ACM.30 Permitting an IAM admin to run IAM-related batch jobs
This is a continuation of my series on Automating Cybersecurity Metrics.
Initially we created a batch administrator user who was allowed to assume the roles that run our batch jobs. In this post we want to allow the IAM user we created earlier to assume the batch job role that requires IAM permissions.
An AWS CLI profile with EC2 instance metadata credentials
Before we alter our batch job role template, let's look at what happens when we try to assume the batch job role using the role assigned to an EC2 instance.
Let's say you wanted to configure an AWS CLI profile to assume the batch job role. Find the ARN for the role we created for this batch job.
Navigate to IAM. Click on Roles. Search for "Batch":
Click on the BatchRoleDeployBatchJobCredentials role we created for this batch job, which we're using to deploy our batch job administrator credentials.
As shown in a previous post, copy the ARN by clicking the copy icon.
Add the following to your ~/.aws/config file:
Save the file. Hit the escape [esc] key and type:
:wq!
In the above configuration we're creating a CLI profile named "batch" and we're executing commands with the specified role.
We need some credentials to assume this role, and on the second line we're telling the CLI to use the credentials of the EC2 instance, where the credential_source is Ec2InstanceMetadata.
I explained what EC2 metadata is and its relationship to the permissions granted to your EC2 instance in an earlier post:
I presume you're following my earlier instructions to run the scripts on an AWS instance with an IAM role assigned to it.
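The ~/.aws/config entry described above, as an added example rather than the post's own screenshot: a small shell function that writes the "batch" profile with credential_source = Ec2InstanceMetadata, so the instance role's temporary credentials are used and no long-lived keys land on disk. The role ARN in the usage comment is constructed; the config path is a parameter so the function can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example (not from the original post): write the "batch" CLI profile
# that assumes the batch job role using the EC2 instance metadata credentials.
# Assumption: the caller supplies the role ARN copied from the IAM console.

# write_batch_profile <role-arn> <config-file>
# Appends a [profile batch] section; refuses malformed ARNs and duplicates.
write_batch_profile() {
  role_arn="$1"
  config_file="$2"
  # Only an IAM role ARN makes sense as role_arn; catch copy/paste mistakes early.
  case "$role_arn" in
    arn:aws:iam::[0-9]*:role/?*) ;;
    *) echo "not an IAM role ARN: '$role_arn'" >&2; return 1 ;;
  esac
  # A duplicate [profile batch] section confuses the CLI, so refuse to add it twice.
  if [ -f "$config_file" ] && grep -q '^\[profile batch\]' "$config_file"; then
    echo "profile batch already exists in $config_file" >&2
    return 1
  fi
  # credential_source tells the CLI to get the credentials that assume the role
  # from the instance metadata service (the role attached to this EC2 instance).
  printf '\n[profile batch]\nrole_arn = %s\ncredential_source = Ec2InstanceMetadata\n' \
    "$role_arn" >> "$config_file"
}

# Example use on the instance (constructed ARN; replace with the one you copied):
# write_batch_profile arn:aws:iam::123456789012:role/BatchRoleDeployBatchJobCredentials ~/.aws/config
# aws sts get-caller-identity --profile batch   # shows which identity the CLI ended up with
```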
Our batch job role has KMS permissions. Test your CLI profile by running the command to describe the KMS key we created in an earlier post. We allowed this user to perform that action in our key policy. We can find the CLI documentation for that command:
We need to pass in a key id:
You can find the key ID by navigating to KMS and looking for your key ID there, or by looking at the outputs of your CloudFormation template:
Note that I redacted my key id in the above screenshot, but you will see one in the Value column. We're going to use that id to run our CLI command. Replace [keyid] with your key id in the command below:
aws kms describe-key --key-id [your key id] --profile batch
What happens next? You'll likely get an error if you've followed my instructions exactly.
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::xxxxxxxxxx:assumed-role/xxxxxxx/i-xxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/BatchRoleDeployBatchJobCredentials
The reason we're getting this error is that we haven't given the user or role configured on our EC2 instance permission to assume the batch job role (BatchRoleDeployBatchJobCredentials).
Catch-22 for creating credentials with a role that requires MFA to assume
Let's revisit our trust policy to see what we did. Navigate to the IAM dashboard in the AWS Console. Click on Roles and then the role we are trying to assume. Click on the "Trust Relationships" tab.
Recall that we are allowing our BatchJobAdmin to assume our batch job roles, but only when MFA is present.
So maybe we should add our batch job credentials to the EC2 instance so we can assume this role. But wait. The credentials for that user are what we are trying to create.
The problem is that we can't use the batch job user to create our credentials, because that's the user for whom we're trying to create credentials. In other words, permission to deploy credentials can't depend on the credentials we are trying to deploy. Our catch-22.
Since I never want to expose the batch job admin credentials to a human, I'm going to have to use a different set of credentials to create them. We'll use the IAM user to perform this IAM-related job, eventually via a batch job, but for now we want to test that we can deploy the credentials.
Modifying our Role Template To Allow Different ARNs to Assume A Role
We have a couple of choices for allowing different identities to assume our batch job roles:
- We could alter the batch job role template to pass in the assume role principal when it's deployed.
- We could create a new CloudFormation role template specifically for this job or for the IAM administrators.
I started out with option two because I thought it would help prevent misconfigurations of batch jobs, but reverted to option one to keep things simpler. However: we're not done with this template. It has some security issues I'll fix in the next post.
Alter our existing batch job role to make it more flexible. Take a look at the batch_job_role template.
Here's where I need to assign a different ARN, other than the batch job admin.
I'm going to replace this with a parameter to pass in an ARN and assign the passed-in parameter as the principal:
I'll also need to edit the deploy.sh script in the batch_job_role folder to pass in an argument that will be used for the assume role parameter:
I'll also need to pass in the role to assume from the deploy.sh script in the job folder:
Navigate to your batch job folder:
jobs/DeployBatchJobCredentials/
Re-deploy your batch job role and pass in the ARN for the IAM user we created in an earlier post:
deploy.sh [assume-role-arn-here]
If you get this error you need to first delete the policy stack, because it's using the credentials from the role stack. Then run deploy.sh again.
If you have issues where the output names are missing job names, make sure the script is correctly passing in the job name, not an empty string. If you're just using my final scripts from GitHub when they're available you shouldn't have that issue.
Return to the batch job role in the IAM console and verify that the policy under the Trust Relationships tab has changed as expected.
Always verify your code worked. When I first tested this code, I got no errors, but when I checked the role trust policy it was incorrect. I forgot one change and so the template never updated the role, even though the template indicated a successful deployment.
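The deploy-then-verify pattern from this section, as an added example and not the post's own deploy.sh: the principal ARN is validated before it is handed to CloudFormation as a parameter override (assumed parameter name AssumeRoleArn, assumed stack name and template path), and a second function checks the deployed trust policy for the principal and the MFA condition so a "successful" deployment that silently left the policy unchanged is caught. The policy documents in the test are constructed.

```shell
#!/bin/sh
# Added example, not the post's deploy.sh. Assumptions: the batch_job_role
# template exposes a parameter named AssumeRoleArn that it uses as the
# trust policy principal; STACK_NAME and TEMPLATE_FILE below are placeholders.

STACK_NAME="BatchRoleDeployBatchJobCredentials"   # assumed stack name
TEMPLATE_FILE="cfn/batch_job_role.yaml"            # assumed template path

# Fail early on an empty or malformed principal instead of deploying a role
# whose trust policy names nothing (or the wrong thing).
validate_principal_arn() {
  case "$1" in
    arn:aws:iam::[0-9]*:user/?*|arn:aws:iam::[0-9]*:role/?*) return 0 ;;
    *) echo "expected an IAM user or role ARN, got '$1'" >&2; return 1 ;;
  esac
}

# deploy_batch_role <principal-arn>: passes the principal in as a parameter
# override rather than hard-coding it in the template.
deploy_batch_role() {
  validate_principal_arn "$1" || return 1
  aws cloudformation deploy \
    --stack-name "$STACK_NAME" \
    --template-file "$TEMPLATE_FILE" \
    --capabilities CAPABILITY_NAMED_IAM \
    --parameter-overrides "AssumeRoleArn=$1"
}

# trust_policy_ok <trust-policy-json> <principal-arn>
# Returns 0 only if the trust policy names the principal, grants sts:AssumeRole,
# and still carries the MFA condition (quoted "true" form, as the console writes it).
trust_policy_ok() {
  policy="$1"; principal="$2"
  printf '%s' "$policy" | grep -q "\"$principal\"" || return 1
  printf '%s' "$policy" | grep -q '"sts:AssumeRole"' || return 1
  printf '%s' "$policy" | grep -q '"aws:MultiFactorAuthPresent"[[:space:]]*:[[:space:]]*"true"' || return 1
}

# Live check after deploying (needs AWS credentials; role name from the post):
# policy=$(aws iam get-role --role-name BatchRoleDeployBatchJobCredentials \
#            --query Role.AssumeRolePolicyDocument --output json)
# trust_policy_ok "$policy" "$1" || echo "trust policy did not update" >&2
```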
Give the IAM administrator permission to assume the role
For the purposes of this framework, I'm going to simulate an environment where the team that deploys software is not the same team that deploys KMS keys. I've already created a separate IAM administrator.
Re-deploy the batch job role and pass in the IAM user ARN so it can assume the role, with MFA.
Create a role profile for the IAM user that requires MFA
Follow the steps in the earlier blog post where I explained how to set up an IAM profile that requires MFA. Create an iam and an iamuser profile corresponding to the kms and kmsuser profiles in the post below. Use the batch job role in the configuration instead of the KMS Administrator role from that post.
Test the MFA Profile
Now run the KMS describe key command again, but include the new profile you've configured. Now it should work.
Now we should be able to use our iam CLI profile with the batch job role to create credentials for our batch job user.
Follow for updates.
Teri Radichel
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
All the posts in this series:
____________________________________________
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts