AWS_IAM_17
Ensure IAM Master and IAM Manager roles are in place for IAM administration and assignment of administrative permissions for other services to other roles. An IAM role is conceptually “a container of permissions resembling a user account which cannot be directly logged into, but which must instead be assumed from an existing user account which has appropriate permissions to do so”, in the manner of roles in Unix Role-Based Access Control (RBAC). In AWS, roles can also be assigned to EC2 instances and Lambda functions. Control over IAM, which is also defined and mediated by a number of fine-grained permissions, should be divided between a number of roles, such that no individual user in a production account has full control over IAM.
Using the Amazon unified CLI, from a user or role which has the iam:CreateRole,
iam:CreatePolicy and iam:PutRolePolicy permissions (create-role also requires a trust policy, passed with --assume-role-policy-document; <trust_policy_file> below is a placeholder for it):
aws iam create-role --role-name <iam_manager_role_name> --assume-role-policy-document file://<trust_policy_file>
aws iam create-role --role-name <iam_master_role_name> --assume-role-policy-document file://<trust_policy_file>
aws iam put-role-policy --role-name <iam_manager_role_name> --policy-name <iam_manager_permissions_policy> --policy-document file://IAM-Manager-policy.json
aws iam put-role-policy --role-name <iam_master_role_name> --policy-name <iam_master_permissions_policy> --policy-document file://IAM-Master-policy.json
where IAM-Master-policy.json contains:
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
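The separation the control asks for can be checked before the policies are attached. The following is an added example, not code from this page or from the benchmark: a small Python evaluator for IAM policy documents (Action/NotAction, Allow/Deny, wildcards) that confirms no single policy grants every IAM action while the master and manager policies together cover them all. The IAM_ACTIONS list and the MASTER, MANAGER and ADMIN policies are constructed samples, not the IAM-Master-policy.json or IAM-Manager-policy.json the page refers to.

```python
import fnmatch
import json

# Constructed sample universe of IAM actions (a subset of the real iam:* namespace).
IAM_ACTIONS = [
    "iam:CreateUser", "iam:DeleteUser", "iam:CreateRole", "iam:DeleteRole",
    "iam:CreatePolicy", "iam:DeletePolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
]

def _matches(patterns, action):
    """Case-insensitive glob match, the way IAM matches Action strings."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allowed_actions(policy_doc, universe=IAM_ACTIONS):
    """Actions from `universe` the policy allows: Action/NotAction, Allow/Deny and
    wildcards are handled, an explicit Deny beats any Allow, and Conditions are
    treated as satisfied (so the result over-reports rather than under-reports)."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            hit = {a for a in universe if _matches(stmt["Action"], a)}
        else:
            hit = {a for a in universe if not _matches(stmt["NotAction"], a)}
        (allowed if stmt["Effect"] == "Allow" else denied).update(hit)
    return allowed - denied

def has_full_iam_control(policy_doc, universe=IAM_ACTIONS):
    """True when one policy on its own grants every IAM action in the universe."""
    return allowed_actions(policy_doc, universe) == set(universe)

def roles_are_separated(*policies):
    """No single policy has full control, yet together they cover every action."""
    if any(has_full_iam_control(p) for p in policies):
        return False
    return set().union(*(allowed_actions(p) for p in policies)) == set(IAM_ACTIONS)

# Constructed sample policies (not the page's IAM-Master/IAM-Manager documents):
# the master defines principals and policies, the manager assigns them.
MASTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:Create*", "iam:Delete*", "iam:Update*", "iam:PutRolePolicy"]},
    {"Effect": "Deny", "Resource": "*", "Action": ["iam:Attach*", "iam:AddUserToGroup"]}]}
MANAGER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:Attach*", "iam:AddUserToGroup"]},
    {"Effect": "Deny", "Resource": "*", "Action": ["iam:Create*", "iam:Delete*", "iam:Put*"]}]}
ADMIN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
```

Run it over the real policy files by passing their contents as strings to roles_are_separated; a single inline policy that evaluates to full control is the condition this control exists to prevent.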