Cross account role for multiple accounts


We have a BI product which we provisioned on EC2 instances. The only way we can connect to AWS data sources from these EC2 instances is by giving a cross-account role trust policy. The EC2 instance is sitting in one VPC and the data sources are in different VPCs. We have a use case to connect to data sources in multiple accounts (VPCs), in which case, if the EC2 role is compromised, it will be able to connect to all the data sources which have the trust. How do we add more access control layers to this?

  • Hello,

    What are the different data sources in other AWS accounts?

  • For example, Redshift, Athena, RDS, Aurora flavors, etc.

1 Answer

You can consider many extra access control layers. But, as you know, each access control layer requires a corresponding trade-off (human resources, extra systems, management cost).

  • Fine-grained IAM policy conditions
    • Limit source IP, source VPC, source account, or something else.
  • Strengthen security for the AssumeRole (trusted identity) policy of the IAM role.
    • Limit source IP, source VPC, source account, or something else.
  • Use application-level AWS STS tokens instead of the EC2 instance profile.
    • With a solution for dynamic secrets (short-lived tokens) like HashiCorp Vault, you can use several small-scoped STS tokens, and just delete your EC2 instance profile.
  • Limit access to the EC2 instance with security groups and NACLs.
answered 2 months ago
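As an added example (not code from the answer above or from AWS), the following Python builds a cross-account trust policy in the narrowed form the answer describes and flags trust statements that lack such conditions. The account id, role name and VPC id are constructed placeholders; aws:SourceVpc is only evaluated when the AssumeRole call reaches STS through an interface VPC endpoint in that VPC, which is assumed here.

```python
"""Narrowed cross-account trust policy, plus a checker for overly broad trust statements."""
from typing import Dict, List

# Constructed sample values; replace with the account, role and VPC hosting the BI EC2 instances.
BI_ACCOUNT = "111111111111"
BI_ROLE_ARN = f"arn:aws:iam::{BI_ACCOUNT}:role/bi-ec2-role"
BI_VPC = "vpc-0abc1234def567890"

# Condition keys that narrow who may call sts:AssumeRole on the data-account role
# (source IP, source VPC / endpoint, source account, exact principal, external id).
NARROWING_KEYS = {"aws:PrincipalArn", "aws:SourceVpc", "aws:SourceVpce",
                  "aws:SourceIp", "aws:PrincipalAccount", "sts:ExternalId"}


def build_trust_policy(role_arn: str, vpc_id: str) -> Dict:
    """Trust exactly one role, and only when the call arrives from the BI VPC (via an STS endpoint)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnEquals": {"aws:PrincipalArn": role_arn},
                "StringEquals": {"aws:SourceVpc": vpc_id},
            },
        }],
    }


def find_weak_statements(policy: Dict) -> List[int]:
    """Indexes of Allow/AssumeRole statements that trust a whole account (:root) or '*',
    or that carry no narrowing condition key at all."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    weak = []
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws_principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        principals = [aws_principal] if isinstance(aws_principal, str) else aws_principal
        broad = any(p == "*" or p.endswith(":root") for p in principals)
        keys = {k for op in st.get("Condition", {}).values() for k in op}
        if broad or not keys & NARROWING_KEYS:
            weak.append(i)
    return weak
```

Run `find_weak_statements` over the trust policies of every data-account role the BI role can assume; any index it returns is a role that a compromised EC2 role could reach from anywhere.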
