- Bug
- Resolution: Unresolved
- Critical
The AWS account root principal (arn:aws:iam::<account>:root) is used in the role trust policy when creating the AWS source with "RHEL Management Application" for cloud access. When adding the AWS account as an integration, there are two choices for the configuration mode:
- Account authorization
- Manual configuration
The steps are:
- Open https://console.redhat.com/settings/integrations
- Click on Cloud
- Click on Add integration
- Select AWS and give a name.
- Select Manual configuration
With the Manual configuration option, the following content is displayed in the JSON text box, which the customer can use to create the IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudigradePolicy",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
After creating the policy from the above, the user creates the role, and as the end result the following role is created in AWS:
AWS account >> IAM >> Roles >> rolename >> Trust relationships
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::998366406740:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
The customer's Security Operations team flagged this role as violating internal policies/procedures and would like to know whether there is an "External ID" that can be used with the AWS IAM role setup option "Require external ID (Best practice when a third party will assume this role)". They would like the role's trust policy to look something like the following, so that it is locked down more securely and more in line with internal policies/procedures:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "998366406740"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<whateverExternalIDRedHatprovides>"
        }
      }
    }
  ]
}
Implement External ID – best practice when a third-party account will assume this role
You can increase the security of your role by requiring an optional external identifier, which prevents "confused deputy" attacks. This is recommended if you do not own or have administrative access to the account that can assume this role. The external ID can include any characters that you choose. To assume this role, users must be in the trusted account and provide this exact external ID.
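An added example, not part of this issue or of the RHEL Management Application, that audits a role's trust policy for exactly the gap described above: cross-account sts:AssumeRole statements that carry no sts:ExternalId condition. The two policies are the ones quoted in this issue; the external ID value and the "own account" id 111111111111 are placeholders.

```python
import json

# Constructed sample data: the trust policy the "Manual configuration" flow produces
# and the hardened form the customer's security team asked for. The external ID
# value is a placeholder; no real value has been published in this issue.
CURRENT_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::998366406740:root"},
                 "Action": "sts:AssumeRole", "Condition": {}}]
}""")

HARDENED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "998366406740"},
                 "Condition": {"StringEquals":
                               {"sts:ExternalId": "<whateverExternalIDRedHatprovides>"}}}]
}""")


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_unscoped_cross_account_statements(trust_policy, own_account_id):
    """Return indexes of Allow statements that let a principal outside own_account_id
    call sts:AssumeRole without any sts:ExternalId condition (the confused-deputy
    exposure this issue describes)."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        # A bare account id, an account-root ARN or "*" is foreign unless it names our own account.
        if not any(own_account_id not in p for p in aws_principals):
            continue
        conditions = stmt.get("Condition") or {}
        has_external_id = any(key.lower() == "sts:externalid" and value
                              for operator in conditions.values()
                              for key, value in operator.items())
        if not has_external_id:
            findings.append(idx)
    return findings
```

Run against a live account by feeding the output of `aws iam get-role --role-name <name>` (the AssumeRolePolicyDocument field) into the checker; an empty result means every cross-account statement requires an external ID.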