Tags: amazon-web-services, amazon-iam, amazon-polly

How to manage 100s of AWS IAM Roles?


We have 3 buckets and many folders in them.

We currently have 3 roles for managing these buckets so the access level can be maintained.

Customer wants to put restrictions on providing access to only certain specific folders.

If we create multiple roles for specific folders, we will end up with 100s of different roles.

These IAM roles will be used by HashiCorp Vault to provide access.

Is there a better way to manage and scale AWS IAM roles?

Are there any guidelines on how to manage multiple roles?


Solution

  • You can use prefixes in your IAM Policies to control either IAM Roles or IAM Users.

    There's a great writeup here on IAM User Level permissions on S3 Buckets: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

    But to summarize if you want to go to user level permissions you'll ultimately have one IAM entity per User. Policies will look like the following

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowGroupToSeeBucketListInTheConsole",
          "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::*"]
        },
        {
          "Sid": "AllowRootAndHomeListingOfCompanyBucket",
          "Action": ["s3:ListBucket"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::my-company"],
          "Condition": {"StringEquals": {"s3:prefix": ["", "home/"], "s3:delimiter": ["/"]}}
        },
        {
          "Sid": "AllowListingOfUserFolder",
          "Action": ["s3:ListBucket"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::my-company"],
          "Condition": {
            "StringLike": {
              "s3:prefix": [
                "home/${aws:username}/*",
                "home/${aws:username}"
              ]
            }
          }
        },
        {
          "Sid": "AllowAllS3ActionsInUserFolder",
          "Action": ["s3:*"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::my-company/home/${aws:username}/*"]
        }
      ]
    }
    

    For Roles you'll follow a similar pattern; however, you won't need as many IAM roles, since many users will likely fall within a similar role and hence can share.

    {
      "Version":"2012-10-17",
      "Statement": [
      ...
        {
           "Sid": "AllowAllS3ActionsInUserFolder",
           "Action":["s3:*"],
           "Effect":"Allow",
           "Resource": [
             "arn:aws:s3:::my-folder-1/${aws:username}/*",
             "arn:aws:s3:::my-folder-2/${aws:username}/*"
           ]
        }
        ...
      ]
    }
    

    Remember in IAM policies you can list multiple resources (folders) and actions (file operations like create, list, etc...) per statement and multiple statements (either allow or deny on the resource action combinations).
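The two policy shapes from the answer above, as an added worked example that is not part of the original answer or of any AWS tooling. It builds the `${aws:username}` home-folder policy and the role-style "one statement, many folders" policy from a list of (bucket, prefix) grants, then runs a deliberately small offline evaluator over them so you can see which object keys and which `ListBucket` prefixes each policy actually grants before anything is deployed. The bucket name `my-company`, the usernames and the folder list are constructed for the illustration; the evaluator only understands `StringEquals`/`StringLike` conditions, `Action`/`Resource` wildcards and the Allow/explicit-Deny ordering, and ignores `NotAction`, resource policies and permission boundaries, so treat it as a sanity check, not a substitute for `iam:SimulatePrincipalPolicy`. One caveat for the Vault case in the question: `aws:username` is populated for IAM users, not for sessions obtained by assuming a role, so a role-based design keys the same pattern off `aws:userid` or session tags (`aws:PrincipalTag/...`) instead.

```python
"""Offline check of the prefix-scoped S3 policy pattern: added example, not AWS code."""
from fnmatch import fnmatchcase

BUCKET = "my-company"  # constructed sample bucket name for the illustration


def build_home_folder_policy(bucket):
    """One policy for all principals: IAM resolves ${aws:username} per request,
    so each user is confined to home/<username>/ without a policy per folder."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowRootAndHomeListing", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [bucket_arn],
         "Condition": {"StringEquals": {"s3:prefix": ["", "home/"],
                                        "s3:delimiter": ["/"]}}},
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [bucket_arn],
         "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*",
                                                    "home/${aws:username}"]}}},
        {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": [bucket_arn + "/home/${aws:username}/*"]},
    ]}


def build_folder_set_policy(grants):
    """Role-style policy: one statement listing every (bucket, prefix) pair in an
    access set, so one role stands for a set of folders rather than one folder."""
    resources = sorted({f"arn:aws:s3:::{b}/{p.strip('/')}/*" for b, p in grants})
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowObjectActionsInGrantedFolders", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": resources},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    """Substitute ${aws:...} policy variables from the request context."""
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def _conditions_hold(condition, ctx, request):
    """StringEquals / StringLike only. A condition key missing from the request
    fails the test, as in IAM without the ...IfExists operator variants."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in request:
                return False
            patterns = [_resolve(p, ctx) for p in _as_list(expected)]
            if operator == "StringEquals":
                ok = request[key] in patterns
            elif operator == "StringLike":
                ok = any(fnmatchcase(request[key], p) for p in patterns)
            else:
                raise ValueError("unsupported condition operator: " + operator)
            if not ok:
                return False
    return True


def is_allowed(policy, ctx, action, resource_arn, request=None):
    """Simplified IAM decision: a matching explicit Deny wins, any matching
    Allow grants, and with neither the implicit deny applies."""
    request = request or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, _resolve(r, ctx))
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx, request):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_home_folder_policy(BUCKET)
    alice = {"aws:username": "alice"}  # constructed principal
    checks = [
        ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/home/alice/report.csv", {}),
        ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/home/bob/report.csv", {}),
        ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}", {"s3:prefix": "home/alice/"}),
        ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}", {"s3:prefix": ""}),  # no delimiter
    ]
    for action, arn, req in checks:
        print(f"{action:14} {arn:46} {req!s:28} -> {is_allowed(policy, alice, action, arn, req)}")
```

The last check in the demo is the one worth noticing: a root listing with `s3:prefix` set to `""` but no `s3:delimiter` is denied, because the first statement requires both keys and the second statement's `StringLike` patterns do not match an empty prefix. That is exactly the kind of surprise the answer's condition-based approach produces, and it is cheaper to find with a table like this than from a client's `AccessDenied`.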