Indirect permissions with service-linked roles

0

Hello, I am creating the assumed roles for the **users **of my organization. I am attaching an **AWS managed **policy such as arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess. I have seen that this policy has the following statement:

        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole".
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "replication.dynamodb.amazonaws.com",
                        "dax.amazonaws.com",
                        "dynamodb.application-autoscaling.amazonaws.com",
                        "contributorinsights.dynamodb.amazonaws.com",
                        "kinesisreplication.dynamodb.amazonaws.com".
                    ]
                }
            }
        }

So is supposed to "Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf." If I wanted to create a custom policy for a user role, and include a statement as the example.

        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole".
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        **"s3.amazonaws.com",**
                        **"lambda.amazonaws.com",**
                        "dynamodb.application-autoscaling.amazonaws.com",
                    ]
                }
            }
        }
  1. What impact would these service-linked roles have for the user who assumes this role with this attached policy? Would the user have indirect permissions for lambda or S3?

  2. Would it be good practice to use service-linked roles? Or should it be used only for service roles?

ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

1回答
1
承認された回答

Service linked roles (SLR) can be assumed only by AWS services to call other AWS services on your behalf. The permissions in the second policy allow an IAM principal to create the SLR for the specific services. Once that the SLR are created, the respective AWS services can operate in the account. Without the required SLRs, the respective services will not work.

Service Linked Roles and Service Roles are very different: you control Service Roles and their policies, while Service Linked Roles are managed by AWS - you can only allow the creation of the SLR, but you can't control their policies. For example, AWS Lambda can use service roles for allowing a function to access AWS services: you will define what permissions are required by your application. On the other hand, to create an Amazon EKS cluster you must have an SLR that allows EKS to create the required resources. If the SLR required by EKS does not exist in the account already, and the principal trying to create the EKS cluster does not have the permissions to create the SLR, then the creation of the cluster will fail.

AWS
回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