database user.
{
    "Action": "rds-db:connect",
    "Effect": "Allow",
    "Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../${aws:username}"
}

Note: Ensure Consistency between SSO usernames and RDS database usernames. This alignment is critical for the dynamic policy to function correctly.

Additionally, you have the option to conduct tests by utilizing the IAM Policy Simulator, which allows for the simulation of permissions and actions for each user within the group. For more detailed analysis, you can access the tool directly at https://policysim.aws.amazon.com/home/index.jsp.

Using the policy to validate users

Resources:

  1. https://docs.aws.amazon.com/singlesignon/latest/userguide/attributesforaccesscontrol.html
profile picture
专家
已回答 3 个月前
profile pictureAWS
专家
已审核 3 个月前
  • Hi Osvaldo, obrigado!

    I have the SSO ABAC enabled now, but I haven't created any new attribute.

    I'm using the ${aws:username} variable in my PermissionSet's inline policy, but it's not working.

    Do you know if it's possible to use this variable in my permission set or should I create a customer managed policy - and move this policy block - in my Dev account?

  • It worked by creating a custom attribute (Username) on ABAC panel, and using this in the policy: ${aws:PrincipalTag/Username}

    Thank you for helping!

  • Your welcome!, glad to see it worked

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则