IAM All Access Account - TannerWeinacker/Capstone GitHub Wiki

The problem

One problem this capstone group has faced is setting up user environments with permissions and roles that do not map directly onto AWS's native IAM model. IAM All Access accounts are one potential way to solve part of this, specifically the problem of shared admin/billing accounts.

IAM All Access account

An IAM All Access account relies on a trust relationship with an IAM role in another AWS account. A user in the source account assumes that role, and for the lifetime of the resulting session acts inside the destination account with whatever permissions the role carries.

What is a trust relationship

Using IAM roles, a trust relationship can be configured between a trusting account and one or more trusted accounts. The trusting account owns the resources to be accessed (and the role that grants access to them); the trusted account contains the users who need that access. In the examples below the destination account is the trusting account and the source account is the trusted account.

Create an IAM role

Setting up the IAM Policy on the source account

This is an identity-based policy attached to the user (or group) in the source account. It grants nothing in the destination account itself; it only allows the user to call sts:AssumeRole on the one destination role named in Resource. Replace DESTINATION-ACCOUNT-ID and DESTINATION-ROLENAME with the real values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::DESTINATION-ACCOUNT-ID:role/DESTINATION-ROLENAME"
      ]
    }
  ]
}

Setting up the IAM Role on the destination account

This is the role's trust policy. It only says who may assume the role; what the role can actually do in the destination account comes from the separate permissions policy attached to the role (not shown here). Naming a specific user ARN in Principal, as below, is tighter than naming the source account's root (arn:aws:iam::SOURCE-ACCOUNT-ID:root), which lets any principal in the source account that has sts:AssumeRole permission assume the role. Both halves must agree: if the source policy's Resource and this trust policy's Principal do not match, AssumeRole is denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE-ACCOUNT-ID:user/SOURCE-USERNAME"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
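The two policy documents above only work as a pair, and the usual failure is that one side names an ARN the other side does not. The following is an added example (not code from the capstone wiki or from AWS) that builds both documents from placeholder account IDs and names, checks that the source-side identity policy and the destination-side trust policy actually agree, and then shows the sts:AssumeRole call that a source user would make once they do. The account IDs, the user name capstone-admin, the role name AllAccessRole and the session name are constructed placeholders; the optional MFA condition is a hardening choice not in the original policies.

```python
"""Cross-account AssumeRole: build both policy halves, check they agree,
then assume the role. Added example with constructed placeholder values."""
import json

SOURCE_ACCOUNT_ID = "111111111111"       # constructed placeholder
DESTINATION_ACCOUNT_ID = "222222222222"  # constructed placeholder
SOURCE_USERNAME = "capstone-admin"       # constructed placeholder
DESTINATION_ROLENAME = "AllAccessRole"   # constructed placeholder


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def user_arn(account_id, user_name):
    return f"arn:aws:iam::{account_id}:user/{user_name}"


def source_identity_policy(dest_account_id, dest_role_name):
    """Identity-based policy for the user/group in the SOURCE account.
    It grants only the right to call sts:AssumeRole on one destination role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": [role_arn(dest_account_id, dest_role_name)],
        }],
    }


def destination_trust_policy(source_account_id, source_user_name, require_mfa=False):
    """Trust policy on the role in the DESTINATION account. It names who may
    assume the role; what the role may do comes from its permissions policy.
    require_mfa adds the aws:MultiFactorAuthPresent condition (an assumption
    added here, not part of the wiki's policy)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": user_arn(source_account_id, source_user_name)},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_is_mutual(source_policy, trust_policy, source_user, target_role):
    """True only if both halves agree: the source policy allows sts:AssumeRole
    on exactly target_role, and the trust policy allows sts:AssumeRole for
    source_user (or for the source account's root, which delegates the
    decision to source-side IAM)."""
    source_allows = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
        and target_role in _as_list(s.get("Resource", []))
        for s in source_policy["Statement"]
    )
    account_root = f"arn:aws:iam::{source_user.split(':')[4]}:root"
    trust_allows = False
    for s in trust_policy["Statement"]:
        principal = s.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (s.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(s.get("Action", []))
                and any(p in (source_user, account_root) for p in aws_principals)):
            trust_allows = True
    return source_allows and trust_allows


def assume_role(target_role, session_name="capstone-cross-account"):
    """The live STS call, made with the SOURCE user's credentials. Returns the
    temporary credentials (AccessKeyId, SecretAccessKey, SessionToken) for the
    destination account. boto3 is imported lazily so the offline checks above
    run without it."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=target_role, RoleSessionName=session_name)
    return resp["Credentials"]


if __name__ == "__main__":
    src = source_identity_policy(DESTINATION_ACCOUNT_ID, DESTINATION_ROLENAME)
    dst = destination_trust_policy(SOURCE_ACCOUNT_ID, SOURCE_USERNAME, require_mfa=True)
    print(json.dumps(src, indent=2))
    print(json.dumps(dst, indent=2))
    print("mutual trust:", trust_is_mutual(
        src, dst,
        user_arn(SOURCE_ACCOUNT_ID, SOURCE_USERNAME),
        role_arn(DESTINATION_ACCOUNT_ID, DESTINATION_ROLENAME)))
```

The check is deliberately strict about the role ARN on the source side: a policy that says Resource "*" would also pass AWS's own evaluation, but it lets the user assume any role in any account that trusts them, which is not what a single-purpose admin/billing account should have.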

Switching Roles

Creating Roles

Cyber.AWS Usecase

Sources:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-iam/
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html