Restrict "iam:CreateRole" and "iam:CreatePolicy" to work for kinesis data stream creation only

0

Hello

I am trying to create a kinesis data stream with the management console and an account that is restricted to using several services including Kinesis Data Firehose.

I found that to complete the operation I need additional permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream" ],
      "Resource": ["arn:aws:logs:ap-southeast-2:548097210593:log-group:"]
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:CreateRole" ],
      "Resource": ["arn:aws:iam::548097210593:role/service-role/"]
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:CreatePolicy" ],
      "Resource": ["arn:aws:iam::548097210593:policy/service-role/"]
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:PassRole" ],
      "Resource": ["arn:aws:iam::548097210593:role/service-role/KinesisFirehoseServiceRole-"]
    }
  ]
}

Is there a way to make "iam:CreateRole" and "iam:CreatePolicy" more selective and allow them only during the creation of a kinesis data stream?

Note that I make the resources more specific for "iam:AttachRolePolicy" and "iam:PassRole", but the same does not work for "iam:CreateRole" and "iam:CreatePolicy". The Role and Policy do not exist at the moment the action is performed so

  • Hi, side note: you should obfuscate your account number in the quote above.

Harut
asked a year ago, 326 views
1 Answer
0

Instead of granting these powerful IAM permissions, why don't you manually create the IAM Role that will be used by the Firehose and then select that role in the AWS Console during creation? https://docs.aws.amazon.com/ses/latest/dg/event-publishing-kinesis-analytics-firehose-stream.html

You can refer to this page in the documentation when determining which permissions should be included in your IAM Role. https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html

I hope this helps you!

EXPERT
answered a year ago
  • That implies that the user has permission to create any kind of IAM roles/policies. The point here is that he should be restricted to doing only what is absolutely necessary
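
The pre-created-role approach from the answer above, as an added example that is not part of the original thread or AWS's own code: the console user's IAM statement shrinks to `iam:PassRole` on one existing role, limited to Firehose with the `iam:PassedToService` condition key, and a small checker contrasts it with statements shaped like those in the question. The account ID `111122223333`, the role name `FirehoseDeliveryRole`, the wildcard resources and the `audit` helper are assumptions made for illustration; the checker looks at actions and conditions only, not at resources.

```python
import fnmatch

# Constructed values: placeholder account ID and a hypothetical name for a
# Firehose role that an administrator created in advance.
ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/FirehoseDeliveryRole"

# IAM part of the console user's policy under the pre-created-role approach:
# nothing that creates roles or policies, only PassRole for one role to Firehose.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": [ROLE_ARN],
    "Condition": {"StringEquals": {"iam:PassedToService": "firehose.amazonaws.com"}},
}]}

# IAM statements shaped like those in the question (constructed, same placeholder ID).
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole"],
     "Resource": ["arn:aws:iam::111122223333:role/service-role/*"]},
    {"Effect": "Allow", "Action": ["iam:CreatePolicy"],
     "Resource": ["arn:aws:iam::111122223333:policy/service-role/*"]},
    {"Effect": "Allow",
     "Action": ["iam:AttachRolePolicy", "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion", "iam:PassRole"],
     "Resource": ["arn:aws:iam::111122223333:role/service-role/KinesisFirehoseServiceRole-*"]},
]}

IAM_WRITE = ["iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:CreatePolicyVersion"]

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """List (statement index, action, reason) for Allow statements that let the
    user create or change IAM roles/policies, or pass a role to any service."""
    findings = []
    for i, stmt in enumerate(_listify(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for pattern in (p.lower() for p in _listify(stmt.get("Action", []))):
            for action in IAM_WRITE:  # IAM action patterns may contain * and ?
                if fnmatch.fnmatchcase(action.lower(), pattern):
                    findings.append((i, action, "creates or modifies IAM identities"))
            if fnmatch.fnmatchcase("iam:passrole", pattern) and "iam:passedtoservice" not in cond_keys:
                findings.append((i, "iam:PassRole", "not restricted with iam:PassedToService"))
    return findings
```
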
