A well-known AWS security best practice is to require assuming a role to perform sensitive tasks, as opposed to giving those privileges to users directly. As per the documentation:
As a best practice, use IAM role temporary credentials to access only the resources you need to do your job (granting least privilege)
For IAM users, create separate roles for specific job tasks and assume those roles for those tasks.
What is the reason behind this best practice (as opposed to granting users the privileges they need to perform the tasks)?
CodePudding user response:
From the AWS official docs, AWS states that:
Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.
Yes, the reason behind it is the temporary security credentials, which give you a better security posture than IAM users with access keys. With IAM user access keys, you need to follow best practices such as rotation after 90 days or earlier.
With a default IAM access key, you only have two fields:
aws_access_key_id=
aws_secret_access_key=
With IAM role temporary credentials, you have three fields, and the aws_session_token makes the difference:
aws_access_key_id=
aws_secret_access_key=
aws_session_token=
Think about the case where your developers accidentally upload your access key with code into a public GitHub repo. Or, you can Google this phrase to see what happens:
What happens if you accidentally commit your AWS access keys?
AWS warned us about this best practice a very long time ago. You can check it out with the references below.
References:
- https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/
- https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
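As an added example (not part of either answer, and not AWS's own code), the small audit below shows how the two-field versus three-field difference described above can be checked mechanically across an AWS CLI profile set. It parses constructed `~/.aws/credentials` and `~/.aws/config` contents (the key values are AWS's documented placeholders, not real secrets), merges them per profile, and classifies each profile as a static long-term key, a temporary session credential, or an assume-role profile. It relies on two documented facts: long-term IAM access key IDs start with `AKIA`, and temporary STS access key IDs start with `ASIA`. The profile names, ARNs and file contents are assumptions for the demonstration.

```python
"""Audit AWS CLI profiles: which hold long-term keys, which hold temporary
role credentials, and which defer to AssumeRole with no static secret at all.
Added example with constructed sample files; not code from the original post."""
import configparser

# Documented AWS key-id prefixes (IAM User Guide, "Unique identifiers").
LONG_TERM_PREFIX = "AKIA"   # IAM user / root long-term access key
TEMPORARY_PREFIX = "ASIA"   # temporary access key issued by STS

# Constructed sample ~/.aws/credentials. The key values are the placeholders
# AWS uses in its own documentation; nothing here is a real secret.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[admin-session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEBEXAMPLETOKEN
"""

# Constructed sample ~/.aws/config with an assume-role profile (hypothetical
# account id, role name and MFA device).
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile admin]
role_arn = arn:aws:iam::123456789012:role/AdminRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/alice
"""


def load_profiles(credentials_text: str, config_text: str) -> dict:
    """Merge both files into {profile_name: {setting: value}}.

    The config file prefixes non-default sections with "profile "; the
    credentials file does not, so the prefix is stripped to line them up."""
    profiles: dict = {}
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    for name in creds.sections():
        profiles.setdefault(name, {}).update(creds[name])
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    for section in cfg.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(cfg[section])
    return profiles


def classify(fields: dict) -> tuple:
    """Return (kind, note) for one profile's merged settings.

    kind is one of 'assume-role', 'temporary', 'long-term' or 'unknown'."""
    if "role_arn" in fields:
        # No static key is stored; the CLI calls AssumeRole on demand.
        note = "MFA required" if "mfa_serial" in fields else "no mfa_serial set"
        return "assume-role", note
    key_id = fields.get("aws_access_key_id", "")
    if "aws_session_token" in fields:
        # Three fields: the token only ever accompanies STS credentials.
        if not key_id.startswith(TEMPORARY_PREFIX):
            return "unknown", "session token present but key id is not an ASIA key"
        return "temporary", "expires on its own; nothing to rotate"
    if key_id.startswith(LONG_TERM_PREFIX):
        # Two fields: a static key that lives until someone deletes it.
        return "long-term", "static key: rotate it, and prefer assuming a role"
    if key_id:
        return "unknown", "unrecognised access key id prefix"
    return "unknown", "no credentials in this profile"


def audit(credentials_text: str, config_text: str) -> dict:
    """Classify every profile found in the two files."""
    return {name: classify(fields)
            for name, fields in load_profiles(credentials_text, config_text).items()}


if __name__ == "__main__":
    for profile, (kind, note) in audit(SAMPLE_CREDENTIALS, SAMPLE_CONFIG).items():
        print(f"{profile:14} {kind:12} {note}")
```

Run against real files, a `long-term` result is the one to act on: that profile is exactly the two-field credential that survives a leaked commit until it is manually revoked, while `temporary` and `assume-role` profiles either expire on their own or never store a secret in the first place.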
CodePudding user response:
It's exactly the same reason why the sudo command exists.
If you use Admin-level privileges day-to-day, there is a bigger risk of doing something that you'll regret. It's better to only assume higher-level permissions when it is actually required.
For a real-world example, imagine a firefighter who carries an axe and can demand that people evacuate buildings that are on fire. When they visit the grocery store, it would be wrong for them to bring an axe and demand their tomatoes in a booming voice. They should only 'assume the role' of a firefighter when the extra capabilities are required.
Or, for a more timely example, let's say Thor wants to open a can of beer. He should open it with his fingers rather than using Mjölnir and potentially causing an earthquake.