IAM 角色将 sts:AssumeRole 限制为一个 AWS Lambda 函数

本文介绍了IAM 角色将 sts:AssumeRole 限制为一个 AWS Lambda 函数的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我担心安全问题.IAM 角色的创建是一种高安全风险，并且您只能指定为可以担任角色的 AWS Lambda 这一事实在 IMO 上还不够好.如果不小心处理，可能会出现特权升级.

如何创建特定于某些 Lambda 函数的 IAM 角色?

我没有发现任何类似的东西，但我相信这是可能的.

此角色还会附加一些政策:

{"Action": "sts:AssumeRole",主要的": {服务":lambda.amazonaws.com"},"Effect": "允许",席德":"}

通常，在其他角色中，您会使用 Principal 子句来决定哪些帐户可以承担该角色.

{"Effect": "允许",主要的": {"AWS": "arn:aws:iam::123456789:root"},"动作": "sts:AssumeRole"}

根据@Michael 在评论中的说法，我不得不说哪些用户可以在哪些角色上使用传递角色，因此问题是，我如何确定哪些用户可以传递此角色?

如果是这样，这个问题的答案将分两步解决.使此角色只能由 Lambda 服务承担(因为它已经存在)，然后为每个用户制定一个包含 PassRole 限制的策略.

解决方案

我就此问题咨询了 AWS 支持.他们说他们目前不*支持假设角色/信任策略中的条件，以通过匹配函数名称模式来限制哪些函数可以承担角色.

相反，他们建议在执行策略中添加条件(而不是假设/信任策略):

{版本":2012-10-17"，声明":[{Sid":WhitelistSpecificLambdaFunction"，效果":拒绝"，动作":*"，资源":*"，条件":{StringNotLike":{aws:userid": AROAUISMSUAFHSJDJURKJ:TestLambda"}}}]}

-- 此策略拒绝访问所有 Lambda 函数，但名称在aws:userid"中提到的特定 Lambda 函数除外.条件键.其他 Lambda 函数将能够承担该角色，但它们将被拒绝执行任何操作，但如果它们只是打印或返回任何变量/数据，则该函数将起作用.

-->注意:条件键aws:userid"指定当前角色的唯一 ID，该键的对应值具有以下格式:role-id:role-session-name".

-- IAM 角色 ID 是AROAUISMSUAFHSJDJURKJ"；对于我使用的示例角色.

-- 对于 Lambda 函数，角色会话名称与 Lambda 函数名称相同.在本示例中，它是TestLambda"，因此 aws:userid 变为aws:userid":AROAUISMSUAFHSJDJURKJ:TestLambda"

* 他们将我的名字添加到添加此功能的现有请求中

I am concerned about security. The creation of IAM Roles is a high security risk, and the fact that you can only specify to be AWS Lambda the one that can assume a role is not good enough IMO. There could be a privilege escalation if not treated with care.

How can I create IAM Roles specific to some Lambda functions?

I haven't found anything similar, but I believe it may be possible.

This role would have also some policies attached:

{
  "Action": "sts:AssumeRole",
  "Principal": {
    "Service": "lambda.amazonaws.com"
  },
  "Effect": "Allow",
  "Sid": ""
}

Usually, in other roles you would use Principal clause to decide which accounts can assume the role.

{
 "Effect": "Allow",
 "Principal": {
   "AWS": "arn:aws:iam::123456789:root"
 },
 "Action": "sts:AssumeRole"
}

According to @Michael in the comments, I have to say which users can use pass role on which roles, therefore is the question, how can I decide which users exactly can pass this role?

If so, the answer to this question would be solved in two steps. Making this role only assumable by Lambda service (as it is already), and then have a policy with PassRole restrictions for each user.

解决方案

I asked AWS support about this. They said they don't presently* support conditions in the assume_role/trust policy to limit which functions can assume the role by matching a function name pattern.

Instead, they suggested adding conditions to the execution policy (instead of the assume/trust policy):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WhitelistSpecificLambdaFunction",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:userid": "AROAUISMSUAFHSJDJURKJ:TestLambda"
                }
            }
        }
    ]
}

* They added my name to an existing request to add this feature

这篇关于IAM 角色将 sts:AssumeRole 限制为一个 AWS Lambda 函数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！