1 回答
- 最新
- 投票最多
- 评论最多
1
It's possible to simplify the management of AWS RDS access while leveraging AWS Single Sign-On (SSO) using dynamic IAM policies. Here's a quick guide:
- Goal: Enable secure, user-specific access to AWS RDS databases, preventing impersonation.
- Strategy: Utilize AWS SSO with dynamic IAM policies, incorporating the
${aws:username}variable to align SSO usernames with database usernames.
Implementation:
- Activate AWS SSO ABAC: Allows for dynamic permissions based on user context.
- Configure a Dynamic IAM Policy: Insert ${aws:username} in the policy to ensure users can only access their database user.
{
"Action": "rds-db:connect",
"Effect": "Allow",
"Resource": "arn:aws:rds-db:us-east-1:<account>:dbuser:db-KF.../${aws:username}"
}
Note: Ensure Consistency between SSO usernames and RDS database usernames. This alignment is critical for the dynamic policy to function correctly.
Additionally, you have the option to conduct tests by utilizing the IAM Policy Simulator, which allows for the simulation of permissions and actions for each user within the group. For more detailed analysis, you can access the tool directly at https://policysim.aws.amazon.com/home/index.jsp.
Resources:
相关内容
AWS 官方已更新 1 年前- AWS 官方已更新 3 年前
- AWS 官方已更新 1 年前
Hi Osvaldo, obrigado!
I have the SSO ABAC enabled now, but I haven't created any new attribute.
I'm using the ${aws:username} variable in my PermissionSet's inline policy, but it's not working.
Do you know if it's possible to use this variable in my permission set or should I create a customer managed policy - and move this policy block - in my Dev account?
It worked by creating a custom attribute (Username) on ABAC panel, and using this in the policy: ${aws:PrincipalTag/Username}
Thank you for helping!
Your welcome!, glad to see it worked