fbpx

Use tags to control and secure usage of additional forms of IAM resources

AWS Identity and Access Management (IAM) now enables Amazon Web Providers (AWS) administrators to utilize tags to control and secure usage of more forms of IAM assets, such as for example customer managed IAM policies, Security Assertion Markup Language (SAML) providers, and virtual multi-factor authentication (MFA) devices. A tag can be an attribute that includes a crucial and an optional worth that you can put on an AWS source. With this particular launch, administrators can connect tags to extra IAM resources to recognize resource proprietors and grant fine-grained usage of these resources at level using attribute-based access control. For instance, a security administrator within an AWS organization is now able to attach tags to all or any customer managed policies and create a individual policy for nearby administrators within the associate accounts, which grants them permissions to control only those consumer managed policies which have a matching tag.

In this post, I discuss the excess IAM resources that at this point support tags first. Then I stroll you through two make use of cases that demonstrate ways to use tags to recognize an IAM resource proprietor, and ways to further restrict usage of AWS resources predicated on tag and prefixes ideals.

Which IAM sources now assistance tags?

Along with IAM roles and IAM users that already support tags, it is possible to tag more forms of IAM resources now. The next table shows other IAM resources that assistance tags now. The table furthermore highlights which of the IAM assets assistance tags on the IAM gaming console degree and at the API/CLI level.

IAM resources Assistance tagging at IAM console Assistance tagging at API and CLI degree
Customer managed IAM policies Yes Yes
Instance profiles No Yes
OpenID Connect Service provider Yes Yes
SAML suppliers Yes Yes
Server certificates No Yes
Virtual MFAs No Yes

Fine-grained resource ownership and access using tags

Within the next sections, I’ll walk through two types of how exactly to use tagging to classify your IAM sources and define least-privileged access for the developers. In the initial instance, I explain how exactly to use tags to permit your designers to declare possession of a person managed plan they create. In the next illustration, I explain how exactly to make use of tags to enforce minimum privilege allowing programmers to only complete IAM roles with Amazon Elastic Compute Cloud (Amazon EC2) instance profiles they create.

Example 1: Make use of tags to recognize the proprietor of a person managed policy

Being an AWS administrator, it is possible to require your designers to tag the client managed guidelines they create always. You can then utilize the tag to recognize which of one’s developers owns the client managed policies.

For example, being an AWS administrator it is possible to require your developers in your company to tag any client managed policy they create. To do this, it is possible to require the plan creator to get into their username because the value for the main element titled Owner on resource tag development. By enforcing tagging on consumer managed policies, administrators can simply identify who owns these IAM policy varieties now.

To enforce client managed plan tagging, you very first grant your programmer the opportunity to create IAM consumer managed policies, you need to include a conditional declaration within the IAM plan that will require your developer to use their AWS user title in the tag worth field titled Owner if they create the policy.

Stage 1: Create a good IAM plan and attach it to your programmer role

Following is really a sample IAM plan (TagCustomerManagedPolicies.json) that you could assign to your programmer. This policy may be used by one to follow additionally example is likely to AWS account. For your own instructions and policies, replace the cases of in this instance with your personal AWS account ID.


    "Edition": "2012-10-17",
    "Statement": [
        
            "Sid": "TagCustomerManagedPolicies",
            "Impact": "Allow",
            "Action": [
                "iam:CreatePolicy",
                "iam:TagPolicy"
            ],
            "Useful resource": "arn:aws:iam::: :policy/Developer-*",
            "Condition": 
                "StringEquals": 
                    "aws:RequestTag/Proprietor": "$aws:username"
                
            
        
    ]
 

This policy requires the programmer to enter their AWS user name because the tag value to declare AWS resource ownership during customer managed policy creation. The TagCustomerManagedPolicies.json also requires the programmer to mention any customer managed plan they create with the Developer- prefix.

