Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Additional AWS authorization mechanisms #35

Open
mtibben opened this issue Jun 27, 2017 · 0 comments
Open

Additional AWS authorization mechanisms #35

mtibben opened this issue Jun 27, 2017 · 0 comments

Comments

@mtibben
Copy link
Member

mtibben commented Jun 27, 2017

From https://cloudonaut.io/aws-security-primer/

Besides IAM Policies, some services use additional authorization mechanism. The services with their own authorization mechanism are:

  • SNS and SQS: A Topic Policy or Queue Policy can open a topic/queue to things like IAM User, IAM Role, AWS Account, or just all of us. This can be handy, but you should think twice before doing so. Most likely, you can use the assume role approach to achieve the same!
  • Glacier: Glacier comes with two types of policies, one to control access, and the other to control modification of archives. The latter is important if you have to enforce that data can not be changed for legal reasons.
  • IoT: As mentioned, IoT Things can authenticate, and the Policy determines what they can do in your AWS account.
  • Lambda: A Lambda Function can be opened for invocation by a Permission. This is needed if you want a “Cron” to trigger your Lambda because this “Cron” is AWS. So AWS needs permissions to invoke your function. Most likely, you can use the assume role approach to achieve the same!
  • S3: S3 is the king of alternative ways for authorization.
    • You can set ACLs on the bucket and object level to give read/write permissions. I recommend no using them. There is no simple way to change all ACLs on the object level. And it is very hard to reason if every object can have different permissions.
    • You can also use a Bucket Policy to give read/write permissions to your bucket/objects. This makes sense if your bucket is public and you ant to give read access to the world.
    • You can also generate pre-signed URLs to give temporary permissions to read or upload objects. This makes sense if you want users to directly upload files from their browser.
  • KMS: Key Policies are the primary way to control access to customer master keys (CMKs) in KMS. On top of that, you can use IAM policies to authorize. The second way to control access are Grants. With a Grant, you can allow another AWS principal (e.g. an AWS account) to use a CMK with some restrictions. You could also implement this with the Key policy, but grants are more flexible to control.

The only additional authorization mechanism iamy supports at the moment is S3 bucket policies. In the interests of making this more of an umbrella tool for AWS authorization, should we support more of these mechanisms?

@mtibben mtibben changed the title Additional authorization points Additional AWS authorization mechanisms Jun 27, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant