
Query regarding AWS IAM Service

I recently started learning about AWS IAM Roles, Groups and Permissions.

I understood that groups are assigned some permissions, and whichever users are added to that group get access to the specific AWS services granted in that group, whereas a Role is used to grant access from one service to another (say, Lambda wants access to CloudWatch).

My query is: suppose a group (say 'dev') has only 2 permission policies added (say S3FullAccess and LambdaFullAccess), and a Role is created for the Lambda service (having the permission policy "CloudWatchFullAccess"); can a user from the 'dev' group then access the 'CloudWatch' service?

EDIT: Another query: I didn't understand how we map users/groups to only specific Roles. Or else, can Roles be accessed by every user/group (assuming the permission policies for the services mentioned in the Roles are already added to the Groups)? Please clear this up for me too.

The permissions from the role are only allowed by a principal (IAM user/IAM role/AWS Service) that has assumed the role. If your user had the permission to assume that IAM role and did it, then yes they would have those permissions.

However based on the policies they have they cannot assume the role, but Lambda (assuming it has a trust policy in place) can assume the IAM role in question.

This means that Lambda can perform any CloudWatch interactions, which would allow a user within the dev group to add code that interacts with CloudWatch within the Lambda function and then when triggering the Lambda function see the output of it.

They would not however be able to see the CloudWatch interface within the console, or directly interact with it on the AWS CLI.

To explain the difference between users, groups and roles:

  • An IAM user is an entity with which you can interact directly through the console or CLI. It requires credentials to perform these interactions and gains its permissions from policies. It is generally advised not to use these for applications that reside in AWS.
  • An IAM group is an entity to group similar IAM users, providing them the same permissions. This allows a hierarchy to be easily maintained. No entity can become a group, it is an assignment to an IAM user.
  • An IAM role is similar to a user, in that it can interact with the console or CLI. However, to do this it must be assumed, which will provide the entity that assumed it with temporary credentials. An AWS service that assumes the role manages these temporary credentials for you.

For a user to assume the role, 2 things would need to be in place. The role would need to have a trust policy that enables the principal of the IAM user (or account) to assume that role. In addition the user would need to have permission to perform the sts:AssumeRole action on the IAM role resource.

More information about this can be found in the Granting a User Permissions to Switch Roles documentation.
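The two conditions from the answer above, the role's trust policy and the caller's own sts:AssumeRole permission, worked through as an added example (not code from the original post). It is a simplified evaluator, not the real IAM engine: account id, ARNs and the 'dev' group's statements are constructed placeholders, and conditions, permission boundaries and account-root principals are left out.

```python
import fnmatch

# Constructed placeholders: account id, role and user ARNs are not from the original post.
ROLE_ARN = "arn:aws:iam::123456789012:role/lambda-cloudwatch-role"
DEV_USER_ARN = "arn:aws:iam::123456789012:user/alice"

# Trust policy on the role: which principals may call sts:AssumeRole on it.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": DEV_USER_ARN}, "Action": "sts:AssumeRole"},
]}

# Identity policy statements on the 'dev' group, mirroring S3FullAccess + LambdaFullAccess.
DEV_GROUP_STATEMENTS = [{"Effect": "Allow", "Action": ["s3:*", "lambda:*"], "Resource": "*"}]
# Extra statement that grants the switch-role permission on this one role only.
ASSUME_ROLE_STATEMENT = {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM-style wildcard match ("s3:*", "*") over a bare string or a list of strings.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _evaluate(statements, applies):
    # Simplified IAM evaluation: a matching Deny wins, otherwise a matching Allow is required.
    allowed = False
    for st in statements:
        if applies(st):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def trust_allows(trust_policy, principal):
    """Side 1: the role's trust policy names the principal for sts:AssumeRole."""
    def applies(st):
        p = st.get("Principal", {})
        named = _as_list(p.get("AWS", [])) + _as_list(p.get("Service", []))
        return _matches(st["Action"], "sts:AssumeRole") and _matches(named, principal)
    return _evaluate(trust_policy["Statement"], applies)

def identity_allows(statements, role_arn):
    """Side 2: the caller's own policies allow sts:AssumeRole on that role ARN."""
    return _evaluate(statements, lambda st: _matches(st["Action"], "sts:AssumeRole")
                     and _matches(st["Resource"], role_arn))

def can_assume(principal, statements, is_service=False):
    # A service principal (e.g. Lambda) needs only the trust side; an IAM user needs both.
    return trust_allows(TRUST_POLICY, principal) and (is_service or identity_allows(statements, ROLE_ARN))
```

Running it shows the dev user is refused with only the group's S3/Lambda policies, gains the role once the sts:AssumeRole statement is attached, and is refused again if an explicit Deny on sts:* is present; Lambda passes on the trust policy alone.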
