ABAC (Attribute-based Access Control): trying attribute-based access control with session tags

I tried ABAC (Attribute-based access control) using session tags.
https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/id_session-tags.html
https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/introduction_attribute-based-access-control.html

Requirements

AWS account

Procedure

  • Create roles
  • Create IAM users
  • Create Parameter Store parameters
  • Test results

Configuration of this trial

  • In the IAM user's policy, compare the IAM user's tag (aws:PrincipalTag) with the IAM role's tag (aws:ResourceTag) and allow the role switch (sts:AssumeRole) only if they match.
  • In the IAM role's policy, compare the IAM role's tag (aws:PrincipalTag) with the SSM Parameter Store parameter's tag (aws:ResourceTag) and allow access to the parameter only if they match.

    1. Create roles


    Role

    role           policy            tag
    test-stg-role  test-role-policy  env:stg
    test-dev-role  test-role-policy  env:dev

    Policy for the roles


    test-role-policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TestAccessSSM",
                "Effect": "Allow",
                "Action": [
                    "ssm:*"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:ResourceTag/env": "${aws:PrincipalTag/env}"
                    }
                }
            }
        ]
    }
    
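As an added illustration (not code from the original post), here is a small offline evaluator of the StringEquals condition above, including the ${aws:PrincipalTag/env} variable substitution, run against the tags set up in this post. It is deliberately simplified: only StringEquals is implemented, Resource is not checked because the policies use "*", Deny statements are not modelled, and the tag data is constructed to mirror the tables in this post, with one extra untagged parameter to show that a missing tag fails the condition and is therefore denied.

```python
import json
import re
from fnmatch import fnmatchcase

# test-role-policy.json from the page: Allow ssm:* only when the parameter's
# env tag equals the caller's env tag, via the ${aws:PrincipalTag/env} variable.
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17", "Statement": [{
    "Sid": "TestAccessSSM", "Effect": "Allow", "Action": ["ssm:*"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/env": "${aws:PrincipalTag/env}"}}
  }]
}""")

# Constructed tags mirroring the page's setup, plus an untagged parameter to show
# the failure mode. A role's tags reach its own policy as aws:PrincipalTag keys.
PRINCIPAL_TAGS = {"test-stg-role": {"env": "stg"}, "test-dev-role": {"env": "dev"}}
PARAMETER_TAGS = {"test-stg": {"env": "stg"}, "test-dev": {"env": "dev"}, "untagged": {}}
VAR = re.compile(r"\$\{([^}]+)\}")

def build_context(principal_tags, resource_tags):
    """Flatten tags into the condition keys IAM exposes to the policy."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx

def resolve(value, ctx):
    """Expand ${...} policy variables; None if a referenced key is absent."""
    if any(k not in ctx for k in VAR.findall(value)):
        return None
    return VAR.sub(lambda m: ctx[m.group(1)], value)

def condition_matches(condition, ctx):
    """StringEquals only (the page's operator); missing key or unresolvable variable -> False."""
    for key, expected in condition.get("StringEquals", {}).items():
        wanted = resolve(expected, ctx)
        if key not in ctx or wanted is None or ctx[key] != wanted:
            return False
    return True

def is_allowed(policy, action, ctx):
    """Allow if a statement matches, else implicit deny (Resource "*" is not checked)."""
    return any(stmt["Effect"] == "Allow"
               and any(fnmatchcase(action, a) for a in stmt["Action"])
               and condition_matches(stmt.get("Condition", {}), ctx)
               for stmt in policy["Statement"])

def can_get_parameter(role, parameter):
    """Reproduce table 4-2: may this role session read this parameter?"""
    ctx = build_context(PRINCIPAL_TAGS[role], PARAMETER_TAGS[parameter])
    return is_allowed(ROLE_POLICY, "ssm:GetParameter", ctx)
```

The same evaluator applies to the user policy in step 2, since its condition is identical and only the action (sts:AssumeRole) and the tagged resource (the role) differ.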

    Trust relationship for the roles

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    }
    

    2. Create IAM users


    IAM User

    user      policy            tag
    test-stg  test-user-policy  env:stg
    test-dev  test-user-policy  env:dev

    Policy for the IAM users


    test-user-policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TestAssumeRole",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": [
                    "arn:aws:iam::XXXXXXXXXXXX:role/test-stg-role",
                    "arn:aws:iam::XXXXXXXXXXXX:role/test-dev-role"
                ],
                "Condition": {
                    "StringEquals": {
                        "aws:ResourceTag/env": "${aws:PrincipalTag/env}"
                    }
                }
            }
        ]
    }
    

    3. Create Parameter Store parameters


    Parameter store

    name      tag      value
    test-stg  env:stg  arbitrary
    test-dev  env:dev  arbitrary

    4. Test results


    4-1. Test results (role switch)


    No  From (User)  To (Role)      Result
    1   test-stg     test-stg-role  OK
    2   test-stg     test-dev-role  NG
    3   test-dev     test-stg-role  NG
    4   test-dev     test-dev-role  OK

    1. IAM User: test-stg → Role: test-stg-role

    $ aws sts assume-role \
    > --role-arn arn:aws:iam::XXXXXXXXXXXX:role/test-stg-role \
    > --role-session-name my-session \
    > --profile test-stg
    {
        "Credentials": {
            "AccessKeyId": "XXXXXX",
            "SecretAccessKey": "XXXXXX",
            "SessionToken": "XXXXXX",
            "Expiration": "2020-02-24T09:08:55+00:00"
        },
        "AssumedRoleUser": {
            "AssumedRoleId": "XXXXXX:my-session",
            "Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/test-stg-role/my-session"
        }
    }
    

    2. IAM User: test-stg → Role: test-dev-role

    $ aws sts assume-role \
    > --role-arn arn:aws:iam::XXXXXXXXXXXX:role/test-dev-role \
    > --role-session-name my-session \
    > --profile test-stg
    An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::XXXXXXXXXXXX:user/test-stg is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/test-dev-role
    

    3. IAM User: test-dev → Role: test-stg-role

    $ aws sts assume-role \
    > --role-arn arn:aws:iam::XXXXXXXXXXXX:role/test-stg-role \
    > --role-session-name my-session \
    > --profile test-dev
    An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::XXXXXXXXXXXX:user/test-dev is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/test-stg-role
    

    4. IAM User: test-dev → Role: test-dev-role

    $ aws sts assume-role \
    > --role-arn arn:aws:iam::XXXXXXXXXXXX:role/test-dev-role \
    > --role-session-name my-session \
    > --profile test-dev
    {
        "Credentials": {
            "AccessKeyId": "XXXXXX",
            "SecretAccessKey": "XXXXXX",
            "SessionToken": "XXXXXX",
            "Expiration": "2020-02-24T09:09:52+00:00"
        },
        "AssumedRoleUser": {
            "AssumedRoleId": "XXXXXX:my-session",
            "Arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/test-dev-role/my-session"
        }
    }
    

    4-2. Test results (resource access)


    No  From (User)  To (Parameter store)  Result
    1   test-stg     test-stg              OK
    2   test-stg     test-dev              NG
    3   test-dev     test-stg              NG
    4   test-dev     test-dev              OK

    1. IAM User: test-stg → Parameter Store: test-stg

    $ aws ssm get-parameter --name test-stg --profile test-stg-role
    {
        "Parameter": {
            "Name": "test-stg",
            "Type": "String",
            "Value": "test",
            "Version": 1,
            "LastModifiedDate": "2020-02-24T15:35:40.814000+09:00",
            "ARN": "arn:aws:ssm:us-east-1:XXXXXXXXXXXX:parameter/test-stg"
        }
    }
    

    2. IAM User: test-stg → Parameter Store: test-dev

    $ aws ssm get-parameter --name test-dev --profile test-stg-role
    An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/test-stg-role/botocore-session-XXXXXXXXXX is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:XXXXXXXXXXXX:parameter/test-dev
    

    3. IAM User: test-dev → Parameter Store: test-stg

    $ aws ssm get-parameter --name test-stg --profile test-dev-role
    An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/test-dev-role/botocore-session-XXXXXXXXXX is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:XXXXXXXXXXXX:parameter/test-stg
    

    4. IAM User: test-dev → Parameter Store: test-dev

    $ aws ssm get-parameter --name test-dev --profile test-dev-role
    {
        "Parameter": {
            "Name": "test-dev",
            "Type": "String",
            "Value": "test",
            "Version": 1,
            "LastModifiedDate": "2020-02-24T15:27:07.440000+09:00",
            "ARN": "arn:aws:ssm:us-east-1:XXXXXXXXXXXX:parameter/test-dev"
        }
    }
    

    Thoughts

  • Few services support tag-based authorization yet; it still has a long way to go.
  • https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
  • The destination role's policy can also evaluate conditions on the tags of the principal switching in, and allow or deny the switch on that basis.
  • The concept of aws:RequestTag is quite hard to grasp...