Create the TagCustomerManagedPolicies.json file, then develop a managed policy utilizing the the next CLI command:

$aws iam create-plan --policy-name TagCustomerManagedPolicies --policy-document document://TagCustomerManagedPolicies.json

Once you create the TagCustomerManagedPolicies.json policy, attach the policy to your programmer with the next command. Assume your programmer has an IAM account and their AWS consumer name is JohnA.

$aws iam attach-user-plan --policy-arn arn:aws:iam:::policy/TagCustomerManagedPolicies --user-name JohnA

Action 2: Ensure the programmer utilizes appropriate tags when making IAM policies

If your developer attempts to produce a customer managed policy without applying their AWS user name because the value for the Owner tag and does not name the client managed policy with the mandatory prefix Developer-, this IAM policy shall not permit the developer to generate this AWS resource. The mistake received by the programmer is demonstrated in the next example.

$ aws iam create-plan --policy-name TestPolicy --policy-document document://Developer-TestPolicy.json 

One occurred (AccessDenied) when phoning the CreatePolicy procedure: User: arn:aws:iam:::user/JohnA isn't authorized to execute: iam:CreatePolicy on reference: policy TestPolicy

However, if your programmer applies their AWS consumer name as the worth for the Owner tag and names the plan with the Programmer- prefix, the IAM plan will enable your programmer to create the client managed policy successfully, as shown within the following example.

$aws iam create-plan --policy-name Developer-TestPolicy --policy-document document://Developer-TestPolicy.json --tags '"Key": "Owner", "Value": "JohnA"'


  "Policy": 
    "PolicyName": "Developer-Test_policy",
    "PolicyId": "",
    "Arn": "arn:aws:iam:::policy/Developer-Test_plan",
    "Route": "/",
    "DefaultVersionId": "v1",
    "Tags": [
      
        "Crucial": "Proprietor",
        "Worth": "JohnA"
      
    ],
    "AttachmentCount": 0,
    "PermissionsBoundaryUsageCount": 0,
    "IsAttachable": real,
    "CreateDate": "2020-07-27T21:18:10Z",
    "UpdateDate": "2020-07-27T21:18:10Z"
  

Instance 2: Use tags to regulate which IAM functions your developers put on an instance user profile

Amazon EC2 enables customers to perform compute resources within the cloud. AWS programmers use IAM example profiles to associate IAM functions to EC2 situations hosting their apps. This instance profile can be used to move an IAM part to an EC2 example to grant it privileges to invoke activities on behalf of a credit card applicatoin hosted within it.

In this illustration, I show ways to use tags to regulate which IAM functions your developers can truly add to instance profiles. You may use this as a starting place on your own workloads, or follow additionally instance as a learning physical exercise. On your own plans and instructions, replace the cases of in this illustration with your personal AWS account ID.

Let’s assume your programmer is running a credit card applicatoin on the EC2 instance that requires study and write permissions to items within various programmer owned Amazon Simple Storage Service (S3) buckets. To permit your application to execute these actions, you should associate an IAM function with the mandatory S3 permissions to an example profile of one’s EC2 instance that’s hosting your application.

To achieve this, you’ll do the next:

  1. Create a permissions boundary policy and require your developer to add the permissions boundary policy to any IAM role they create. The permissions boundary policy defines the utmost permissions your developer can assign to any IAM role they create. For types of how exactly to use permissions boundary policies, see Add Tags to control Your AWS IAM Users and Roles.
  2. Grant your developer permissions to generate and tag IAM instance and roles profiles. Your developer use the instance profile to pass the IAM role with their EC2 instance hosting their application.
  3. Grant your developer permissions to generate and apply IAM permissions to the IAM role they create.
  4. Grant your developer permissions to assign IAM roles to instance profiles of these EC2 instances in line with the Owner tag they put on the IAM role and instance profile they created.

Step 1: Develop a permissions boundary policy

First, create the permissions boundary policy (S3ActionBoundary.json) that defines the utmost S3 permissions for the IAM role your developer creates. Following can be an exemplory case of a permissions boundary policy.


