This article is an overview of IAM implementations, focused on multi-tenancy deployments.
- IAM User - IAM access account.
- IAM Group - A grouping of IAM Users.
- IAM Role - temporary IAM access account; cannot be added to an IAM Group.
- IAM Instance Profile - IAM access account, linked to an EC2 instance, using an IAM Role.
- IAM AWS Managed Policy - shared access policy managed by AWS, course grained.
- IAM Customer Managed Policy - shared access policy managed by the AWS account owner.
- IAM Inline Policy - unique access policy linked to a single IAM User, or IAM Group, or IAM Role.
Overview of Access Management: Permissions and Policies
IAM Best Practices
IAM Policy Elements: Variables and Tags
Variables in AWS Access Control Policies
IAM Managed Policies, and Inline Policies
- AWS Accounts are not designed for multi-tenancy
- IAM Inline Policies are very difficult to manage
- 1500 IAM Customer Managed Policies, per account
- 5000 IAM Users, per account
- 300 IAM Groups, per account
- 10 IAM Groups, per IAM User
- 1000 IAM Roles, per account
- 1000 IAM Instance Profiles, per account
- 1 IAM Role, per IAM Instance Profile
- 10 Managed Policies, per IAM Role
- 10 Managed Policies, per IAM User
- 10 Managed Policies, per IAM Group
- S3 bucket names must be DNS compatible, not using (: @ ,)
- S3 bucket policy conditionals cannot reference ResourceTag
S3 Bucket Restrictions and Limitations
Pros:
- Easy to implement.
- Does not embed IAM User Access Key + Secret Key on EC2 instance.
- IAM Policy var ${aws:username} is not available
- IAM Policy var ${aws:userid} is set to "role-id:ec2-instance-id"
- Any policy using ${aws:userid} are linked to individual EC2 instances.
- Requires redundant IAM Inline Policies, per tenant / customer.
- Need to link IAM Inline Policies to multiple IAM Roles.
Pros:
- Easy to implement.
Cons:
- Embeds IAM User Access Key + Secret Key on EC2 instance.
- IAM Policy var ${aws:username} is not available.
- IAM Policy var ${aws:userid} is set to "role-id:role-name"
- The format "role-id:role-name", cannot be used for dedicated tenant / customer S3 bucket names.
- Requires redundant IAM Inline Policies, per tenant / customer.
- Need to link IAM Inline Policies to multiple IAM Roles.
Pros:
- Easy to implement.
- IAM Policy var ${aws:username} is available.
- IAM Policy var ${aws:userid} is available.
- Can use IAM Customer Managed Policy, with dynamic variables.
- No need to create multiple tenant / customer redundant IAM Inline Policies.
Cons:
- Embeds IAM User Access Key + Secret Key on EC2 instance.
- Need to match IAM User Name, to either Resource Tag or Resource Name.
- Need to link IAM Customer Shared Policies to multiple IAM Users.
Pros:
- IAM Policy var ${aws:username} is available.
- IAM Policy var ${aws:userid} is available.
- Can use IAM Customer Managed Policy, with dynamic variables.
- No need to create multiple tenant / customer redundant IAM Inline Policies.
- Only need a limited number of account shared IAM Groups.
- Only need to link IAM Policies to limited number of IAM Groups.
Cons:
- Embeds IAM User Access Key + Secret Key on EC2 instance.
- Need to match IAM User Name, to either Resource Tag or Resource Name.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::${aws:username}"
]
}
]
}
https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/reference_policies_examples_rds_tag-owner.html
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:*"
],
"Resource": "*",
"Condition": {
"StringEquals": {"rds:db-tag/IAMUserName": "${aws:username}"}
}
}
]
}
- duosecurity / CloudTracker - helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
- Netflix / policyuniverse - provides classes to parse AWS IAM and Resource Policies.
- Netflix / repokid - uses Access Advisor to remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account.
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
- https://aws.amazon.com/blogs/aws/variables-in-aws-access-control-policies/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-infotouse
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_federated-home-directory-console.html
- https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html#context_keys_table
- https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html#amazons3-policy-keys
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys