I'd like to create a user that is "effectively root" AWS-wise (meaning too many service:* perms), but only allow this user to operate from servers with a specific role. The reason I don't want to give the servers the role themselves is I'd like to store the keys in a secure vault and then only run the commands inside of containers, so ideally compromising an unrelated container still wouldn't give someone the "effective root" access to AWS, as they still wouldn't have the credentials. What would I have to do to accomplish this?

xenoterracide
  • You cannot. If you create a user with "root" privileges they can do anything they want including creating a new root user without any restrictions that you defined. – John Hanley Feb 07 '18 at 20:37
  • @JohnHanley well one thing I didn't give it * privs to was iam, but it has * privs on ec2, s3, route53, etc, 'cause it is for managing those resources. I kinda suspected you're right though, that there's no way to limit a set of creds to a server. – xenoterracide Feb 07 '18 at 21:04
  • Correct... instance roles have no impact on any static credentials also used on those instances. – Michael - sqlbot Feb 07 '18 at 22:07
  • You can limit credentials to a server by using IAM roles. The credentials are temporary and expire (I think after 60 minutes). – John Hanley Feb 07 '18 at 22:48
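The role-only setup the comments point toward, written out as an added example that is not from the question or any commenter: the broad service grants go on a privileged role whose trust policy names only the instance role as principal, and the instance role itself carries nothing but sts:AssumeRole on that one target, so no long-term access key exists to be copied off the box and callers only ever hold short-lived session credentials. The account ID and role names are constructed placeholders.

```python
"""Build the IAM policy documents for a role-chaining setup (example, not AWS-provided code).

Pattern: instance profile role -> sts:AssumeRole -> privileged role.
The privileged role trusts *only* the instance role, so an IAM user's
static keys (the thing the question wanted to restrict) cannot assume it.
"""
import json

# Constructed placeholder values; replace with your own.
ACCOUNT_ID = "123456789012"
INSTANCE_ROLE = "ops-instance-role"   # attached to the EC2 instance profile
PRIVILEGED_ROLE = "ops-admin-role"    # holds the broad ec2:*/s3:*/route53:* grants


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(account_id, instance_role):
    """Trust policy for the privileged role: only the instance role may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn(account_id, instance_role)},
            "Action": "sts:AssumeRole",
        }],
    }


def instance_role_policy(account_id, privileged_role):
    """Inline policy for the instance role: nothing but AssumeRole on the one target."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn(account_id, privileged_role),
        }],
    }


def privileged_role_policy(services=("ec2", "s3", "route53")):
    """The broad service grants from the question; deliberately no iam:* (see the comments)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": [f"{s}:*" for s in services], "Resource": "*"}],
    }


if __name__ == "__main__":
    # Emit files for: aws iam create-role --assume-role-policy-document file://trust.json
    #                 aws iam put-role-policy --policy-document file://instance.json (and privileged.json)
    for name, doc in (("trust.json", trust_policy(ACCOUNT_ID, INSTANCE_ROLE)),
                      ("instance.json", instance_role_policy(ACCOUNT_ID, PRIVILEGED_ROLE)),
                      ("privileged.json", privileged_role_policy())):
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
```

Anything on the instance that can reach the instance metadata endpoint can follow the same chain, so the container-isolation concern in the question is addressed by restricting access to that endpoint from unrelated containers, not by these policies alone.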