    "Version": "2012-10-17",
    "Statement": [
        
            "Sid": "S3ActionBoundary",
            "Effect": "Allow",
            "Action": [
                "S3:CreateBucket",
                "S3:ListAllMyBuckets",
                "S3:GetBucketLocation",
                "S3:PutObject",
                "S3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::Developer-*",
            "Condition": 
                "StringEquals": 
                    "aws:RequestedRegion": "us-east-1"
                
            
        
    ]

When used as a permissions boundary, this policy enables your developers to grant permissions for some S3 actions, so long as two requirements are met. First, the S3 bucket must start out with the Developer prefix. Second, the spot used to help make the request should be US East (N. Virginia).

Like the previous example, it is possible to create the S3ActionBoundary.json, then develop a managed IAM policy utilizing the following CLI command:

$aws iam create-policy --policy-name S3ActionBoundary --policy-document file://S3ActionBoundary.json

Step 2: Grant your developer permissions to generate and tag IAM roles and instance profiles

Next, create the IAM permission (DeveloperCreateActions.json) which allows your developer to generate IAM roles and instance profiles. Any roles they create will never be permitted to exceed the permissions of the boundary policy we created in step one 1, and any resources they create should be tagged based on the guideline we established earlier. Following can be an example DeveloperCreateActions.json policy.


    "Version": "2012-10-17",
    "Statement": [
        
            "Sid": "CreateRole",
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam:::role/Developer-*",
            "Condition": 
                "StringEquals": 
                    "aws:RequestTag/Owner": "$aws:username",
                    "iam:PermissionsBoundary": "arn:aws:iam:::policy/S3ActionBoundary"
                
            
        ,
        
            "Sid": "CreatePolicyandInstanceProfile",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy"
            ],
            "Resource": [
                "arn:aws:iam:::instance-profile/Developer-*",
                "arn:aws:iam:::policy/Developer-*"
            ],
            "Condition": 
                "StringEquals": 
                    "aws:RequestTag/Owner": "$aws:username"
                
            
        ,
        
            "Sid": "TagActionsAndAttachActions",
            "Effect": "Allow",
            "Action": [
                "iam:TagInstanceProfile",
                "iam:TagPolicy",
                "iam:AttachRolePolicy",
                "iam:TagRole"
            ],
            "Resource": [
                "arn:aws:iam:::instance-profile/Developer-*",
                "arn:aws:iam:::policy/Developer-*",
                "arn:aws:iam:::role/Developer-*"
            ],
            "Condition": 
                "StringEquals": 
                    "aws:ResourceTag/Owner": "$aws:username"
                
            
        
    ]

I will walk through each statement in the policy to describe its function.

The initial statement CreateRole allows creating IAM roles. The Condition component of the policy requires your developer to use their AWS user name because the Owner tag to any IAM role or instance profile they create. In addition, it requires your developer to add the S3ActionBoundary as a permissions boundary policy to any IAM role they create.

Another statement CreatePolicyAndInstanceProfile allows creating IAM policies and instance profiles. The Condition element requires your developer to mention any IAM role or instance profile they create with the Developer- prefix, also to attach the Owner tag to the resources they create.

The final statement TagActionsAndAttachActions allows tagging managed policies, instance profiles and roles with the Owner tag. It allows attaching role policies also, to allow them to configure the permissions for the roles they create. The Resource and Condition components of the policy require the developer to utilize the Developer- prefix and their AWS user name because the Owner tag, respectively.

As soon as you create the DeveloperCreateActions.json file locally, it is possible to create it being an IAM policy and attach it to your developer role utilizing the following CLI commands:

$aws iam create-policy --policy-name DeveloperCreateActions --policy-document file://DeveloperCreateActions.json 

$aws iam attach-user-policy --policy-arn arn:aws:iam:::policy/DeveloperCreateActions --user-name JohnA

With the preceding policy, your developer can make an instance profile, an IAM role, and the permissions they shall put on the IAM role. For instance, if your developer creates an example profile and doesn’t apply their AWS user name because the Owner tag, the IAM Policy will avoid the resource creation process from occurring render one as shown in the next example.

