Can I restrict an SSH user from assuming the IAM role attached to an EC2 instance?

NitinGarg
May 15, 2023
264 views
1 vote
2 Answers

Context:

The EC2 instance IAM role privileges grant more permissions than desired to the users who SSH into the instance. Therefore, we want to restrict SSH user access so that it should not automatically assume the EC2 IAM role upon login to the server.

Issue:

Team A and Team B have access to only their respective set of AWS services while they try to access them via console or via external API calls through IAM credentials. Also, There is an EC2 instance with an IAM role which provides Get:* permissions to some AWS services because the application running on that server needs it to work properly. So when users from either team log in to this server for some application troubleshooting, they can easily fetch data from those AWS services by assuming the EC2 IAM role even though they are not supposed to access those details.

Expectation:

Users of either team should not be able to access AWS resources belonging to another team even after login to the EC2 instance. Is there a way to do that or is there any alternate way to design this security constraint?

Answers

Chosen as BEST ANSWER
- NitinGarg
- May 15, 2023 at 9:06 am
- 0 votes
0
So turns out we can use local firewall rules to restrict the IAM role from being assumed by a specific OS user. This AWS documentation suggests a way to limit access to the instance metadata. For example, the following command makes use of iptables to prevent a user from accessing the instance metadata:
```
sudo iptables --append OUTPUT --proto tcp --destination 169.254.169.254 --match owner --uid-owner user --jump REJECT
```
I have tested this and I can confirm I get the expected results. To showcase this, I ran the following command as both the ec2-user and root user as below:
```
[ec2-user@ip ~]$ aws ec2 describe-tags --region us-east-1
{
    "Tags": [
        {}
}

[root@ip ~]# aws ec2 describe-tags --region us-east-1
{
    "Tags": [
        {}
}
```
As expected, both users are able to assume the IAM role attached to my instance and call the DescribeTags API. I then ran the following command to add a deny rule for ec2-user:
```
[ec2-user@ip ~]$ sudo iptables --append OUTPUT --proto tcp --destination 169.254.169.254 --match owner --uid-owner ec2-user --jump REJECT
```
Now if we run the above commands again on both users:
```
[ec2-user@ip ~]$ aws ec2 describe-tags --region us-east-1
Unable to locate credentials. You can configure credentials by running "aws configure".

[root@ip ~]# aws ec2 describe-tags --region us-east-1
{
    "Tags": [
        {}
}
```
We can see above that ec2-user no longer has access to retrieve the security credentials from the IAM role and therefore cannot assume the role

Note: To implement this successfully, The desired Linux users should be restricted to sudo to the user who has access to the instance metadata.

(Edit)

- JohnRotenstein
- May 3, 2023 at 11:31 pm
- 0 votes
0
It is not possible to limit which Linux users can access the Instance Metadata.

If you do not want it to be accessible to some users, then do not assign an IAM Role to the instance. Any users who require AWS access will need to store credentials in a local file (via aws configure) instead of using Instance Metadata.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.