0

I have a IAM role dedicated for EC2, but I would like to restrict use of this role to only certain services eg. Service Catalog. I can't do it on autoscaling level - it uses service linked role which is impossible to edit. I believe that I can somehow block that access on trusted relationship policy level on the target role. I have tried many things but nothing works for me. I think the main problem is that this role is not directly used by autoscaling, but this is a process chain which starts from autoscaling and ends on ec2. Role is no strictly used by the service but is passed through instance profile.

Any suggestions how to approach this topic ?

  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123344566:root"
        ],
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "????"
        }
      }
    }
  ]
}

BG Seba

Sebastian Zalewski
  • 89
  • 8
  • You are looking for Instance Profile. – Clément Duveau Feb 17 '21 at 14:15
  • Ok, my I didn't provide all informations. I want to have access to this role from different account and I want to assume it from ec2 from a different account, but I want to keep it unavailable to pass from autoscaling – Sebastian Zalewski Feb 17 '21 at 14:41
  • So you want to use an IAM role in another account as the role assigned to an EC2 instance profile or you want to assume a role in another account from an EC2 instance that has an instance profile associated with it? – Maurice Feb 17 '21 at 14:56
  • I want to assume role Y on account B from ec2 instance on account A with role X. In the same time I have autoscaling on account B where I want to block possibility to use/pass this role by ec2s provisioned by autoscaling. So I have to keep principal for ec2 – Sebastian Zalewski Feb 17 '21 at 15:09
  • How have you assigned users permission to call `iam:PassRole`? The problem possibly lies with the fact that you have granted users Admin permission, or at least PassRole. Rather than 'blocking' it, you should try to avoid granting those permissions in the first place. Can you tell us more about how they are currently granted PassRole permissions? – John Rotenstein Feb 17 '21 at 21:08
  • @JohnRotenstein no, I haven't. It's not about users permissions. It's about autoscaling permissions. I have a ec2 role with high privileges and I want to still use it but not by autoscaling. The problem is with service linked role for autoscaling. It has to have passRole in order to work, but you can't change the policy attached to this role nor change policy itself. [link] https://docs.aws.amazon.com/autoscaling/plans/userguide/aws-auto-scaling-service-linked-roles.html .It might sounds weird, but its all about preventing a privilege escalations - one of sec pen test finding. – Sebastian Zalewski Feb 17 '21 at 21:46
  • So users are not currently permitted to use the privileged IAM Role (eg to launch EC2 instances), but you are worried that they could bypass this restriction by launching an Auto Scaling group that specifies this role, and they could then login to the resultant EC2 instances and gain privileged access? I wonder if this can be handled via permissions around Launch Configs and Launch Templates? – John Rotenstein Feb 17 '21 at 21:49
  • @JohnRotenstein that's correct. I have tried this `"StringNotLike": { "aws:PrincipalArn": [ "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/*", "arn:aws:ec2:*:*:launch-template/*", ]}` but I can still associate role to both. – Sebastian Zalewski Feb 17 '21 at 23:15

1 Answers1

1

It appears that your requirement is:

  • You have a privileged IAM Role (let's call it Admin Role)
  • You want to allow non-Admins to create Amazon EC2 Auto Scaling groups
  • You do not want them to be able to attach the Admin Role to the Auto Scaling group because they could login to the resulting instances and gain privileged access

I think that you will need to control the ability to create Launch Templates and Launch Configurations:

  • Creating a Launch Template requires the ec2:CreateLaunchTemplate permission
  • Creating a Launch Configuration requires the autoscaling:createLaunchConfiguration permission

If users are not allowed to create these templates, then they cannot select a role. They would need to use an existing template to launch the Auto Scaling group.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470