Cross account role for multiple accounts

0

We have a BI product which we provisioned on EC2 instances. The only way we can connect to AWS data sources from these EC2 instances is by giving a cross-account role trust policy. EC2 is sitting in one VPC and the data sources are in different VPCs. We have a use case to connect to multiple accounts' (VPCs') data sources, in which case, if the EC2 role is compromised, it will be able to connect to all the data sources which have the trust. How do we add more access control layers to this?

  • Hello,

    What are the different data sources in other AWS accounts?

  • e.g. Redshift, Athena, RDS, Aurora flavors, etc.

1 answer
1

You can consider many extra access control layers. But, as you know, each access control layer requires a corresponding trade-off (human resources, extra systems, management cost).

  • Fine-grained IAM Policy Conditions
    • Limit source IP, source VPC, source Account, or something else.
  • Strengthen the Assume Role (Trusted Identity) policy for the IAM role.
    • Limit source IP, source VPC, source Account, or something else.
  • Use application-level AWS STS tokens instead of the EC2 Instance Profile.
    • With a solution for dynamic secrets (short-lived tokens) like HashiCorp Vault, you can use several small-scoped STS tokens. And just delete your EC2 Instance Profile.
  • Limit access to the EC2 instance with Security Groups and NACLs.
EXPERT
Answered 1 year ago
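As an added illustration (not code from the original post or from AWS), the following Python builds the hardened trust policy the answer describes for a role in a data-source account, a scope-down session policy for one data source, and a small audit check that flags trust statements with no Condition. The role ARN, VPC id and ExternalId are constructed placeholders; `aws:SourceVpc` is only present when AssumeRole is called through an STS interface endpoint, so requests from anywhere else fail the StringEquals condition.

```python
"""Added example: hardened cross-account trust policy and per-session scoping.
All ARNs, VPC ids and ExternalId values below are constructed placeholders."""
import json

BI_EC2_ROLE = "arn:aws:iam::111111111111:role/bi-ec2-role"   # constructed
BI_VPC_ID = "vpc-0123456789abcdef0"                          # constructed


def build_trust_policy(principal_arn, source_vpc, external_id):
    """Trust policy for the role in a data-source account.
    Only the named BI role may assume it, only via an STS interface endpoint
    in the BI VPC (aws:SourceVpc is absent, hence denied, elsewhere), and
    only with the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {
                "aws:SourceVpc": source_vpc,
                "sts:ExternalId": external_id}},
        }],
    }


def build_session_policy(actions, resource_arns):
    """Session policy for AssumeRole's Policy parameter: the returned
    credentials are the intersection of this and the role's own policy,
    so one short-lived session serves exactly one data source."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions),
                           "Resource": sorted(resource_arns)}]}


def unconditioned_assume_statements(trust_policy):
    """Audit helper: indices of Allow statements granting sts:AssumeRole
    with no Condition block, the weak default worth hunting for."""
    found = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions
                and not stmt.get("Condition")):
            found.append(i)
    return found


if __name__ == "__main__":
    policy = build_trust_policy(BI_EC2_ROLE, BI_VPC_ID, "bi-prod-external-id")
    print(json.dumps(policy, indent=2))
    print("unconditioned statements:", unconditioned_assume_statements(policy))
```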
