Hi,
You can assign a tag to your service and then restrict your role policy with a condition on this tag, as done on this page (although for a different purpose): https://docs.aws.amazon.com/AmazonECS/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-view-cluster-tags

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeServices",
      "Effect": "Allow",
      "Action": "ecs:DescribeServices",
      "Resource": "*"
    },
    {
      "Sid": "ViewServiceIfOwner",
      "Effect": "Allow",
      "Action": "ecs:DescribeServices",
      "Resource": "arn:aws:ecs:*:*:service/*",
      "Condition": {
        "StringEquals": {"ecs:ResourceTag/Owner": "${aws:username}"}
      }
    }
  ]
}
```
You also have a more sophisticated example, still using tags, in this blog post: https://aws.amazon.com/blogs/security/control-access-to-amazon-elastic-container-service-resources-by-using-abac-policies/
Best.
Didier
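To see what the tag condition in the policy above actually does, here is a small evaluator for this kind of identity policy. It is an added example, not code from the answer or from AWS: it models only the subset of IAM the policy uses (Allow/Deny, wildcard action and resource matching, `StringEquals` on `ecs:ResourceTag/<Key>` keys and `${aws:username}` substitution). The service ARN, the username `alice` and the tag values are constructed sample data. Evaluating the posted policy as written shows that its first statement, which grants `ecs:DescribeServices` on `"*"` without a condition, already permits the action on every service, so the tag condition only has an effect once that unconditional statement is removed; the `TAG_ONLY_POLICY` variant below is a constructed copy with that statement dropped. The last check shows the limit of any tag-based approach: whoever is allowed to set the `Owner` tag on a resource effectively controls who may access it.

```python
"""Minimal evaluator for a tag-conditioned IAM identity policy (added example)."""
import fnmatch
import re

# Constructed copy of the policy from the answer above, used as sample input.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeServices", "Effect": "Allow",
         "Action": "ecs:DescribeServices", "Resource": "*"},
        {"Sid": "ViewServiceIfOwner", "Effect": "Allow",
         "Action": "ecs:DescribeServices",
         "Resource": "arn:aws:ecs:*:*:service/*",
         "Condition": {"StringEquals": {"ecs:ResourceTag/Owner": "${aws:username}"}}},
    ],
}

# Constructed variant: only the tag-conditioned statement, so the condition
# is the sole path to an Allow decision.
TAG_ONLY_POLICY = {"Version": "2012-10-17",
                   "Statement": [POSTED_POLICY["Statement"][1]]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value, ctx):
    # Expand ${aws:username}-style policy variables from the request context;
    # unknown variables are left untouched.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), value)


def _condition_holds(condition, ctx, resource_tags):
    # Only StringEquals is modelled. Keys of the form ecs:ResourceTag/<Name>
    # are looked up in the resource's tags, anything else in the request context.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key.startswith("ecs:ResourceTag/"):
                actual = resource_tags.get(key.split("/", 1)[1])
            else:
                actual = ctx.get(key)
            wanted = [_substitute(v, ctx) for v in _as_list(expected)]
            if actual is None or actual not in wanted:
                return False
    return True


def is_allowed(policy, action, resource_arn, ctx, resource_tags):
    """Return True if an Allow statement matches and no Deny statement does.

    Matching follows IAM's order of precedence in simplified form: an explicit
    Deny wins over any Allow; with no matching statement the default is deny.
    """
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), ctx, resource_tags):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample request: user "alice" describing one ECS service.
SERVICE_ARN = "arn:aws:ecs:eu-west-1:123456789012:service/prod/web"
ACTION = "ecs:DescribeServices"
CTX = {"aws:username": "alice"}


def evaluate_scenarios():
    """Run the policy variants against owned, non-owned and re-tagged services."""
    return {
        # Posted policy: the unconditional "*" statement allows both cases.
        "posted_owner_match": is_allowed(POSTED_POLICY, ACTION, SERVICE_ARN, CTX, {"Owner": "alice"}),
        "posted_owner_mismatch": is_allowed(POSTED_POLICY, ACTION, SERVICE_ARN, CTX, {"Owner": "bob"}),
        # Tag-only variant: access follows the Owner tag.
        "tag_only_owner_match": is_allowed(TAG_ONLY_POLICY, ACTION, SERVICE_ARN, CTX, {"Owner": "alice"}),
        "tag_only_owner_mismatch": is_allowed(TAG_ONLY_POLICY, ACTION, SERVICE_ARN, CTX, {"Owner": "bob"}),
        "tag_only_untagged": is_allowed(TAG_ONLY_POLICY, ACTION, SERVICE_ARN, CTX, {}),
        # Whoever can write the Owner tag on a service decides who gets access.
        "tag_only_retagged_to_alice": is_allowed(TAG_ONLY_POLICY, ACTION, SERVICE_ARN, CTX, {"Owner": "alice"}),
    }


if __name__ == "__main__":
    for name, decision in evaluate_scenarios().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The practical consequence for a defender is that an ABAC policy like this is only as strong as the permissions on `ecs:TagResource` for the resources it covers, which is worth checking alongside the role policy itself.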
Hi,
That's a good idea to restrict the IAM role to only one ECS service. But given that you have an issue in setting up the trust relationships, why don't you try restricting the IAM permissions at the resource level (the ECS service here) while creating the IAM policy which is attached to the role? Example: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-summary-examples.html#example6
After selecting the required actions, enter the resource ARN (the ECS service ARN here), such that the above actions/permissions will only be applied to that resource.
Let me know if you have any questions!
Thanks both for coming back to me. I did consider using tags; however, the problem with that is that if anyone added the same tag to another area they would also be able to assume the role, so it isn't secure enough to meet the requirements I've been given.
For setting the permissions at the resource level, unfortunately the resource is a key in KMS, which only allows you to use roles and users to restrict access from what I have been able to see, which is why my thought was to restrict which specific ECS service/task can assume a role that has access.