Using AWS IAM Service Roles for Applications

Introduction

AWS IAM Roles allow permissions to be granted to applications, servers or services so they can access and use AWS services. For example, granting a server access to write to DynamoDB tables or granting a Lambda function permission to use an SQS queue.

IAM roles are a particularly secure approach, and are preferred over IAM Users with long-lived access keys, since a role is used through temporary security credentials that are rotated automatically.

IAM Roles have become a critical part of AWS and are used in the configuration of many different services.

In Turbot, custom IAM Roles created for applications are called Service Roles.

Guardrails for Service Roles

Turbot automatically detects, checks and locks down IAM Service Roles, keeping your account safely in control. In particular, there are two areas of control:

  1. Lock down IAM permissions - ensuring Service Roles in the account are limited to the same permissions as other users in the account.

  2. Restrict cross-account access to roles - an IAM Role's trust policy can be configured to allow other AWS accounts to assume and use the role. Turbot automatically detects these configurations and denies cross-account access to prevent leaking of data or access to others.
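The second control is a check on each role's trust policy (its AssumeRolePolicyDocument). The following is an added example, not Turbot's own code, that shows what such a detection looks like: it walks the Allow statements of a trust policy and reports every AWS principal that belongs to an account other than the home account, including the wildcard principal. The account IDs, role names and trust policies are constructed placeholders.

```python
import json

# Placeholder account IDs; the trust policies below are constructed samples,
# not taken from any real account or from Turbot.
HOME_ACCOUNT = "111111111111"

TRUST_POLICIES = {
    # Same-account service role, assumable only by the EC2 service.
    "app-dynamodb-writer": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
    # Trusts the home account and, in addition, a role in another account.
    "shared-reporting": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": ["111111111111",
                                  "arn:aws:iam::222222222222:role/reporter"]},
            "Action": "sts:AssumeRole",
        }],
    },
    # Wildcard principal: any AWS account may attempt to assume the role.
    "wide-open": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sts:AssumeRole",
        }],
    },
}


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Account ID of an AWS principal: '*' for wildcards, None if not an account ID or IAM/STS ARN."""
    if principal == "*":
        return "*"
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        return parts[4]
    return None


def foreign_principals(trust_policy, home_account):
    """AWS principals in Allow statements that sit outside home_account."""
    found = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # Principal: "*" means the same as {"AWS": "*"}
            found.append("*")
            continue
        if not isinstance(principal, dict):
            continue
        for p in _as_list(principal.get("AWS", [])):
            acct = account_of(p)
            if acct is not None and acct != home_account:   # also catches acct == "*"
                found.append(p)
    return found


def audit(trust_policies, home_account):
    """Map each role name to the cross-account principals its trust policy allows."""
    return {name: foreign_principals(doc, home_account)
            for name, doc in trust_policies.items()
            if foreign_principals(doc, home_account)}


if __name__ == "__main__":
    print(json.dumps(audit(TRUST_POLICIES, HOME_ACCOUNT), indent=2))
```

Service principals such as ec2.amazonaws.com are deliberately ignored: they are how a role is handed to a server or function inside the account, not a cross-account grant. Federated principals and condition keys are out of scope for this check.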

Creating an IAM Role (Service Role)

IAM Roles can be created in Turbot managed AWS accounts by any user with Owner level permissions. Owner level access is required because a role delegates access to the AWS account.

Turbot considers these application level IAM Roles to be Service Roles. They are a cloud equivalent of Service Accounts.

IAM Roles can be created directly in AWS through the Console or API.

Granting Permissions to Service Roles

After creating a Service Role, it has no permissions to use AWS services. Owners should be sure to add appropriate access permissions to the role for use by their application and services.

Permissions may be granted to roles by:

  1. Using AWS Managed Policies.
  2. Creating custom IAM policies.

Under a least privilege approach, Owners should grant a role only the specific permissions and access its application requires. Turbot safely allows direct editing of role permissions because its IAM Lockdown policies remain enforced regardless of what is granted. Be aware that the explicit deny rules created by Turbot take precedence over any allow policies granted to the role.

Using Service Roles

A Service Role is attached to a server or application (for example an EC2 instance or a Lambda function) by a principal that holds the iam:PassRole permission for that role; without iam:PassRole on the role, it cannot be passed to the service.
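Two points above are easy to get wrong in practice: that an explicit deny from a lockdown policy overrides any allow attached to the role, and that iam:PassRole should be limited to the specific role a deployer is meant to hand out. The following added example, which is not Turbot's code and does not reproduce its real lockdown rules, implements a simplified IAM decision (Action, Resource and Effect only; no conditions, NotAction or NotResource) and runs it over constructed policies: a least-privilege policy for the service role, an over-broad alternative, an illustrative lockdown policy of explicit denies, and a deployer policy whose iam:PassRole is scoped to one role ARN. Account ID, table, queue and role names are placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample policies; account ID, table, queue and role names are placeholders.
ACCOUNT = "111111111111"
ORDERS_TABLE = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/orders"
ORDERS_QUEUE = f"arn:aws:sqs:us-east-1:{ACCOUNT}:orders-events"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-dynamodb-writer"

# Least-privilege custom policy attached to the service role.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
         "Resource": ORDERS_TABLE},
        {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": ORDERS_QUEUE},
    ],
}

# An over-broad alternative an Owner might be tempted to attach instead.
OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

# Illustrative lockdown policy of explicit denies, standing in for the rules the
# text says Turbot enforces (the real rules are not reproduced here).
LOCKDOWN_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
    ],
}

# Policy for the deployer that launches servers with the service role:
# iam:PassRole is limited to the one role it is meant to hand out.
DEPLOYER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": APP_ROLE},
    ],
}


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    for pat in _as_list(patterns):
        if case_sensitive and fnmatchcase(value, pat):
            return True
        if not case_sensitive and fnmatchcase(value.lower(), pat.lower()):
            return True
    return False


def evaluate(policies, action, resource):
    """Simplified IAM decision for one request across a set of identity policies.

    An explicit Deny in any matching statement wins; otherwise any matching
    Allow wins; otherwise the request is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action, case_sensitive=False):
                continue
            if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"        # explicit deny takes precedence over every allow
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    role_policies = [LEAST_PRIVILEGE, LOCKDOWN_DENY]
    print(evaluate(role_policies, "dynamodb:PutItem", ORDERS_TABLE))                  # Allow
    print(evaluate(role_policies, "dynamodb:DeleteTable", ORDERS_TABLE))              # Deny
    print(evaluate([OVERBROAD, LOCKDOWN_DENY], "dynamodb:DeleteTable", ORDERS_TABLE))  # Deny
    print(evaluate([DEPLOYER], "iam:PassRole", APP_ROLE))                             # Allow
    print(evaluate([DEPLOYER], "iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/admin"))  # Deny
```

The OVERBROAD case is the one worth noting: dynamodb:* on every resource would normally permit DeleteTable, but the lockdown deny still wins, which is exactly why direct editing of role permissions can be allowed. The deployer case shows that scoping the Resource of iam:PassRole to the service role's ARN is what stops the same deployer from passing a more privileged role to a server.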
