Indirect permissions with service-linked roles

0

Hello, I am creating the assumed roles for the **users** of my organization. I am attaching an **AWS managed** policy such as arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess. I have seen that this policy has the following statement:

        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "replication.dynamodb.amazonaws.com",
                        "dax.amazonaws.com",
                        "dynamodb.application-autoscaling.amazonaws.com",
                        "contributorinsights.dynamodb.amazonaws.com",
                        "kinesisreplication.dynamodb.amazonaws.com"
                    ]
                }
            }
        }

So, supposedly, "Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf." Suppose I wanted to create a custom policy for a user role and include a statement like this example:

        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "s3.amazonaws.com",
                        "lambda.amazonaws.com",
                        "dynamodb.application-autoscaling.amazonaws.com"
                    ]
                }
            }
        }

  1. What impact would these service-linked roles have for the user who assumes this role with this attached policy? Would the user have indirect permissions for lambda or S3?

  2. Would it be good practice to use service-linked roles? Or should it be used only for service roles?

ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

Asked a year ago, 744 views
1 answer
1
Accepted answer

Service linked roles (SLR) can be assumed only by AWS services to call other AWS services on your behalf. The permissions in the second policy allow an IAM principal to create the SLR for the specific services. Once the SLRs are created, the respective AWS services can operate in the account. Without the required SLRs, the respective services will not work.

Service Linked Roles and Service Roles are very different: you control Service Roles and their policies, while Service Linked Roles are managed by AWS - you can only allow the creation of the SLR, but you can't control their policies. For example, AWS Lambda can use service roles for allowing a function to access AWS services: you will define what permissions are required by your application. On the other hand, to create an Amazon EKS cluster you must have an SLR that allows EKS to create the required resources. If the SLR required by EKS does not exist in the account already, and the principal trying to create the EKS cluster does not have the permissions to create the SLR, then the creation of the cluster will fail.

AWS
Answered a year ago
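To make the accepted answer's point for question 1 concrete, here is an added example (not from the original post or from AWS): a deliberately simplified, offline evaluator run over the asker's custom statement and over a constructed trust policy in the shape AWS attaches to a service-linked role. It shows that the statement grants only iam:CreateServiceLinkedRole for the listed service names, nothing under s3 or lambda, and that the created role trusts only the service principal, so the user cannot assume it. The function names, the trust-policy document and the evaluator itself are assumptions; it models only Allow statements, action wildcards and StringEquals, not full IAM evaluation (no Deny, resource ARNs or other condition operators).

```python
import fnmatch
import json

# The asker's custom statement, as valid JSON (Markdown bold and trailing comma removed).
CUSTOM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateServiceLinkedRole"],
    "Resource": "*",
    "Condition": {"StringEquals": {"iam:AWSServiceName": [
      "s3.amazonaws.com", "lambda.amazonaws.com",
      "dynamodb.application-autoscaling.amazonaws.com"]}}
  }]
}""")

# Constructed trust policy in the shape AWS puts on a service-linked role:
# the only principal is the service, so no IAM user or role can assume it.
SLR_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "dynamodb.application-autoscaling.amazonaws.com"}}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    # Only StringEquals is modelled: every key must be present and equal one listed value.
    return all(context.get(key) in _as_list(wanted)
               for key, wanted in condition.get("StringEquals", {}).items())

def policy_allows(policy, action, context=None):
    """Simplified identity-policy check (Allow statements, action wildcards,
    StringEquals conditions); Resource is treated as '*' as in the statement."""
    context = context or {}
    for stmt in policy["Statement"]:
        action_matches = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        if stmt.get("Effect") == "Allow" and action_matches \
                and _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False

def principal_can_assume(trust_policy, principal_arn):
    """True only if a trust statement lists the IAM principal ARN under Principal.AWS."""
    for stmt in trust_policy["Statement"]:
        aws_principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if stmt.get("Effect") == "Allow" and principal_arn in aws_principals:
            return True
    return False
```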
