How do you grant access to AWS resources to a third party via roles & external ID?
This topic, “Granting AWS Resources to Third Party via External Id and Roles”, will help you prepare for the AWS Certified Security Specialty exam. This topic is located under the Identity and Access Management domain, as highlighted in the blueprint for the AWS Certified Security Specialty exam.
The Identity and Access Management domain carries an exam weight of 20%. This article will be a valuable resource for your AWS Certified Security Specialty exam prep.
Problem Statement
Let’s take a common scenario for consulting companies that require access to AWS resources. A consulting company might need access to AWS resources to perform an audit of a company’s AWS account.
Giving the consultant Access Keys is not the best way to go. Instead, create an IAM Role that the consultant can assume to access the AWS resources (S3 in this case).
This is a typical use case scenario.
Solution: Granting access to AWS resources to third party via roles & external ID
These steps will help you to solve the problem.
First, create an IAM policy to grant access to the S3 bucket. This would be done through the Company AWS account.
Next, we will need to create an IAM role on the Company AWS account. This role would be assigned the policy.
We would make sure that the Consulting AWS account number has the permission to assume this role.
The Consulting AWS account would then assume this role and have access to the underlying S3 bucket.
Let’s take a look at an example using the AWS Console.
Step 1: Assume that you have an S3 bucket called awsproduction345 and an AWS account called Cloud-production.
Step 2: Now, let’s go to IAM to create a new policy.
The JSON below is then added to the policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::awsproduction345",
        "arn:aws:s3:::awsproduction345/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
The policy allows you to access the S3 bucket and retrieve the objects.
Step 3: Now let’s create a role.
Step 4: Next, make sure that the trusted entity is “Another AWS Account”. Enter the Consulting company’s AWS account number. This is the number that the consulting company needs to provide.
Step 5: When it comes time to assign permissions, make sure to assign the IAM Policy that was created in step 1.
Let’s say that we created the policy under the name CrossAccountS3.
Step 6: Next, create the role.
Step 7: Once the role has been created, the role ARN must be given to the Administrator of the Consulting Company.
Step 8: Now, for the consulting company to use the role, they must ensure that the user has the ability to assume the role in their account.
Let’s say we are in the consulting company (i.e. the 3rd party AWS account). Let’s move on to the user who will assume the role.
Step 9: Now, go to the permissions section and click on Add inline policies.
Step 10: In the JSON editor, add the policy allowing the user to assume the role created in the previous step.
Step 11: Once you log in as the user, you can now switch roles.
Step 12: Provide the account number for the main company’s AWS Account, and specify the Role Name. Then switch roles.
Once you have done this, you can now access the bucket from the production account.
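The walkthrough above enters only the consulting account number as the trusted entity; the external ID named in the title is expressed in the role's trust policy as a condition on sts:ExternalId. The following is an added example, not part of the original article: it builds that trust policy with and without the condition and flags cross-account statements that omit it. The account IDs, the external ID value and the function names are constructed placeholders.

```python
import json

# Constructed placeholders, not values from the article.
COMPANY_ACCOUNT = "999988887777"      # account that owns the bucket and the role
CONSULTING_ACCOUNT = "111122223333"   # third party entered as the trusted entity
EXTERNAL_ID = "example-external-id"   # identifier agreed with the third party


def trust_policy(trusted_account, external_id=None):
    """Trust policy for a role that another AWS account may assume."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_external_id(policy, own_account):
    """Indexes of Allow statements that let a foreign account assume the
    role without a StringEquals condition on sts:ExternalId."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(own_account not in arn for arn in arns):
            continue  # service principal or same-account trust only
        keys = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:externalid" not in {k.lower() for k in keys}:
            findings.append(i)
    return findings


if __name__ == "__main__":
    for label, ext in (("without external ID", None), ("with external ID", EXTERNAL_ID)):
        policy = trust_policy(CONSULTING_ACCOUNT, ext)
        print(label, "->", missing_external_id(policy, COMPANY_ACCOUNT))
        print(json.dumps(policy, indent=2))
```

When the condition is present, the consulting side has to supply the same external ID value when it assumes the role.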
Summary
Cross-account roles allow users to access resources in other AWS accounts.
Users can assume the role to gain access to the resources in an external account.
The IAM policy will determine what access will be granted to the role.
This is safer than giving Access Keys to access the resources.
This is how to grant access to AWS Resources via roles and external ID. This topic is important to be aware of when you prepare for the AWS Security Specialty exam. We have used the S3 bucket to illustrate the solution. We hope you found this article helpful in understanding the concept of access granting to third parties. After you have completed the preparation, you will be able to check your level of preparation with th