Context
:
The EC2 instance IAM role privileges grant more permissions than desired to the users who SSH into the instance. Therefore, we want to restrict SSH user access so that it should not automatically assume the EC2 IAM role upon login to the server.
Issue
:
Team A and Team B have access to only their respective set of AWS services while they try to access them via console or via external API calls through IAM credentials. Also, There is an EC2 instance with an IAM role which provides Get:*
permissions to some AWS services because the application running on that server needs it to work properly. So when users from either team log in to this server for some application troubleshooting, they can easily fetch data from those AWS services by assuming the EC2 IAM role even though they are not supposed to access those details.
Expectation
:
Users of either team should not be able to access AWS resources belonging to another team even after login to the EC2 instance. Is there a way to do that or is there any alternate way to design this security constraint?
2
Answers
So turns out we can use local firewall rules to restrict the IAM role from being assumed by a specific OS user. This AWS documentation suggests a way to limit access to the instance metadata. For example, the following command makes use of iptables to prevent a user from accessing the instance metadata:
I have tested this and I can confirm I get the expected results. To showcase this, I ran the following command as both the ec2-user and root user as below:
As expected, both users are able to assume the IAM role attached to my instance and call the DescribeTags API. I then ran the following command to add a deny rule for ec2-user:
Now if we run the above commands again on both users:
We can see above that ec2-user no longer has access to retrieve the security credentials from the IAM role and therefore cannot assume the role
Note: To implement this successfully, The desired Linux users should be restricted to sudo to the user who has access to the instance metadata.
It is not possible to limit which Linux users can access the Instance Metadata.
If you do not want it to be accessible to some users, then do not assign an IAM Role to the instance. Any users who require AWS access will need to store credentials in a local file (via
aws configure
) instead of using Instance Metadata.