Here is one possible solution that may work: Granting a user permissions to pass a role to an AWS service in the AWS IAM Documentation.
This grants users permissions to create service roles in order to launch an EC2 instance. I am curious if it will be affected differently for services launched through the Launch Wizard. Please reply and follow up if you continue to have issues. I'm certain there is more than one way to accomplish this task, using a combination of permission boundaries, SCPs, or Control Tower Guardrails. This was the first solution that came to mind.
Granting a user permissions to pass a role to an AWS service
Example 1
Suppose you want to grant a user the ability to pass any of an approved set of roles to the Amazon EC2 service upon launching an instance. You need three elements:
- An IAM permissions policy attached to the role that determines what the role can do. Scope permissions to only the actions that the role must perform, and to only the resources that the role needs for those actions. You can use an AWS managed or customer-created IAM permissions policy.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [ "A list of the permissions the role is allowed to use" ],
    "Resource": [ "A list of the resources the role is allowed to access" ]
  }
}
- A trust policy for the role that allows the service to assume the role. For example, you could attach the following trust policy to the role with the UpdateAssumeRolePolicy action. This trust policy allows Amazon EC2 to use the role and the permissions attached to the role.
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "TrustPolicyStatementThatAllowsEC2ServiceToAssumeTheAttachedRole",
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }
}
- An IAM permissions policy attached to the IAM user that allows the user to pass only those approved roles. You usually add iam:GetRole to iam:PassRole so the user can get the details of the role to be passed. In this example, the user can pass only roles that exist in the specified account with names beginning with EC2-roles-for-XYZ-:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:GetRole",
      "iam:PassRole"
    ],
    "Resource": "arn:aws:iam::account-id:role/EC2-roles-for-XYZ-*"
  }]
}
Now the user can start an Amazon EC2 instance with an assigned role. Applications running on the instance can access temporary credentials for the role through the instance profile metadata. The permissions policies attached to the role determine what the instance can do.
Service Control Policies cannot be used to control the contents of trust policy documents or any other kind of resource-based policy. At this time there is no AWS-native method for preventing a user from creating a trust policy based on its content. See the link below to learn more about the difference between identity-based and resource-based policies.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html
Customers who want to perform custom safety checks on policies often use a deployment pipeline that tests the policy with IAM Access Analyzer Policy Validator in addition to their custom safety checks instead of allowing users to make policy changes directly.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html
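As an added example (not from either answer above, and not AWS tooling), the following script shows the kind of custom safety check a deployment pipeline can run on policy documents before they reach IAM. It covers both points raised in this thread: the third element of Example 1 (the user's iam:PassRole grant must be scoped to a role-name prefix rather than "*"), and the second answer's point that trust-policy contents cannot be constrained by SCPs and so are best checked in a pipeline. Only the local custom checks are implemented so that it runs offline; a real pipeline would also call IAM Access Analyzer's ValidatePolicy API. The approved-service list, the account ID 123456789012 and the sample policies are constructed assumptions.

```python
"""Local pre-deployment safety checks on IAM policy documents (added example).

Constructed for this thread, not AWS tooling: a real pipeline would run these
custom checks alongside IAM Access Analyzer's ValidatePolicy API. Only the
custom checks are implemented here, so the script runs offline.
"""
import fnmatch
import json

# Assumption: the only service principal that roles in this account may trust.
APPROVED_SERVICE_PRINCIPALS = {"ec2.amazonaws.com"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    """Statement may be a single object or a list; keep only Effect: Allow."""
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def passrole_resources(policy):
    """Resource patterns of every Allow statement that grants iam:PassRole,
    directly or through an action wildcard such as iam:* or *."""
    patterns = []
    for stmt in _allow_statements(policy):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # IAM actions are case-insensitive
        if any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            patterns.extend(_as_list(stmt.get("Resource")))
    return patterns


def can_pass_role(policy, role_arn):
    """Does the identity policy allow passing role_arn? Evaluates Allow statements only;
    explicit Deny, SCPs and permission boundaries are out of scope for this check."""
    return any(fnmatch.fnmatchcase(role_arn, p) for p in passrole_resources(policy))


def check_passrole_scope(policy):
    """Flag PassRole grants that are not scoped to a role-name prefix."""
    findings = []
    for pattern in passrole_resources(policy):
        if pattern == "*" or pattern.endswith(":role/*"):
            findings.append(f"iam:PassRole allowed on every role ({pattern}); "
                            "restrict Resource to a role-name prefix")
    return findings


def check_trust_policy(trust_policy):
    """Flag trust policies that let any principal, or an unapproved service, assume the role."""
    findings = []
    for stmt in _allow_statements(trust_policy):
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            findings.append("trust policy lets any principal assume the role")
            continue
        if isinstance(principal, dict):
            for service in _as_list(principal.get("Service")):
                if service not in APPROVED_SERVICE_PRINCIPALS:
                    findings.append(f"unapproved service principal {service}")
    return findings


# Constructed sample documents; 123456789012 stands in for the account ID.
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:GetRole", "iam:PassRole"],
    "Resource": "arn:aws:iam::123456789012:role/EC2-roles-for-XYZ-*"
  }]
}""")

BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}

TRUST_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow",
                              "Principal": {"Service": "ec2.amazonaws.com"},
                              "Action": "sts:AssumeRole"}}

OPEN_TRUST_POLICY = {"Version": "2012-10-17",
                     "Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                                   "Action": "sts:AssumeRole"}}


def run_checks(identity_policy, trust_policy):
    """All findings for one deployment; an empty list means the pipeline may proceed."""
    return check_passrole_scope(identity_policy) + check_trust_policy(trust_policy)


if __name__ == "__main__":
    for label, pol, trust in [("scoped", USER_POLICY, TRUST_POLICY),
                              ("broad", BROAD_POLICY, OPEN_TRUST_POLICY)]:
        print(label, run_checks(pol, trust) or "OK")
    print(can_pass_role(USER_POLICY, "arn:aws:iam::123456789012:role/EC2-roles-for-XYZ-web"))
```

The scoped pair from Example 1 passes cleanly, while the broad pair produces one finding per document. The matching deliberately uses the same glob semantics IAM applies to Resource ARNs, so can_pass_role answers the practical question "which roles can this user actually hand to EC2?" before the policy is deployed.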