IAM All Access Account - TannerWeinacker/Capstone GitHub Wiki
The problem
A problem this capstone group has faced is setting up user environments with proper permissions and roles that are not native to the AWS infrastructure. IAM All Access accounts are a potential way to solve some of these problems, specifically the problem of admin/billing accounts.
IAM All Access account
IAM all access accounts use a trust relationship with an IAM role in another AWS account. This allows a user in a source account to assume a role in a chosen destination account and act with that role's permissions.
What is a trust relationship
Using IAM roles, a trust relationship can be configured between a trusting account and one or more trusted accounts. The trusting account owns the resources to be accessed and the trusted account contains the users who need access to those resources.
Create an IAM role
Setting up the IAM Policy on the source account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::DESTINATION-ACCOUNT-ID:role/DESTINATION-ROLENAME"
            ]
        }
    ]
}
Setting up the IAM Role (trust policy) on the destination account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE-ACCOUNT-ID:user/SOURCE-USERNAME"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
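The two documents above only work if they agree with each other: the Resource in the source user's policy must be the role whose trust policy names that user. The following is an added example (not from this wiki or its sources) that checks both sides of the pair offline and flags a trust policy that is wider than a single user; the account IDs and names are constructed placeholders.

```python
# Constructed placeholders standing in for SOURCE-ACCOUNT-ID / DESTINATION-ACCOUNT-ID.
SOURCE_USER_ARN = "arn:aws:iam::111111111111:user/SOURCE-USERNAME"
ROLE_ARN = "arn:aws:iam::222222222222:role/DESTINATION-ROLENAME"

# Identity policy attached to the user in the source (trusted) account.
SOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [ROLE_ARN]}],
}

# Trust policy on the role in the destination (trusting) account.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": SOURCE_USER_ARN}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM fields may be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def source_can_assume(policy, role_arn):
    """True if some Allow statement grants sts:AssumeRole on role_arn (or via a wildcard)."""
    for stmt in policy["Statement"]:
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if any(r in ("*", role_arn) for r in _as_list(stmt.get("Resource"))):
            return True
    return False


def trust_policy_findings(trust, expected_principal):
    """Review the role's trust policy; an empty list means it trusts exactly expected_principal."""
    findings = []
    for stmt in trust["Statement"]:
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws_principals:
            findings.append("trust policy lets any AWS principal assume the role")
        for p in aws_principals:
            if p.endswith(":root"):
                findings.append(f"trust extends to every identity in account {p.split(':')[4]}")
        if expected_principal not in aws_principals:
            findings.append(f"{expected_principal} is not among the trusted principals")
        if "Condition" not in stmt:
            findings.append("no Condition (e.g. aws:MultiFactorAuthPresent) limits the assume-role call")
    return findings
```

Run against the page's own pair, the source policy passes and the trust policy returns a single finding: it has no Condition block, so adding an MFA requirement is the one hardening step left for an admin/billing role.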
Switching Roles
Creating Roles
Cyber.AWS Usecase
Sources:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-iam/
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html