Hybrid Cloud Console / RHCLOUD-32014

Provide an external ID for AWS IAM Role to enable the cloud access for AWS while using Manual configuration


      The root principal is being used when creating the AWS source with the "RHEL Management Application" for cloud access. When adding the AWS account as an integration, there are two choices for the configuration mode:

      Account authorization
      Manual configuration


      When using the Manual configuration option, the wizard displays the following content in the JSON text box, which the customer can use to create the IAM policy:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "CloudigradePolicy",
            "Effect": "Allow",
            "Action": [
              "sts:GetCallerIdentity"
            ],
            "Resource": "*"
          }
        ]
      } 

      After creating the policy from the above, the user creates the role; as an end result, the following role is created in AWS:

      AWS account >> IAM >> Roles >> rolename >> Trust relationships

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::998366406740:root"
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {}
              }
          ]
      } 

      The customer's Security Operations team flagged this role as a violation of internal policies and procedures and would like to know whether there is an "External ID" that can be used with the AWS IAM role setup option "Require external ID (Best practice when a third party will assume this role)". They would like the role's trust policy to look something like the following, so that it is locked down more tightly and more in line with internal policies and procedures:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Principal": {
                      "AWS": "998366406740"
                  },
                  "Condition": {
                      "StringEquals": {
                          "sts:ExternalId": "<whateverExternalIDRedHatprovides>"
                      }
                  }
              }
          ]
      } 

      Implement External ID (best practice when a third-party account assumes the role). From the AWS console help text:

      "You can increase the security of your role by requiring an optional external identifier, which prevents "confused deputy" attacks. This is recommended if you do not own or have administrative access to the account that can assume this role. The external ID can include any characters that you choose. To assume this role, users must be in the trusted account and provide this exact external ID."

      Ref Doc: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html?icmpid=docs_iam_console
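      As an added illustration (not part of the issue or of the Hybrid Cloud Console code), the following Python performs the check the security team effectively did by hand: it walks a trust policy, flags every Allow of sts:AssumeRole to a principal outside the customer's own account that lacks an sts:ExternalId condition, and produces a hardened copy that adds the condition. It uses the two trust policies quoted in the issue; the customer's own account id (111111111111) and the external-id value passed to with_external_id are constructed placeholders, since the issue does not state them.

```python
import json
import re
from copy import deepcopy

# Trust policy created by the manual "RHEL Management Application" flow (quoted in the issue).
CURRENT_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::998366406740:root"},
                "Action": "sts:AssumeRole",
                "Condition": {}}]}
""")

# Trust policy the customer's security team asked for (quoted in the issue).
REQUESTED_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {"AWS": "998366406740"},
                "Condition": {"StringEquals": {"sts:ExternalId": "<whateverExternalIDRedHatprovides>"}}}]}
""")

# Constructed placeholder for the customer's own account id; the issue does not give it.
OWN_ACCOUNT_ID = "111111111111"

_BARE_ACCOUNT_RE = re.compile(r"^\d{12}$")
_ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM accepts a scalar or a list for Action, Principal.AWS and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_account_id(principal):
    """Account id of an AWS principal given as a bare id or an IAM ARN; None otherwise."""
    if _BARE_ACCOUNT_RE.match(principal):
        return principal
    match = _ARN_ACCOUNT_RE.match(principal)
    return match.group(1) if match else None


def requires_external_id(statement):
    """True when the statement pins sts:ExternalId to one or more non-empty values."""
    condition = statement.get("Condition") or {}
    external_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
    return bool(external_ids) and all(external_ids)


def cross_account_assume_role_without_external_id(policy, own_account_id):
    """(statement index, principal) for each Allow of sts:AssumeRole to a principal
    outside own_account_id that does not require an external ID."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = statement.get("Principal")
        if principal == "*":
            # Anyone may assume the role; an external ID does not repair this.
            findings.append((index, "*"))
            continue
        if not isinstance(principal, dict):
            continue
        for entry in _as_list(principal.get("AWS")):
            account = principal_account_id(entry)
            foreign = entry == "*" or (account is not None and account != own_account_id)
            if foreign and not requires_external_id(statement):
                findings.append((index, entry))
    return findings


def with_external_id(policy, own_account_id, external_id):
    """Copy of policy in which every flagged cross-account statement requires external_id."""
    hardened = deepcopy(policy)
    for index, entry in cross_account_assume_role_without_external_id(policy, own_account_id):
        if entry == "*":
            continue  # a wildcard principal must be replaced, not conditioned
        condition = hardened["Statement"][index].setdefault("Condition", {})
        condition.setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    return hardened


if __name__ == "__main__":
    print(cross_account_assume_role_without_external_id(CURRENT_TRUST_POLICY, OWN_ACCOUNT_ID))
    print(cross_account_assume_role_without_external_id(REQUESTED_TRUST_POLICY, OWN_ACCOUNT_ID))
    print(json.dumps(with_external_id(CURRENT_TRUST_POLICY, OWN_ACCOUNT_ID, "example-external-id"), indent=2))
```

      Run against the role from the issue, the check reports the single statement that trusts arn:aws:iam::998366406740:root with an empty Condition; run against the requested policy it reports nothing, which is exactly the gap the Security Operations team asked Red Hat to close by supplying an external ID value.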

            Assignee: Unassigned
            Reporter: Shivam Gupta (rhn-support-shivagup)
            Votes: 0
            Watchers: 4