$aws iam create-instance-profile --instance-profile-name Developer-EC2-InstanceProfile

One occurred (AccessDenied) when calling the CreateInstanceProfile operation: User: arn:aws:iam:::user/JohnA isn't authorized to execute: iam:CreateInstanceProfile on resource: arn:aws:iam:::instance-profile/Developer-EC2

Whenever your developer names the instance profile with the prefix Developer- and includes their AWS user name as value for the Owner tag in the create request, the IAM policy allows the create action that occurs as shown in the next example.

$aws iam create-instance-profile --instance-profile-name Developer-EC2-InstanceProfile --tags '"Key": "Owner", "Value": "JohnA"'


    "InstanceProfile": 
        "Path": "/",
        "InstanceProfileName":"Developer-EC2-InstanceProfile",
        "InstanceProfileId":" AIPAR3HKUNWB24NBA3HRC",
        "Arn": "arn:aws:iam:::instance-profile/Developer-EC2-InstanceProfile",
        "CreateDate": "2020-07-30T21:24:30Z",
        "Roles": [],
        "Tags": [
            
                "Key": "Owner",
                "Value": "JohnA"
            
        ]

    

Let’s assume your developer creates an IAM role called Developer-EC2. The Developer-EC2 role has your developer’s AWS user name (JohnA) because the Owner tag. The developer gets the S3ActionBoundaryPolicy.json as their permissions boundary policy and the Developer-ApplicationS3Access.json policy because the permissions policy your developer will pass with their EC2 instance to permit it to call S3 with respect to their application. That is shown in the next example.



    "Version": "2012-10-17",
    "Statement": [
        
            "Effect": "Allow",
            "Principal": 
                "Service": "ec2.amazonaws.com"
            ,
            "Action": "sts:AssumeRole"
        
    ]




    "Version": "2012-10-17",
    "Statement": [
        
            "Sid": "S3Access",
            "Effect": "Allow",
            "Action": [
                "S3:GetBucketLocation",
                "S3:PutObject",
                "S3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::Developer-*"
        
    ]




$aws iam create-role --role-name Developer-EC2
--assume-role-policy-document file://RoleTrustPolicy.json
--permissions-boundary arn:aws:iam:::policy/S3ActionBoundary --tags '"Key": "Owner", "Value": "JohnA"'



$aws iam create-policy --policy-name Developer-ApplicationS3Access --policy-document file://Developer-ApplicationS3Access.json --tags '"Key": "Owner", "Value": "JohnA"'


$aws iam attach-role-policy --policy-arn arn:aws:iam:::policy/Developer-ApplicationS3Access --role-name Developer-EC2

Step 3: Grant your developer permissions to generate and apply IAM permissions to the IAM role they create

Utilizing the AddRoleAssociateInstanceProfile.json IAM Policy below provided, you’re allowing your developers the permissions to pass their new IAM role to an example profile they create. They have to follow these requirements as the DeveloperCreateActions.json permission, that you assigned to your developer within an earlier step already, allows your developer to only administer resources which are properly prefixed with Developer- and also have their user name assigned to the resource tag. The next example shows information on the AddRoleAssociateInstanceProfile.json policy.

< AddRoleAssociateInstanceProfile.json>

    "Edition": "2012-10-17",
    "Statement": [
        
            "Sid": "AddRoleToInstanceProfile",
            "Impact": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam:::instance-profile/Developer-*",
                "arn:aws:iam:::role/Developer-*"
            ],
            "Condition": 
                "StringEquals": 
                    "aws:ResourceTag/Proprietor": "$aws:username"
                
            
        ,
        
            "Sid": "AssociateInstanceProfile",
            "Impact": "Allow",
            "Activity": "ec2:AssociateIamInstanceProfile",
            "Source": "arn:aws:ec2:us-east-1::instance/Programmer-*"
        
    ]

As soon as you create the DeveloperCreateActions.json file locally, it is possible to create it being an IAM plan and attach it to your programmer role utilizing the following CLI commands:

$aws iam create-plan --policy-name AddRoleAssociateInstanceProfile --policy-document document://AddRoleAssociateInstanceProfile.json

$aws iam attach-user-plan --policy-arn arn:aws:iam:::policy/ AddRoleAssociateInstanceProfile --user-name Developer

If your developer’s AWS user name may be the Owner tag for the Developer-EC2-InstanceProfile instance user profile and the Developer-EC2 IAM part, then AWS allows your developer to include the Developer-EC2 function to the Developer-EC2-InstanceProfile instance profile. Nevertheless, if your developer tries to include the Developer-EC2 role to an example profile they don’t very own, AWS won’t permit the activity, as proven in the next example.

aws iam add-role-to-instance-profile --instance-profile-name EC2-access-User profile --role-name Developer-EC2

One occurred (AccessDenied) when contacting the AddRoleToInstanceProfile procedure: User: arn:aws:iam:::user/Developer isn't authorized to execute: iam:AddRoleToInstanceProfile on useful resource: instance profile EC2-access-profile

When your programmer adds the IAM part to the instance profile they own, the IAM plan allows the action, since shown in the next example.

aws iam add-role-to-instance-profile --instance-profile-name Developer-EC2-InstanceProfile --role-name Developer-EC2

It is possible to verify this by checking which instance profiles support the Developer-EC2 role, the following.

$aws iam list-instance-profiles-for-function --role-name Developer-EC2




    "InstanceProfiles": [
        
            "InstanceProfileId": "AIDGPMS9RO4H3FEXAMPLE",
            "Roles": [
                
                    "AssumeRolePolicyDocument": "",
                    "RoleId": "AIDACKCEVSQ6C2Illustration",
                    "CreateDate": "2020-06-07T20: 42: 15Z",
                    "RoleName": "Developer-EC2",
                    "Route": "/",
                    "Arn":"arn:aws:iam:::role/Developer-EC2"
                
            ],
            "CreateDate":"2020-06-07T21:05:24Z",
            "InstanceProfileName":"Developer-EC2-InstanceProfile",
            "Route": "/",
            "Arn":"arn:aws:iam:::instance-profile/Developer-EC2-InstanceProfile"
        
    ]

Phase 4: Grant your programmer permissions to include IAM roles to example profiles in line with the Owner tag

Your developer may then associate the example profile (Developer-EC2-InstanceProfile) with their EC2 instance working their application, utilizing the following command.

aws ec2 associate-iam-instance-user profile --instance-id i-1234567890EXAMPLE --iam-instance-user profile Name="Developer-EC2-InstanceProfile"


    "IamInstanceProfileAssociation": 
        "InstanceId": "we-1234567890EXAMPLE",
        "Condition": "associating",
        "AssociationId": "iip-assoc-0dbd8529a48294120",
        "IamInstanceProfile": 
            "Id": "AIDGPMS9RO4H3FEXAMPLE",
            "Arn": "arn:aws:iam:::instance-profile/Developer-EC2-InstanceProfile"
        
    

Summary

You may use tags to control and secure usage of IAM assets such as for example IAM roles, IAM users, SAML providers, server certificates, and virtual MFAs. In this article, I highlighted two types of how AWS administrators may use tags to grant accessibility at level to IAM sources such as for example customer managed guidelines and instance profiles. To learn more about the IAM assets that support tagging, start to see the AWS Identity and Access Management (IAM) User Guide.

When you have feedback concerning this post, submit remarks in the Comments section below. Should you have questions concerning this post, start a brand new thread on the AWS IAM forum or contact AWS Support.

Want a lot more AWS Security how-to articles, news, and show announcements? Stick to us on Twitter.

Writer

Michael Switzer

Mike may be the product supervisor for the Entry and Identity Management services at AWS. He enjoys dealing with customers to identify answers to their challenges directly, and using data-driven choice making to operate a vehicle his work. Beyond work, Mike can be an avid outdoorsperson and cyclist. A learn’s is held by him diploma in computational mathematics from the University of Washington.

Contributor

Special because of Derrick Oigiagbe who produced significant contributions to the post.

%d bloggers like this: